2022 Saw a Surge in VMware ESXi Attacks: Threat Analysis

Morgan Phisher July 27, 2024

Hey folks, let’s chat about something a little bit sinister today – ransomware attacks. We used to think they were a rare thing, but more recently they’ve been frequently hitting the headlines, and it’s hitting close to home here in the San Francisco Bay Area. Today we’re focusing particularly on the ESXiArgs ransomware attack, which started doing its dirty business on VMware ESXi hypervisor servers beginning in February 2023.

Our friends at the threat intelligence company Recorded Future have the unfortunate job of keeping tabs on nasty activities like this. They’ve been monitoring ESXi-focused ransomware since as far back as 2020, and these virtualization platforms are increasingly under attack. Why, you ask? As organizations keep virtualizing their critical infrastructure and business systems, a single hypervisor hosts more and more of what matters, so its appeal to sinister actors goes up.

Specifically, VMware’s hypervisors are like a juicy piece of steak to these bad actors. It’s been said that there was about a threefold increase in ransomware aimed at ESXi in the span of a year, from 2021 to 2022. Isn’t that something?

Here’s a bit of history – back in 2020, ESXi exploits were a non-issue. The bad guys were mostly focusing on Windows-based networks, exploiting any potential vulnerabilities. But fast forward to 2021 and ESXi-focused cyber-attacks jumped to an alarming 434. Wait, it gets worse: in 2022, that number skyrocketed to at least 1188.

So, how does the typical ESXi attack happen? It usually starts with gaining initial access by exploiting specific vulnerabilities. Certain cybersecurity organizations suggest the ESXiArgs ransomware campaign was enabled through a flaw discovered in 2021. Once these attackers are in, they’re practically invisible, because their activities unfortunately tend to look just like normal system administrator activity – logging in, changing accounts, turning services on.

Once they have privileged access, they usually use it for three purposes: installing sneaky backdoors, deploying ransomware, or using post-exploitation tools like SharpSphere to perform credential dumping attacks.

At this point, you’re probably thinking, “Okay, this sounds terrifying, what can we do? How can we fight back against such mischief?” Good question! The answer is not simple, due to the intricate nature of these hypervisors. We need a well-rounded tactical approach. Some possible measures include enabling multi-factor authentication, creating alerts on account modifications, restricting SSH and Shell access, and installing hardware security chips.
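To make two of those measures concrete – alerting on account modifications and watching for SSH/Shell being switched on – here is a small detection routine. This is an added example and not code from the original post or from Recorded Future. The log lines are constructed in a hostd/syslog-like style, and the message patterns in `RULES` are assumptions that you would replace with the exact event strings your own log forwarder emits; the idea it demonstrates (flag account changes, flag remote shell enablement, escalate when both hit the same host inside a short window) is what the post is recommending.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on hostd event lines as forwarded over syslog.
# These are NOT real captures; the wording of each message is an assumption.
SAMPLE_LOG = """\
2023-02-03T08:12:01Z esx01 Hostd: info hostd[2099] [sub=Vimsvc.ha-eventmgr] Event 501 : User root@10.10.1.5 logged in as VMware-client/6.5.0
2023-02-03T08:13:44Z esx01 Hostd: info hostd[2099] [sub=Vimsvc.ha-eventmgr] Event 502 : Account svc_backup was created on host esx01
2023-02-03T08:14:02Z esx01 Hostd: info hostd[2099] [sub=Vimsvc.ha-eventmgr] Event 503 : Account svc_backup was updated on host esx01
2023-02-03T08:14:30Z esx01 Hostd: info hostd[2099] [sub=Vimsvc.ha-eventmgr] Event 504 : SSH for the host has been enabled
2023-02-03T08:15:10Z esx01 Hostd: info hostd[2099] [sub=Vimsvc.ha-eventmgr] Event 505 : ESXi Shell for the host has been enabled
2023-02-03T09:00:00Z esx01 Hostd: info hostd[2099] [sub=Vimsvc.ha-eventmgr] Event 506 : User root@10.10.1.5 logged out
"""

# Detection rules: name -> regex over the whole line. Patterns are hypothetical and
# should be anchored on the exact event text your environment produces.
RULES = {
    "account_created": re.compile(r"Account (?P<user>\S+) was created on host"),
    "account_updated": re.compile(r"Account (?P<user>\S+) was updated on host"),
    "account_removed": re.compile(r"Account (?P<user>\S+) was removed on host"),
    "ssh_enabled": re.compile(r"SSH for the host has been enabled"),
    "shell_enabled": re.compile(r"ESXi Shell for the host has been enabled"),
}

# Rules that mean "an interactive shell path onto the hypervisor was just opened".
SHELL_RULES = {"ssh_enabled", "shell_enabled"}


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    detail: str          # affected account, when the rule captures one
    severity: str = "medium"


def parse_ts(stamp: str) -> datetime:
    """Timestamps in the constructed log are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def scan(lines):
    """Run every rule over every line; the first two tokens are timestamp and host."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue                      # not a well-formed syslog line, skip it
        ts, host = parts[0], parts[1]
        for rule, rx in RULES.items():
            m = rx.search(line)
            if m:
                user = m.groupdict().get("user", "") or ""
                alerts.append(Alert(parse_ts(ts), host, rule, user))
    return alerts


def correlate(alerts, window=timedelta(minutes=10)):
    """Escalate when an account change and a shell/SSH enablement land on the same
    host within `window` of each other; individually each is routine admin work,
    together they look like someone setting up persistence."""
    for a in alerts:
        if not a.rule.startswith("account_"):
            continue
        for b in alerts:
            if b.host == a.host and b.rule in SHELL_RULES and abs(b.ts - a.ts) <= window:
                a.severity = "high"
                b.severity = "high"
    return alerts


def summarize(alerts):
    """Count alerts per rule, handy for a dashboard or a quick sanity check."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for a in correlate(scan(SAMPLE_LOG.splitlines())):
        print(f"{a.ts.isoformat()} {a.host} [{a.severity}] {a.rule} {a.detail}")
```

Pointing `scan` at a real syslog feed instead of `SAMPLE_LOG` is the only change needed once the regexes match your actual event text; the two login lines in the sample are there to show that ordinary activity passes through without firing anything.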

Of course, none of these measures will completely stop such sophisticated attacks from happening. The most effective defense is to stay on top of updates and patches and always follow best security practices. Bottom line, folks: while ransomware targeting ESXi is undoubtedly a significant threat, with the right precautions and best practices, organizations can continue to deploy the most up-to-date virtualized infrastructure while mitigating the risks. Stay safe out there!

by Morgan Phisher | HEAL Security