high advisory

ESXi Firewall Disabled Detection

This detection identifies when the ESXi firewall is disabled or switched to permissive mode (default action changed from drop to pass), which exposes the host's management services to unauthorized access and network-based attacks and frequently precedes lateral movement, data exfiltration, or malware installation.

The ESXi firewall is a critical control on the hypervisor that underpins a virtualized environment: it restricts which networks can reach management services such as SSH, the host client and vSphere API. Threat actors disable or weaken it to open a direct path to the host and, through it, to every virtual machine it runs, typically so they can move laterally, reach sensitive data or stage malicious software. This detection identifies, from ESXi syslog data, instances where the firewall has been disabled (for example `esxcli network firewall set --enabled false`) or made permissive (`esxcli network firewall set --default-action true`). The technique has been associated with ransomware campaigns such as Black Basta and with China-Nexus threat activity, which shows the range of adversaries that employ it.

Attack Chain

  1. Initial Compromise: An attacker gains initial access to the network through various means, such as exploiting a vulnerability in a network service or through compromised credentials.
  2. Privilege Escalation: The attacker escalates privileges to gain administrative access within the ESXi environment. This might involve exploiting vulnerabilities in the ESXi software or leveraging misconfigured permissions.
  3. Firewall Configuration Modification: Using elevated privileges, the attacker disables the ESXi firewall or sets it to a permissive mode. This can be achieved via command-line tools or the vSphere client.
  4. Lateral Movement: With the firewall disabled, the attacker can now move laterally within the ESXi environment, accessing other virtual machines and ESXi hosts on the network.
  5. Data Exfiltration: The attacker identifies and exfiltrates sensitive data from the compromised virtual machines. This data can include customer data, financial records, or intellectual property.
  6. Malware Installation: The attacker installs malicious software, such as ransomware, on the compromised virtual machines or ESXi hosts.
  7. Ransomware Deployment / System Corruption: The installed ransomware encrypts the data on the compromised systems, rendering them inaccessible until a ransom is paid. Alternatively, the attacker may corrupt critical system files, causing system instability or failure.

Impact

A successful attack can lead to complete compromise of the ESXi environment. With the firewall disabled, every management service on the host is reachable from any network that can route to it, exposing the host and all of its virtual machines to unauthorized access, data breaches, ransomware and significant service disruption. Organizations that rely heavily on virtualization, such as cloud service providers and large enterprises, are particularly exposed. The impact can include significant financial losses, reputational damage and legal liabilities.

Recommendation

  • Configure ESXi systems to forward syslog output to a SIEM and ensure it is ingested with the appropriate Splunk Technology Add-on for VMware ESXi Logs to enable the correlation of ESXi firewall status changes (reference: esxi_syslog data source).
  • Deploy the provided Sigma rule to your SIEM to detect instances where the ESXi firewall is disabled (reference: Sigma rule).
  • Investigate any alerts generated by this rule promptly: confirm whether the change was an authorized administrative action (change ticket, known maintenance window), and if not, determine the root cause and scope of the compromise (reference: Sigma rule).
  • Review and harden ESXi security configurations to minimize the risk of unauthorized access and privilege escalation (reference: description).
  • Implement multi-factor authentication for all ESXi administrative accounts to prevent credential compromise (reference: description).

Detection coverage (2)

ESXi Firewall Disabled via Syslog

high

Detects when the ESXi firewall is disabled or set to permissive mode based on syslog messages.

Type: sigma | Tactics: defense_evasion | Sources: syslog, vmware

ESXi Firewall Status Change - Permissive Mode

medium

Detects ESXi firewall being set to permissive mode.

Type: sigma | Tactics: defense_evasion | Sources: syslog, vmware
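The following is an added example, not the platform's own Sigma rules or code, showing the logic behind both detections above (firewall disabled, and firewall status change to permissive mode) run over syslog lines. The sample lines are constructed for this example and only imitate an ESXi shell audit log; the `esxcli network firewall set` arguments they contain (`--enabled false`, `--default-action true` and the short forms `-e` / `-d`) are genuine esxcli syntax. The header regex, rule names and severities are assumptions taken from this page, not from a real rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not real ESXi output). Only the esxcli
# command text inside them uses genuine syntax.
SAMPLE_SYSLOG = """\
<14>2024-05-02T10:12:01Z esxi01 shell[2101234]: [root]: esxcli network firewall get
<14>2024-05-02T10:12:09Z esxi01 shell[2101234]: [root]: esxcli network firewall set --enabled false
<14>2024-05-02T10:13:40Z esxi02 shell[3102201]: [svc-backup]: esxcli network firewall set -d true
<14>2024-05-02T10:14:02Z esxi02 shell[3102201]: [svc-backup]: esxcli network firewall set --enabled=true
<14>2024-05-02T10:15:30Z esxi03 shell[4400011]: [root]: esxcli network firewall ruleset set -r sshServer --enabled true
"""

# Assumed line shape: optional <PRI>, timestamp, host, "tag[pid]:", "[user]:", command.
SYSLOG_HEADER = re.compile(
    r"^(?:<\d+>)?(?P<ts>\S+)\s+(?P<host>\S+)\s+\S+:\s+\[(?P<user>[^\]]+)\]:\s*(?P<cmd>.*)$"
)

# Global firewall state changes only; "esxcli network firewall ruleset set"
# (per-rule-set toggles) deliberately does not match this pattern.
FIREWALL_SET = re.compile(r"\besxcli\s+network\s+firewall\s+set\b(?P<args>.*)", re.I)
DISABLED = re.compile(r"(?:--enabled|-e)[=\s]+false\b", re.I)
PERMISSIVE = re.compile(r"(?:--default-action|-d)[=\s]+true\b", re.I)

# Rule names and severities mirror the two coverage entries on this page.
RULE_DISABLED = ("ESXi Firewall Disabled via Syslog", "high")
RULE_PERMISSIVE = ("ESXi Firewall Status Change - Permissive Mode", "medium")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    severity: str
    line: str


def classify_command(cmd: str):
    """Return (rule, severity) if the command weakens the ESXi firewall, else None."""
    m = FIREWALL_SET.search(cmd)
    if not m:
        return None
    args = m.group("args")
    if DISABLED.search(args):
        return RULE_DISABLED
    if PERMISSIVE.search(args):
        return RULE_PERMISSIVE
    return None


def detect(syslog_text: str) -> list:
    """Run both detections over raw syslog text and return one Finding per hit."""
    findings = []
    for raw in syslog_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = SYSLOG_HEADER.match(line)
        # Fall back to scanning the whole line if the header shape is unfamiliar,
        # so a different forwarder format still produces a (less attributed) hit.
        host, user, cmd = (
            (hdr["host"], hdr["user"], hdr["cmd"]) if hdr else ("unknown", "unknown", line)
        )
        verdict = classify_command(cmd)
        if verdict:
            rule, severity = verdict
            findings.append(Finding(host, user, rule, severity, line))
    return findings


def hosts_by_severity(findings: list) -> dict:
    """Group affected hosts by severity, e.g. {'high': ['esxi01'], 'medium': ['esxi02']}."""
    out = {}
    for f in findings:
        out.setdefault(f.severity, [])
        if f.host not in out[f.severity]:
            out[f.severity].append(f.host)
    return out


if __name__ == "__main__":
    for f in detect(SAMPLE_SYSLOG):
        print(f"[{f.severity}] {f.rule}: host={f.host} user={f.user}")
    print(hosts_by_severity(detect(SAMPLE_SYSLOG)))
```

Note that `--enabled=true` and per-rule-set changes (`esxcli network firewall ruleset set ...`) are not flagged: re-enabling the firewall is benign, and rule-set toggles are a separate, noisier signal that belongs in its own rule. Any hit still needs the triage step from the recommendations above, since an authorized administrator produces the same log line.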

Detection queries are kept inside the platform. Get full rules →