{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/virtual_machine/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi"],"_cs_severities":["high"],"_cs_tags":["esxi","vmware","virtual_machine","ransomware","denial_of_service"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThis brief addresses the abrupt termination of virtual machines on VMware ESXi hosts, a behavior that can indicate malicious activity. Attackers might employ this technique for various purposes, including causing a denial-of-service (DoS), staging ransomware attacks, or disrupting critical workloads by terminating VMs. While the specific actors behind such attacks can vary, the impact on affected organizations is significant. The detection logic focuses on identifying specific command patterns within ESXi syslog data that signal bulk VM termination, enabling security teams to respond swiftly to potential threats. This activity is associated with post-compromise scenarios on ESXi infrastructure and has been linked to ransomware groups like Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the ESXi host through an undisclosed method.\u003c/li\u003e\n\u003cli\u003eAttacker executes commands via the ESXi shell or through \u003ccode\u003eesxcli\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker uses \u003ccode\u003eesxcli vm process list\u003c/code\u003e to enumerate running virtual machines on the host.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the output of \u003ccode\u003eesxcli vm process list\u003c/code\u003e using \u003ccode\u003eawk\u003c/code\u003e or similar tools to extract VM process IDs.\u003c/li\u003e\n\u003cli\u003eAttacker uses \u003ccode\u003eesxcli vm process kill\u003c/code\u003e with the \u003ccode\u003e--format-param\u003c/code\u003e option to terminate multiple virtual machine processes.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003epkill -9 vmx-*\u003c/code\u003e to forcibly terminate all VM processes.\u003c/li\u003e\n\u003cli\u003eVirtual machines are abruptly shut down, leading to data loss and service disruption.\u003c/li\u003e\n\u003cli\u003eThe attack may be a precursor to data exfiltration or encryption as part of a ransomware attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful bulk VM termination can lead to significant disruption of services, data loss, and potential financial losses. The number of victims and the scope of impact depend on the criticality of the virtual machines affected. In ransomware scenarios, this action serves to maximize the impact and pressure victims into paying the ransom. Sectors heavily reliant on virtualization, such as cloud providers, financial institutions, and healthcare organizations, are particularly vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi hosts to forward syslog output to your SIEM to collect the necessary data (VMWare ESXi Syslog).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect bulk VM termination activity and tune them based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by these rules to determine the scope and impact of the activity.\u003c/li\u003e\n\u003cli\u003eReview and harden access controls to ESXi hosts to prevent unauthorized command execution.\u003c/li\u003e\n\u003cli\u003eConsider implementing rate limiting or alerting on ESXi command execution to detect anomalous activity.\u003c/li\u003e\n\u003cli\u003eIngest logs with the appropriate Splunk Technology Add-on for VMware ESXi Logs, ensuring field extractions and CIM compatibility, to properly utilize the provided Splunk search query.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-bulk-vm-termination/","summary":"Detection of abrupt virtual machine termination on ESXi hosts, potentially indicating denial-of-service, ransomware staging, or destruction of critical workloads.","title":"ESXi Bulk VM Termination Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-bulk-vm-termination/"}],"language":"en","title":"CraftedSignal Threat Feed - Virtual_machine","version":"https://jsonfeed.org/version/1.1"}