{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vib/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["vmware","esxi","vib","tampering","post-compromise","ransomware"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting tampering with the vSphere Installation Bundle (VIB) acceptance level on ESXi hosts. Attackers may attempt to modify the VIB acceptance level, typically using the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command, to bypass security controls and install malicious or unsigned software. The default acceptance levels ensure that only VMware-approved or trusted vendor-signed packages are installed, maintaining system integrity. By lowering this level, for example, to \u0026ldquo;CommunitySupported\u0026rdquo;, an attacker can introduce unsigned VIBs, potentially leading to persistent compromise, data exfiltration, or disruption of virtualized workloads. This activity is often observed post-compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is gained through an exploit or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to execute commands with \u003ccode\u003eshell\u003c/code\u003e access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command to modify the VIB acceptance level, potentially setting it to \u003ccode\u003eCommunitySupported\u003c/code\u003e to allow unsigned VIBs.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a malicious VIB package onto the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe malicious VIB executes its payload, which could include installing a backdoor, modifying system configurations, or stealing data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by hiding the malicious VIB or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised ESXi host to move laterally within the virtualized environment, targeting other virtual machines.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as deploying ransomware or exfiltrating sensitive data from the virtualized environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the VIB acceptance level can lead to the installation of malicious software on ESXi hosts, resulting in the compromise of virtual machines and the entire virtualized infrastructure. This can lead to data breaches, system instability, and significant operational disruption. The Black Basta ransomware group has been known to target ESXi environments, highlighting the importance of detecting this type of activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable ESXi syslog forwarding to a central log management system to capture relevant events (data_source: \u0026ldquo;VMWare ESXi Syslog\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi VIB Acceptance Level Tampering\u003c/code\u003e to detect changes to the VIB acceptance level (rule: \u0026ldquo;ESXi VIB Acceptance Level Tampering\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor ESXi hosts for unusual process execution and file modifications, especially related to VIB installation (rule: \u0026ldquo;Suspicious ESXi VIB Installation\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command being used (rule: \u0026ldquo;ESXi VIB Acceptance Level Tampering\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-esxi-vib-tampering/","summary":"This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host, potentially allowing the installation of unsigned or unverified software and lowering the system's integrity enforcement.","title":"ESXi VIB Acceptance Level Tampering Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Vib","version":"https://jsonfeed.org/version/1.1"}