Keep Tier-One Applications Out of Virtual Environments
Crafty bad actors can infect all of an organization’s virtual machines at once, rendering tier-one applications useless.
Morey Haber, Chief Security Officer, BeyondTrust
September 25, 2024
COMMENTARY
For at least the past 20 years, virtual machines and enterprise-ready hypervisors were marketed, sold, and adopted as the future of server-based computing. Dedicated power-hungry servers sitting in racks on a raised floor were replaced by systems architected to host multiple virtual servers simultaneously and to optimize resources based on load. The time of idle RAM, underutilized networks, and free hard disk storage was transformed by load-balancing technology, shared resources, and CPU prioritization to minimize costs, energy, and footprint. The goals were achieved, and the technology worked.
When organizations began shifting their tier-one mission-critical servers to virtual machines, the need to provide redundancy and high availability to meet uptime service-level agreements became paramount. Virtual machine hypervisors introduced redundancy technology, mirroring, real-time backups, cold spares, and myriad other solutions to mitigate the risks of an outage both in hardware and software. This technology even included mitigations for the hypervisor itself, just in case it became fully unavailable.
However, what happens if all of your hypervisors become unavailable — in essence, if all of your virtual data centers go offline, including all redundancy? Given the maturity of virtualization, this risk was not a consideration in the past, but today it poses a real threat and is the reason tier-one applications should no longer be virtualized. Why? Read on.
Hypervisor Attacks on the Rise
In the past few years, hypervisors have been targeted in high-profile malware and ransomware attacks. Instead of just attacking the data on a server, or a server or workstation operating system, threat actors have become brazen in attacking hypervisors and encrypting all the virtual machines hosted by the system. And if the attack vector is crafty enough, it can infect all virtual machines and hypervisors, regardless of their geolocation and backup status, simultaneously. This essentially renders all technology hosted as a virtual machine — including your tier-one applications — useless and unable to complete their mission.
So how did this change come about? Vulnerabilities, exploits, poor identity security, malware, social engineering, and, of course, ransomware. To understand this risk, let us look at some exploits that affected VMware, a leading enterprise virtualization technology, and some of its key components.
According to CVE Details, since Jan. 1, 2020, there have been 334 reported vulnerabilities for all VMware solutions. Of those, 19% were critical and, if exploited, could lead to a compromise of the affected VMware solution.
However, at least two are especially important to this discussion, despite their age: CVE-2021-21974 and CVE-2020-3992. Each could lead to a full hypervisor outage if exploited. The obvious answer from many security professionals is to patch. However, when patching these vulnerabilities, the entire hypervisor generally needs to be taken offline and all virtual machines paused or stopped to complete the upgrade. If the environment is large, potentially dozens or even hundreds of virtual machines may need to come offline. That type of outage is typically lengthy and unacceptable for tier-one applications.
Migrate to a More Fitting Solution
Most organizations will avoid patching due to the downtime alone, instead relying on other mitigations to avoid exploitation. This, however, does not solve the problem. If the hypervisor or any of its components are exposed to the Internet, these vulnerabilities are ticking time bombs. Not patching critical vulnerabilities will lead to exploitation at some point. The number of hypervisor vulnerabilities is rising and will continue to escalate, as CVE Details data shows.
Therefore, organizations have four potential solutions:
1. Continue to run tier-one applications as virtual machines, but keep maintenance up to date, accept the downtime that patching requires, and continue operating as originally designed.
2. Do not include tier-one applications in virtual environments. Deploy them on physical hardware and plan to patch them regularly as physical implementations to remediate the risks.
3. Stop hosting tier-one applications on-premises altogether, whether in virtual environments or on dedicated hardware. Move them to the cloud and let the provider maintain the application and hypervisor, as well as manage back-end risks such as upgrades, for you.
4. Modernize your ecosystem and migrate the tier-one application to a software-as-a-service (SaaS) solution.
Choosing your path requires some analysis and decisions before taking down your unpatched virtualized tier-one applications. First, categorize all applications by mission criticality. Is it a tier-one application, where any outage is unacceptable to the business, or a tier-two application, where minimal downtime for hypervisor patching is acceptable? Next, which tier-one applications can be cloud-washed — that is, moved directly to a hypervisor in the cloud and maintained by the provider — and which can be replaced by a modern SaaS solution? Most organizations prefer a SaaS solution because it does not require the virtual machine maintenance that on-premises deployments do. That is one of the biggest benefits of SaaS.
Once you have made these decisions, your organization needs to separate tier-one applications from on-premises hypervisors. Like any other technology migration, document all planning, testing, requirements, service-level agreements, and so forth so that you can measure success. In the end, however, the risk mitigation is priceless, since the business no longer has to accept the risk of unpatched hypervisors and the potential for mass exploitation by ransomware.
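The two concerns the commentary raises can be put into a small inventory check: a compromised hypervisor takes every hosted VM with it, so a tier-one application whose every redundant instance is a VM has redundancy that fails as one unit, and an unpatched hypervisor whose management interface is reachable from the Internet is where such a compromise is most likely to begin. The script below is an added example written for this page, not code from the author or from any vendor; the host names, application names and patch states are constructed sample inventory, the `patched` flag stands for whatever hypervisor advisories apply to your platform (for the article's two examples, CVE-2021-21974 and CVE-2020-3992), and the weighting in `host_risk` is an assumed heuristic, not a published scoring scheme. It ranks hypervisors by the tier-one applications they would take down and lists the tier-one applications that have no instance outside the virtualization layer, which is the set the triage in the preceding paragraphs has to decide about first.

```python
"""Hypervisor blast-radius triage (added example; constructed inventory).

Models the two risks the commentary raises:
  1. A compromised hypervisor takes every hosted VM down with it, so a
     tier-one application whose every instance is a VM has redundancy that
     fails as one unit (a common-mode failure).
  2. An unpatched hypervisor whose management network is reachable from the
     Internet is where such a compromise is most likely to start.
All host and application names below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

TIER_ONE = 1


@dataclass(frozen=True)
class Host:
    name: str
    kind: str                            # "hypervisor", "physical", "cloud" or "saas"
    patched: bool = True                 # all relevant hypervisor advisories applied
    mgmt_internet_exposed: bool = False  # management interface reachable from the Internet


@dataclass(frozen=True)
class Instance:
    app: str
    tier: int
    host: str                            # Host.name


def tier_one_by_host(hosts, instances):
    """Map each hypervisor to the tier-one applications it hosts (its blast radius)."""
    by_name = {h.name: h for h in hosts}
    radius = defaultdict(set)
    for inst in instances:
        host = by_name[inst.host]
        if host.kind == "hypervisor" and inst.tier == TIER_ONE:
            radius[host.name].add(inst.app)
    return dict(radius)


def common_mode_apps(hosts, instances):
    """Tier-one apps whose every instance is a VM: redundancy that fails as one unit."""
    by_name = {h.name: h for h in hosts}
    kinds = defaultdict(set)
    for inst in instances:
        if inst.tier == TIER_ONE:
            kinds[inst.app].add(by_name[inst.host].kind)
    return sorted(app for app, k in kinds.items() if k == {"hypervisor"})


def ticking_time_bombs(hosts):
    """Unpatched hypervisors with an Internet-reachable management interface."""
    return sorted(h.name for h in hosts
                  if h.kind == "hypervisor" and not h.patched and h.mgmt_internet_exposed)


def host_risk(host, blast_radius):
    """Assumed heuristic: blast radius, doubled if unpatched, doubled again if exposed."""
    score = len(blast_radius)
    if not host.patched:
        score *= 2
    if host.mgmt_internet_exposed:
        score *= 2
    return score


def triage(hosts, instances):
    """Rank hypervisors by weighted tier-one blast radius, highest first."""
    radius = tier_one_by_host(hosts, instances)
    ranked = [(host_risk(h, radius.get(h.name, set())), h.name,
               sorted(radius.get(h.name, set())))
              for h in hosts if h.kind == "hypervisor"]
    return sorted(ranked, reverse=True)


# Constructed inventory (sample data, not a real environment).
HOSTS = [
    Host("esx-dc1-01", "hypervisor", patched=False, mgmt_internet_exposed=True),
    Host("esx-dc1-02", "hypervisor", patched=False),
    Host("esx-dc2-01", "hypervisor", patched=True),
    Host("phys-dc1-db", "physical"),
    Host("saas-crm", "saas"),
]
INSTANCES = [
    Instance("erp", 1, "esx-dc1-01"), Instance("erp", 1, "esx-dc2-01"),
    Instance("billing", 1, "esx-dc1-01"), Instance("billing", 1, "phys-dc1-db"),
    Instance("payroll", 1, "esx-dc1-01"), Instance("payroll", 1, "esx-dc1-02"),
    Instance("wiki", 2, "esx-dc1-02"),
    Instance("crm", 1, "saas-crm"),
]

if __name__ == "__main__":
    for score, name, apps in triage(HOSTS, INSTANCES):
        print(f"{name}: risk={score} tier-one apps={apps}")
    print("common-mode tier-one apps:", common_mode_apps(HOSTS, INSTANCES))
    print("ticking time bombs:", ticking_time_bombs(HOSTS))
```

In the sample, `erp` has two instances in two data centers and still shows up as common-mode, because both live on hypervisors; `billing` does not, because one instance runs on physical hardware. That distinction is the article's point about redundancy: mirroring and cold spares inside the virtualization layer do not help when the layer itself is what the attacker encrypts.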
In my opinion, tier-one applications should not depend on hypervisors to ensure availability. Points of failure for such applications should be minimized. In recent years, attacks against hypervisors have proved that the risks are real and may no longer be acceptable to a business. This is why I believe tier-one applications should no longer be implemented using on-premises virtual machines.
About the Author
Chief Security Officer, BeyondTrust
With more than 20 years of IT industry experience and the author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing intelligent identity and access security solutions, as well as BeyondTrust's own internal information security strategies.