{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vsphere/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi","vSphere"],"_cs_severities":["high"],"_cs_tags":["esxi","vib","tampering","vmware"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThis brief focuses on detecting the modification of the VIB (vSphere Installation Bundle) acceptance level on ESXi hosts. Attackers can leverage this technique to weaken the system's security posture. Specifically, changing the acceptance level to \u0026quot;CommunitySupported\u0026quot; or similar settings reduces the enforcement of integrity checks, allowing for the installation of potentially malicious or unverified software. While the original Splunk detection was published in 2026, this activity remains relevant in current environments. This activity is commonly associated with post-compromise activity during ransomware attacks such as Black Basta, or associated with threat groups such as China-Nexus.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the ESXi host, potentially through compromised credentials or exploiting vulnerabilities in vSphere services.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands via the ESXi shell to modify the VIB acceptance level. This often involves using the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker changes the VIB acceptance level to a less restrictive setting, such as \u0026quot;CommunitySupported\u0026quot; or \u0026quot;AcceptanceLevelUnset\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe ESXi host's integrity checks are effectively weakened, allowing for the installation of unsigned or unverified VIBs.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a malicious VIB containing backdoors, rootkits, or other malicious payloads, such as custom scripts or binaries.\u003c/li\u003e\n\u003cli\u003eThe malicious VIB is loaded and executed by the ESXi host, providing the attacker with persistent access or the ability to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker may use this access to move laterally within the virtualized environment, compromise other virtual machines, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is often data encryption for ransom, data exfiltration, or disruption of services within the targeted environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising the VIB acceptance level allows attackers to install malicious software on ESXi hosts. This can lead to complete host compromise, lateral movement within the virtualized environment, data theft, or ransomware deployment. Organizations in various sectors, including finance, healthcare, and critical infrastructure, are potentially at risk. Successful exploitation can result in significant financial losses, reputational damage, and disruption of critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi hosts to forward syslog output to a central log management system for monitoring (VMWare ESXi Syslog).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eESXi VIB Acceptance Level Tampering\u003c/code\u003e to detect modifications to the VIB acceptance level.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected changes to the VIB acceptance level, focusing on the user and source of the command.\u003c/li\u003e\n\u003cli\u003eReview and harden ESXi host access controls and credential management practices to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor for the installation of unsigned or unverified VIBs on ESXi hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/","summary":"Attackers modify the ESXi VIB acceptance level to install unsigned or unverified software, weakening the host's integrity enforcement.","title":"ESXi VIB Acceptance Level Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed - VSphere","version":"https://jsonfeed.org/version/1.1"}