<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>T1078 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/t1078/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/t1078/feed.xml" rel="self" type="application/rss+xml"/><item><title>ESXi External Root Login Activity Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-root-login/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-root-login/</guid><description>Detection of ESXi UI access using the root account from external IP addresses, bypassing role-based access controls and potentially indicating unauthorized activity or compromised credentials.</description><content:encoded><![CDATA[<p>This brief addresses the risk of unauthorized access to VMware ESXi hosts through direct root login activity. The focus is on detecting instances where the ESXi UI is accessed using the root account from IP addresses outside of defined internal ranges. This activity is flagged because it bypasses role-based access controls and standard auditing practices, raising the potential for misconfiguration, unauthorized actions, or even a malicious actor leveraging compromised credentials to gain control of the ESXi host. The detection logic relies on analyzing ESXi syslog data, specifically looking for login events associated with the &quot;root&quot; user. By excluding internal IP ranges, the detection aims to highlight potentially suspicious external access attempts. Identifying and responding to such activity promptly is critical for maintaining the integrity and security of the virtualized environment and preventing further exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to network, potentially through phishing or exploiting a vulnerable service.</li>
<li>Attacker performs network reconnaissance to identify ESXi hosts and their IP addresses.</li>
<li>Attacker attempts to access the ESXi UI using the root account, likely through brute-force or credential stuffing attacks.</li>
<li>ESXi host logs the successful root login event in the syslog.</li>
<li>The syslog message contains the source IP address of the attacker and the hostname of the ESXi host.</li>
<li>The security monitoring system ingests the syslog data and triggers an alert based on the detection rule.</li>
<li>Attacker gains full administrative control of the ESXi host, allowing them to create, modify, or delete virtual machines.</li>
<li>The attacker can then leverage the compromised ESXi host to move laterally within the network, deploy ransomware, or exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromise of an ESXi host grants an attacker significant control over the virtualized environment. This can lead to the theft or destruction of sensitive data stored on virtual machines, disruption of critical services, and further lateral movement within the network. Depending on the size and scope of the virtualized infrastructure, this could impact dozens or even hundreds of virtual machines. The &quot;Black Basta Ransomware&quot; analytic story tag indicates that this activity is relevant to ransomware attacks, where attackers might target ESXi hosts to encrypt virtual machines for extortion.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure ESXi hosts to forward syslog output to a centralized logging server, ensuring comprehensive logging of security events (VMWare ESXi Syslog data_source).</li>
<li>Deploy the provided Sigma rule <code>ESXi External Root Login</code> to your SIEM to detect unauthorized root login attempts from external IP addresses. Tune the rule's IP address exclusions to match your organization's internal network ranges.</li>
<li>Investigate all alerts generated by the Sigma rule, focusing on the source IP address and the accessed ESXi host to determine the legitimacy of the login attempt.</li>
<li>Implement multi-factor authentication (MFA) for all ESXi administrative accounts to mitigate the risk of credential compromise.</li>
<li>Review and enforce strong password policies for all ESXi accounts, including the root account.</li>
<li>Restrict network access to the ESXi UI to only authorized IP addresses or networks using firewall rules.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>vmware</category><category>root_login</category><category>unauthorized_access</category><category>t1078</category></item></channel></rss>