<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>VSphere - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/vsphere/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/vsphere/feed.xml" rel="self" type="application/rss+xml"/><item><title>ESXi VIB Acceptance Level Tampering</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/</guid><description>Attackers modify the ESXi VIB acceptance level to install unsigned or unverified software, weakening the host's integrity enforcement.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the modification of the VIB (vSphere Installation Bundle) acceptance level on ESXi hosts. Attackers can leverage this technique to weaken the system's security posture. Specifically, changing the acceptance level to &quot;CommunitySupported&quot; or similar settings reduces the enforcement of integrity checks, allowing for the installation of potentially malicious or unverified software. While the original Splunk detection was published in 2026, this activity remains relevant in current environments. This activity is commonly associated with post-compromise activity during ransomware attacks such as Black Basta, or associated with threat groups such as China-Nexus.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the ESXi host, potentially through compromised credentials or exploiting vulnerabilities in vSphere services.</li>
<li>The attacker executes commands via the ESXi shell to modify the VIB acceptance level. This often involves using the <code>esxcli software acceptance set</code> command.</li>
<li>The attacker changes the VIB acceptance level to a less restrictive setting, such as &quot;CommunitySupported&quot; or &quot;AcceptanceLevelUnset&quot;.</li>
<li>The ESXi host's integrity checks are effectively weakened, allowing for the installation of unsigned or unverified VIBs.</li>
<li>The attacker installs a malicious VIB containing backdoors, rootkits, or other malicious payloads, such as custom scripts or binaries.</li>
<li>The malicious VIB is loaded and executed by the ESXi host, providing the attacker with persistent access or the ability to perform malicious actions.</li>
<li>The attacker may use this access to move laterally within the virtualized environment, compromise other virtual machines, or exfiltrate sensitive data.</li>
<li>The final objective is often data encryption for ransom, data exfiltration, or disruption of services within the targeted environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromising the VIB acceptance level allows attackers to install malicious software on ESXi hosts. This can lead to complete host compromise, lateral movement within the virtualized environment, data theft, or ransomware deployment. Organizations in various sectors, including finance, healthcare, and critical infrastructure, are potentially at risk. Successful exploitation can result in significant financial losses, reputational damage, and disruption of critical services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure ESXi hosts to forward syslog output to a central log management system for monitoring (VMWare ESXi Syslog).</li>
<li>Deploy the provided Sigma rule <code>ESXi VIB Acceptance Level Tampering</code> to detect modifications to the VIB acceptance level.</li>
<li>Investigate any detected changes to the VIB acceptance level, focusing on the user and source of the command.</li>
<li>Review and harden ESXi host access controls and credential management practices to prevent unauthorized access.</li>
<li>Monitor for the installation of unsigned or unverified VIBs on ESXi hosts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>vib</category><category>tampering</category><category>vmware</category></item></channel></rss>