A new ransomware-as-a-service (RaaS) operation called Michael Kors has become the latest file-encrypting malware to attack Linux and VMware ESXi systems, with activity observed starting in April 2023.
Cybersecurity firm CrowdStrike said in a report that the development indicates that cybercriminals are increasingly eyeing ESXi.
“This trend is particularly notable given that ESXi, by design, does not support third-party agents or AV software,” the company said.
“In fact, VMware even says it is not necessary. This, combined with the popularity of ESXi as a popular and widespread virtualization and management system, makes the hypervisor a very attractive target for modern adversaries.”
Targeting VMware ESXi hypervisors with ransomware in order to scale such campaigns is a technique known as hypervisor jackpotting. Over the years, the approach has been adopted by various ransomware groups, including Royal.
Additionally, a SentinelOne analysis last week revealed that 10 different ransomware families, including Conti and REvil, used the Babuk source code leaked in September 2021 to develop lockers for the VMware ESXi hypervisor.
Other notable cybercrime teams that have updated their arsenal to target ESXi include ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach.
One reason why the VMware ESXi hypervisor becomes an attractive target is that the software runs directly on a physical server, giving a potential attacker the ability to run malicious ELF binaries and gain unrestricted access to the machine’s underlying resources.
Attackers seeking to breach the ESXi hypervisor can do so by using compromised credentials, then gaining elevated privileges and either moving laterally through the network or escaping the confines of the environment via known vulnerabilities to further their objectives.
In a knowledge base article last updated in September 2020, VMware says that “antivirus software is not required with the vSphere Hypervisor and the use of such software is not supported.”
“More and more threat actors are recognizing that the lack of security tools, lack of proper network segmentation of ESXi interfaces, and [in-the-wild] vulnerabilities for ESXi create a target-rich environment,” CrowdStrike said.
Ransomware actors are not the only groups attacking virtual infrastructure. In March 2023, Google-owned Mandiant blamed a Chinese state group for using novel backdoors called VIRTUALPITA and VIRTUALPIE in attacks targeting VMware ESXi servers.
To reduce the impact of hypervisor jackpotting, organizations are advised to prevent direct access to ESXi hosts, enable multi-factor authentication, regularly back up ESXi datastore volumes, apply security updates, and conduct security posture reviews.
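The first of those recommendations, preventing direct access to ESXi hosts, is easiest to verify from the host's own SSH authentication log. The following is an added example (not code from the article, CrowdStrike or VMware) that flags successful SSH logins to an ESXi host from any address outside an approved management network; the log lines, the management subnet and the host names are constructed for the example and are assumptions, though the line format is the standard OpenSSH "Accepted ... for ... from ..." entry that ESXi writes to /var/log/auth.log.

```python
"""Flag interactive SSH logins to an ESXi host that did not originate from an
approved management network.

Added example, not from the article: the log lines below are constructed to
look like OpenSSH entries in an ESXi /var/log/auth.log, and the management
subnet is an assumption.
"""
import ipaddress
import re
from typing import Iterable

# Assumption: only the jump-host subnet may reach the ESXi management interface.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Matches the OpenSSH "Accepted <method> for <user> from <ip> port <n>" line.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+)\s+sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)\s+for\s+"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)

# Constructed sample: one approved login, one failed attempt (ignored because it
# is not a successful login), and two successful logins from outside the
# management network.
SAMPLE_AUTH_LOG = """\
2023-04-12T08:15:02Z sshd[2001]: Accepted keyboard-interactive/pam for root from 10.10.0.5 port 51234 ssh2
2023-04-12T08:15:40Z sshd[2002]: Failed password for root from 203.0.113.7 port 40022 ssh2
2023-04-12T23:41:11Z sshd[2003]: Accepted keyboard-interactive/pam for root from 203.0.113.7 port 40024 ssh2
2023-04-13T01:02:30Z sshd[2004]: Accepted publickey for root from 192.168.55.9 port 33110 ssh2
"""


def is_approved_source(src: str) -> bool:
    """True when the source address falls inside an approved management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Hostnames or malformed fields are never treated as approved.
        return False
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def find_direct_access(lines: Iterable[str]) -> list[dict]:
    """Return successful SSH logins whose source lies outside the management networks."""
    findings = []
    for line in lines:
        m = ACCEPTED_RE.match(line.strip())
        if not m:
            continue  # not a successful login line
        if is_approved_source(m["src"]):
            continue  # expected administrative access
        findings.append(
            {"ts": m["ts"], "user": m["user"], "src": m["src"], "method": m["method"]}
        )
    return findings


if __name__ == "__main__":
    for f in find_direct_access(SAMPLE_AUTH_LOG.splitlines()):
        print(f"ALERT direct ESXi login: {f['user']} from {f['src']} "
              f"via {f['method']} at {f['ts']}")
```

In practice the host's auth.log would be forwarded by syslog to a collector and this check run there rather than on the hypervisor itself, which keeps with the point the article makes that ESXi does not run third-party agents; the same allowlist logic applies to the web UI and API ports once the relevant hostd entries are parsed.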
“Attackers are likely to continue to target virtualization infrastructure based on VMware. This creates a major concern as more organizations continue to move workloads and infrastructure to cloud environments through VMware hypervisor environments,” CrowdStrike said.