'MichaelKors' Showcases Ransomware's Fashionable VMware ESXi Hypervisor Trend

Wide use and a lack of support for malware detection technologies have made VMware’s virtualization technology a prime target for cyberattackers.

DARKReading

The widespread use of VMware’s ESXi hypervisor and the fact that it does not support any third-party malware detection capabilities has made the technology an increasingly attractive target for ransomware operators.

The latest manifestation of that fashion trend is “MichaelKors,” a new ransomware-as-a-service (RaaS) program that researchers at CrowdStrike found attackers recently using to target ESXi/Linux systems. MichaelKors is one of several paid services CrowdStrike is tracking — including Alpha Spider, Bitwise Spider, and Sprite Spider — that currently provide attackers with malicious binaries for locking up ESXi systems.

A Slew of ESXi Ransomware

Earlier this month, SentinelOne reported a similar trend involving ransomware variants based on the leaked source code of the Babuk ransomware strain from 2021. From the second half of 2022 through 2023 to date, SentinelOne has observed at least 10 ransomware families based on Babuk source code targeting the ESXi hypervisor. Among those using the Babuk ESXi variants were small groups as well as large ransomware operators such as Conti and REvil. SentinelOne found the attackers often taking advantage of ESXi’s native tools and commands to kill guest machines and encrypt hypervisor files.

Other vendors have reported seeing multiple other major ransomware groups, including the operators of Royal ransomware, Luna, and Black Basta, all pivoting from Windows to ESXi/Linux over the past year.

A couple of factors are driving attacker interest in hypervisors and VMware’s ESXi technology in particular.

Hypervisor Jackpotting

One of them is the fact that many organizations use ESXi to manage their virtual infrastructure. VMware environments often host hundreds of VMs running business-critical applications. By compromising ESXi, attackers can potentially gain control over every virtual machine on the host, giving them an opportunity to considerably scale up their attacks. In a ransomware scenario, an attacker can encrypt multiple virtual machines at once and increase the likelihood of collecting a ransom from the victim.

Such “hypervisor jackpotting” is a tactic that attackers use in so-called big game hunting campaigns targeting large and high-profile enterprise organizations. “In hypervisor jackpotting, threat actors deploy Linux versions of ransomware tools specifically designed to affect VMware’s ESXi vSphere hypervisor,” a CrowdStrike spokeswoman says. “By deploying ransomware on ESXi hosts, adversaries quickly increase the scope of affected systems within the victim environments, resulting in additional pressure on victims to pay a ransom demand.”

A Lack of Support for Malware Detection

The second reason attackers are increasingly targeting ESXi environments is that they know the hypervisor doesn’t support any native malware detection capabilities, according to CrowdStrike. As a hypervisor, ESXi is designed purely to provide virtualization services and services for managing virtual machines. VMware itself has described the hypervisor as not requiring any antivirus software and has not provided any support for third-party malware detection agents either. “ESXi, by design, does not support third-party agents or antivirus software and VMware states in its documentation that antivirus software is not required,” CrowdStrike said in its blog post this week. This fact, combined with the popularity of ESXi, has made the hypervisor a highly attractive target for modern adversaries, the security vendor said.

Others have highlighted the same problem. Recorded Future, which counted a threefold increase in ransomware targeting ESXi servers between 2021 and 2022 (from 434 to 1,188), recently noted the immaturity of antivirus and malware detection technologies for ESXi — and the difficulty in implementing them — as lowering the barrier for threat actors. “Defensive practices are difficult to implement due to the complex nature of hypervisors,” Recorded Future said.

ESXi vulnerabilities are another problem. A case in point is a global ransomware attack on ESXi servers earlier this year that exploited two vulnerabilities in the hypervisor, one from 2021 (CVE-2021-21974) and the other from 2020 (CVE-2020-3992), to drop a novel ransomware strain called ESXiArgs.

“Given the popularity of VMware products and the continuous adoption of cloud infrastructure, this problem appears to be getting worse,” the CrowdStrike spokeswoman says. “CrowdStrike Intelligence has also observed hypervisor jackpotting becoming a dominant trend.”

The larger issue at play is that there is currently no solution out there to help with the threat. Threat actors continue to target VMware as they know that the ESXi environment is vulnerable and without remedy at the moment, the CrowdStrike spokeswoman notes. “More and more threat actors are recognizing that the lack of security technology and monitoring, lack of adequate network segmentation of ESXi interfaces, and in-the-wild vulnerabilities for ESXi create a target-rich environment” for ransomware attackers.

Related news

Keep Tier-One Applications Out of Virtual Environments

Crafty bad actors can infect all of an organization's virtual machines at once, rendering tier-one applications useless.

CVE-2023-33953: Security Bulletins

gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:
- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per input block in the parser, and because that could be unbounded due to the memory copy bug, we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:
- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so ...

New ESXiArgs encryption routine outmaneuvers recovery methods

The ransomware group behind the massive attack on ESXi virtual machines has come up with a new variant that can no longer be decrypted with the existing recovery script. (Malwarebytes Labs)

CISA Offers Recovery Tool for ESXiArgs Ransomware Victims

By Deeba Ahmed, HackRead.com. The recovery tool is available on GitHub for free.

CISA Releases Recovery Script for Victims of ESXiArgs Ransomware

The malware has affected thousands of VMware ESXi hypervisors in the last few days.

VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks

By Deeba Ahmed, HackRead.com. The refutation came days after Europe and North America were rattled by ESXiArgs ransomware attacks.

VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware

Global Ransomware Attack on VMware ESXi Hypervisors Continues to Spread

The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.

Two-year-old vulnerability used in ransomware attack against VMware ESXi

Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines. (Malwarebytes Labs)

New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an

CVE-2021-21974: VMSA-2021-0002

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

CVE-2020-3992: VMSA-2020-0023.3

OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
