CrowdStrike reports that ransomware criminals are increasingly targeting VMware’s ESXi hypervisor. Many hosts are exposed, largely because ESXi cannot run the endpoint security tools that protect ordinary servers.
CrowdStrike’s blog post is the third in its series on so-called hypervisor jackpotting. In February, thousands of ESXi servers were hit within a single weekend. VMware also uses the name ‘vSphere Hypervisor’ for ESXi. It differs from hosted virtualization products in that it runs directly on the server’s hardware rather than on top of an operating system.
The attacks exploit two older vulnerabilities in ESXi, CVE-2020-3992 and CVE-2021-21974. Both sit in ESXi’s OpenSLP service, and both have had patches available for years. The former allows remote code execution, which makes deploying ransomware straightforward. The latter was first exploited in the February attacks to run code on ESXi instances.
CrowdStrike cites VMware’s own guidance, which states that ESXi does not support antivirus software, so there is no endpoint agent on the host to detect or block an intruder. That gap gives ransomware operators free rein once they reach the hypervisor.
The attacks are so damaging because virtualization is critical to many IT environments, and VMware is the dominant supplier of it. CrowdStrike sees plenty of opportunities for criminals in virtual infrastructure: a single weakness at the hypervisor layer puts every virtual machine on the host within reach.
The consequences vary. The most obvious goal for criminals is to steal login credentials. What they can do next depends on the privileges of the hijacked account; in the worst case they can execute arbitrary code on the host. Because this path relies on stolen credentials rather than a software flaw, it works even against the most recent, fully patched ESXi versions.
Attackers can reach virtual machines in several ways. A poorly segregated VM can be accessed directly, without the ESXi server itself being attacked. Even with better segmentation, CrowdStrike still sees plenty of ways to get from a VM to the hypervisor, although that requires additional exploits: so-called VM escape exploits let an attacker break out of the guest and then go after vulnerabilities in the ESXi software itself.
In short, it is a big problem, according to CrowdStrike’s research team, and one that is only growing.
In the first quarter of 2023, several Ransomware-as-a-Service (RaaS) operations facilitated ESXi attacks. According to CrowdStrike, criminals are increasingly recognizing that ESXi is fertile ground for them. The RaaS program MichaelKors, for example, provides binaries that target both Windows and ESXi/Linux systems. CrowdStrike also points to research by Mandiant on attackers abusing a remote administration tool (RAT) on ESXi; in that case the affected server remains at risk even after VMware’s patched version is installed.
CrowdStrike has five recommendations for administrators. First, avoid direct access to ESXi hosts: manage them through a vCenter Server using the vSphere Client. Where a direct connection to an ESXi host is unavoidable, go through a hardened jump server protected by multi-factor authentication (MFA). Routing access this way keeps the management plane segmented from the rest of the environment.
Next, CrowdStrike says organizations should not expose vCenter to the Internet. Apart from patching, that is the most obvious measure, and the one companies implement most readily. It is often not enough on its own, however, as we saw recently when we asked experts about the continuing impact of Log4Shell exploitation.
Another familiar measure is backups. VM disk images and snapshots should be backed up daily. CrowdStrike does not say so explicitly, but it is essential that restoring from those backups has been tested before an attack, not during one. What the company does say is that organizations must make sure the backups themselves cannot be encrypted by the attacker.
Finally, CrowdStrike recommends physically disconnecting storage from the ESXi host if the criminals have changed the login credentials. Where that is not possible, there is one remedy that works on almost any device: cutting the power.
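As an added example, not CrowdStrike’s or VMware’s own tooling, the script below is a read-only audit that checks an ESXi host against three of the points raised above: whether the OpenSLP service behind CVE-2020-3992 and CVE-2021-21974 has been disabled (VMware’s documented workaround for hosts that cannot be patched immediately), whether lockdown mode is on so that management goes through vCenter rather than direct logins, and whether the on-host SSH and ESXi Shell services are off. It parses the text output of the stock ESXi commands chkconfig, esxcli and vim-cmd, so the same functions run on the host (busybox ash) or against captured output. The column layouts and the service and ruleset names (slpd, SSH, ESXShell, CIMSLP) are assumed from ESXi 6.x/7.x, and the two sample outputs are constructed, not taken from a real host.

```shell
#!/bin/sh
# ESXi hardening audit (added example, not CrowdStrike's or VMware's code).
# Assumed formats: "chkconfig --list" prints "<service> on|off" per line;
# "esxcli network firewall ruleset list" prints a "Name Enabled" table;
# "vim-cmd hostsvc/hostconfig" contains a line
#   lockdownMode = "lockdownDisabled|lockdownNormal|lockdownStrict",

# Both CVEs live in OpenSLP (slpd, port 427). VMware's workaround is to stop
# slpd, close its CIMSLP firewall ruleset and chkconfig it off; the two
# persistent settings are checked here (runtime: /etc/init.d/slpd status).
slp_disabled() {  # $1: chkconfig --list output, $2: firewall ruleset output
    svc=$(printf '%s\n' "$1" | awk '$1 == "slpd" { print $2 }')
    fw=$(printf '%s\n' "$2" | awk '$1 == "CIMSLP" { print $2 }')
    [ "$svc" = "off" ] && [ "$fw" = "false" ]
}

# Lockdown mode forces management through vCenter and refuses direct logins
# on the host, which is the access model the article recommends.
lockdown_enabled() {  # $1: vim-cmd hostsvc/hostconfig output
    mode=$(printf '%s\n' "$1" | sed -n 's/.*lockdownMode = "\([A-Za-z]*\)".*/\1/p' | head -n 1)
    [ "$mode" = "lockdownNormal" ] || [ "$mode" = "lockdownStrict" ]
}

# With access going via vCenter and a jump host, the on-box SSH and ESXi
# Shell services should stay off outside a change window.
shell_access_disabled() {  # $1: chkconfig --list output
    ssh=$(printf '%s\n' "$1" | awk '$1 == "SSH" { print $2 }')
    esh=$(printf '%s\n' "$1" | awk '$1 == "ESXShell" { print $2 }')
    [ "$ssh" = "off" ] && [ "$esh" = "off" ]
}

# Runs every check, prints one PASS/FAIL line each, returns the failure count.
audit_host() {  # $1: chkconfig output, $2: firewall output, $3: hostconfig output
    fails=0
    if slp_disabled "$1" "$2"; then echo "PASS slpd disabled and CIMSLP ruleset closed"
    else echo "FAIL slpd enabled: exposed to CVE-2020-3992 / CVE-2021-21974 until patched"; fails=$((fails + 1)); fi
    if lockdown_enabled "$3"; then echo "PASS lockdown mode on (manage via vCenter only)"
    else echo "FAIL lockdown mode off: host accepts direct logins"; fails=$((fails + 1)); fi
    if shell_access_disabled "$1"; then echo "PASS SSH and ESXi Shell services off"
    else echo "FAIL SSH or ESXi Shell enabled: direct host access possible"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample output (not captured from a real host): an unhardened ESXi.
CHKCONFIG_VULN='DCUI               on
ESXShell           off
SSH                on
slpd               on
vpxa               on'
FW_VULN='Name                 Enabled
-------------------  -------
CIMSLP               true
sshServer            true
vpxHeartbeats        true'
HOSTCONFIG_VULN='(vim.host.ConfigInfo) {
   lockdownMode = "lockdownDisabled",
   adminDisabled = false,
}'

# The same host after the SLP workaround, lockdown mode and SSH off (constructed).
CHKCONFIG_HARDENED='DCUI               on
ESXShell           off
SSH                off
slpd               off
vpxa               on'
FW_HARDENED='Name                 Enabled
-------------------  -------
CIMSLP               false
sshServer            true
vpxHeartbeats        true'
HOSTCONFIG_HARDENED='(vim.host.ConfigInfo) {
   lockdownMode = "lockdownNormal",
   adminDisabled = true,
}'

# On a real ESXi host feed the live commands; elsewhere exercise the samples.
if command -v esxcli >/dev/null 2>&1 && command -v vim-cmd >/dev/null 2>&1; then
    audit_host "$(chkconfig --list)" "$(esxcli network firewall ruleset list)" \
               "$(vim-cmd hostsvc/hostconfig)" || echo "$? check(s) failed"
else
    echo "== unhardened sample =="
    audit_host "$CHKCONFIG_VULN" "$FW_VULN" "$HOSTCONFIG_VULN" || echo "$? check(s) failed"
    echo "== hardened sample =="
    audit_host "$CHKCONFIG_HARDENED" "$FW_HARDENED" "$HOSTCONFIG_HARDENED" || echo "$? check(s) failed"
fi
```

Copy it to the host over the jump server and run it from the ESXi Shell, or pipe captured command output into the functions from a workstation. A non-zero return from audit_host is the count of failed checks, which makes it easy to drop into a fleet-wide loop over hosts; a PASS on the SLP check does not replace applying VMware’s patches, it only confirms the interim workaround is in place.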