{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1005/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi"],"_cs_severities":["high"],"_cs_tags":["esxi","vmware","exfiltration","t1005"],"_cs_type":"advisory","_cs_vendors":["VMWare"],"content_html":"\u003cp\u003eThis brief addresses the threat of malicious actors exfiltrating virtual machine disk files from ESXi datastores using remote tools. This technique abuses the Network File Copy (NFC) protocol, which is typically used by legitimate management tools for transferring files to and from ESXi hosts. Attackers can exploit this protocol to steal full virtual disk images, potentially gaining access to sensitive data, configurations, and credentials stored within the VMs. The risk is heightened in environments where ESXi hosts are exposed to internal networks or where insider threats are a concern. This behavior is also associated with post-compromise activity related to ransomware groups such as Black Basta. Defenders should monitor for unusual NFC traffic and unauthorized access to virtual disk files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the network or obtains valid credentials for ESXi hosts.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a target ESXi host and datastore containing valuable virtual machine disk files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a remote tool (potentially masquerading as a legitimate management utility) to initiate an NFC session with the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe remote tool issues commands to locate and select the target VMDK files within the datastore, using the VM path to identify the target.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a file download operation using the NFC protocol to transfer the VMDK files to a remote location.\u003c/li\u003e\n\u003cli\u003eThe ESXi host logs the file download event, including the initiator's IP address, tool name, and destination.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the downloaded VMDK files from the remote location.\u003c/li\u003e\n\u003cli\u003eThe attacker mounts and analyzes the VMDK files to extract sensitive data or gain further access to the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of virtual machine disk files can have severe consequences. Attackers can gain access to sensitive data stored within the VMs, including customer data, financial records, and intellectual property. This can lead to data breaches, financial losses, and reputational damage. The exfiltration can also provide attackers with credentials and configuration information that can be used to further compromise the environment. The activity is also associated with ransomware groups such as Black Basta, which may encrypt systems after data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Syslog on ESXi hosts and forward logs to a SIEM for analysis to detect the attack chain described above.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi VM Exported via Remote Tool Detection\u003c/code\u003e to identify unauthorized VMDK downloads (VMWare ESXi Syslog).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on unusual source IPs, destination hosts, and remote tools (ESXi Syslog).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to restrict access to ESXi hosts and datastores, mitigating the risk of unauthorized exfiltration (Network).\u003c/li\u003e\n\u003cli\u003eMonitor for network traffic indicative of large file transfers from ESXi hosts to unusual destinations (network_connection).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-esxi-vm-exfiltration/","summary":"Attackers or malicious insiders may leverage remote tools and the NFC protocol to download virtual machine disk files from ESXi datastores, potentially leading to sensitive data exfiltration.","title":"ESXi VM Exfiltration via Remote Tool","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-vm-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - T1005","version":"https://jsonfeed.org/version/1.1"}