
A new Ransomware-as-a-Service (RaaS) operation called MichaelKors has become the latest file-encrypting malware targeting Linux and VMware ESXi systems as of April 2023.
The development points to cybercriminals increasingly setting their sights on ESXi, says cybersecurity firm CrowdStrike in a report shared with The Hacker News.
“This trend is particularly notable given the fact that ESXi, by design, does not support third-party agents or AV software,” the company said.
“In fact, VMware even claims that you don’t need it. This, combined with the popularity of ESXi, which is widely used as a virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries.”

Targeting VMware ESXi hypervisors with ransomware to scale such campaigns is a technique known as hypervisor jackpotting. Over the years, this approach has been adopted by several ransomware groups, including Royal.
Additionally, an analysis by SentinelOne last week revealed that 10 different ransomware families, including Conti and REvil, have leveraged the Babuk source code leaked in September 2021 to develop lockers for the VMware ESXi hypervisor.
Other notable e-crime syndicates that have updated their arsenal to target ESXi include ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach.
One of the reasons the VMware ESXi hypervisor is such an attractive target is that the software runs directly on the physical server, so a potential attacker who can run malicious ELF binaries on it gains unrestricted access to the underlying machine's resources.
An attacker attempting to breach the ESXi hypervisor can use compromised credentials to carry out the attack, escalate privileges, and then either move laterally within the network or exploit known flaws to escape the confines of the environment and further their objectives.
In a knowledge base article last updated in September 2020, VMware stated, “The vSphere Hypervisor does not require antivirus software and the use of such software is not supported.”
“Increasingly, attackers are recognizing that a lack of security tools, a lack of proper network segmentation of ESXi interfaces, and [in-the-wild] ESXi vulnerabilities create a target-rich environment,” said CrowdStrike.
Ransomware attackers are not the only group attacking virtual infrastructure. In March 2023, Google-owned Mandiant attributed to a Chinese nation-state group the use of new backdoors called VIRTUALPITA and VIRTUALPIE in attacks targeting VMware ESXi servers.
To mitigate the impact of hypervisor jackpotting, organizations are advised to avoid direct access to ESXi hosts, enable two-factor authentication, take regular backups of ESXi datastore volumes, apply security updates, and conduct security posture reviews.
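Since ESXi cannot run an agent or AV software, the host's own audit trail, shipped to a central syslog collector, is the main place a defender can catch the precursors the article describes (SSH being switched on, credential misuse against the management interface). The following script is an added example and is not code from the article, CrowdStrike, or VMware. It parses constructed, syslog-style lines whose event text only approximates hostd's wording (the exact strings and the `MANAGEMENT_NETS` allow-list are assumptions to adapt to your own log shipping), and flags three things: SSH being enabled on the host, a successful login from outside the management network, and repeated failed logins from one source.

```python
"""Flag risky ESXi host events in syslog-style audit lines (added example).

The line format and event wording below are constructed approximations of
hostd events forwarded to syslog; adjust the regexes and the management
allow-list before using this against real ESXi/vCenter log shipping.
"""
import ipaddress
import re
from collections import Counter

# Networks from which interactive ESXi management access is expected.
# Assumption for this example; replace with your own allow-list.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
FAILURE_THRESHOLD = 3  # failed logins from one source before we raise a finding

LOGIN_OK = re.compile(r"User (?P<user>\S+)@(?P<src>[\d.]+) logged in as (?P<client>\S+)")
LOGIN_FAIL = re.compile(r"Cannot login (?P<user>\S+)@(?P<src>[\d.]+)")
SSH_ENABLED = re.compile(r"SSH for the host has been enabled")

# Constructed sample lines, not real telemetry: ISO timestamp, hostname,
# program name, then a simplified hostd-style event message.
SAMPLE_LOG = """\
2023-04-10T08:00:01Z esx01 hostd: Event 101 : User root@10.10.5.20 logged in as VMware-client
2023-04-10T08:02:17Z esx01 hostd: Event 102 : SSH for the host has been enabled
2023-04-10T08:03:44Z esx01 hostd: Event 103 : User root@203.0.113.77 logged in as ssh
2023-04-10T08:04:01Z esx01 hostd: Event 104 : Cannot login root@203.0.113.78
2023-04-10T08:04:05Z esx01 hostd: Event 105 : Cannot login root@203.0.113.78
2023-04-10T08:04:09Z esx01 hostd: Event 106 : Cannot login root@203.0.113.78
2023-04-10T08:05:00Z esx01 hostd: Event 107 : User admin@10.10.5.21 logged in as VMware-client
"""


def in_management_net(src: str) -> bool:
    """True if the source address belongs to an expected management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETS)


def analyze(log_text: str) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs, in log order, for lines that warrant attention."""
    findings: list[tuple[str, str]] = []
    failures: Counter = Counter()  # (user, source) -> failed login count
    for line in log_text.splitlines():
        if SSH_ENABLED.search(line):
            # Record when SSH was turned on; the timestamp is the first field.
            findings.append(("ssh_enabled", line.split(" ", 1)[0]))
            continue
        m = LOGIN_OK.search(line)
        if m:
            if not in_management_net(m["src"]):
                findings.append(("login_outside_mgmt", f"{m['user']}@{m['src']} via {m['client']}"))
            continue
        m = LOGIN_FAIL.search(line)
        if m:
            key = (m["user"], m["src"])
            failures[key] += 1
            # Raise once, when the threshold is first reached.
            if failures[key] == FAILURE_THRESHOLD:
                findings.append(("repeated_login_failures", f"{m['user']}@{m['src']} x{FAILURE_THRESHOLD}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

On the constructed sample the script reports the SSH enablement, the root login over SSH from 203.0.113.77, and three failed root logins from 203.0.113.78; the expected login from 10.10.5.20 produces nothing. Feeding it real logs means pointing `MANAGEMENT_NETS` at the subnets that legitimately reach the management interface and matching the regexes to the event text your collector actually receives.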
“Attackers will likely continue to target VMware-based virtualization infrastructures,” said CrowdStrike. “This is a major concern as more organizations continue to move their workloads and infrastructure through VMware Hypervisor environments into cloud environments.”