Cyberattacks are continuing to target VMware ESXi vSphere hypervisors, with cybersecurity firm CrowdStrike reporting today that ransomware-as-a-service (RaaS) platforms are increasingly being leveraged to deploy Linux versions of ransomware tools.
According to the cybersecurity giant, these tools are specifically designed to affect VMware’s ESXi vSphere hypervisor. The company’s research into this kind of attack dates back to February 2021, when CrowdStrike began what is now a three-part blog series looking into this trend, which it says is continuing so far in 2023.
The company says RaaS platforms such as Alphv, Lockbit and Defray are being leveraged in attacks against ESXi, which CrowdStrike says does not support third-party agents or antivirus software.
“This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries,” write CrowdStrike researchers in a new blog.
These attacks on ESXi servers have even led to the U.S. Cybersecurity and Infrastructure Agency issuing several warnings and releasing in February a recovery guide and script designed to help organizations recover from the ESXiArgs ransomware attacks.
CrowdStrike cites several vulnerabilities that have been exploited in the wild in the last few years, including:
- CVE-2020-3992 – an ESXi OpenSLP remote code execution vulnerability resulting from a use-after-free issue.
- CVE-2021-21974 – an ESXi OpenSLP heap-overflow vulnerability that could result in remote code execution.
- CVE-2019-5544 – an ESXi OpenSLP heap overwrite vulnerability.
- CVE-2021-44228 (Log4Shell) – a remote code execution vulnerability in Log4j that has been used to compromise VMware Horizon instances.
- CVE-2016-7463, CVE-2017-4940 and CVE-2020-3955 – cross-site scripting vulnerabilities used for privilege escalation.
- CVE-2021-22043 – a privilege escalation vulnerability.
New threats against VMware ESXi security
Due to VMware’s prominence in IT infrastructure, ESXi servers remain an attractive target, with an increasing number of threat actors leveraging these vulnerabilities in their attacks. Just recently, CrowdStrike has identified a new RaaS program that provides affiliates with ransomware binaries targeting Windows and ESXi/Linux systems, researchers write.
In addition, CrowdStrike and other researchers have identified many other new hacking groups and attack methods targeting ESXi over the past few years. Targeting virtual infrastructure gives attackers many advantages, including multiplying the impact of a single compromise or subverting detection and prevention mechanisms, as targeted components are often not sufficiently protected by security solutions.
“Because VMware products have been subject to critical vulnerabilities in the past, adversaries will likely continue to target any potential weaknesses, as successful compromises typically provide access to high-value resources,” CrowdStrike researchers write.
CrowdStrike says organizations should be aware of two main attack vectors when it comes to VMware ESXi servers: credential theft and virtual machine access.
Researchers call credential theft the “most straightforward attack vector against an ESXi hypervisor.” Following credential theft, an adversary can simply authenticate against the server to advance the attack based on their goal. With sufficient privileges to enable and access the SSH console, attackers can execute arbitrary code directly, even on the most recent ESXi versions.
If a VM can be accessed directly, CrowdStrike says poor segregation from the rest of the internal network can lead to the VM facilitating lateral movement, which gives attackers more flexibility to choose a vulnerable system. A properly segregated VM, however, will require an attacker to directly target the ESXi hypervisor to run code at the hypervisor level and perform a VM escape exploit. This is a complicated process, and most adversaries don’t have the capabilities to do so, researchers say.
How to secure VMware ESXi
To protect VMware hypervisors, CrowdStrike urges organizations to:
- Avoid direct access to ESXi hosts. It is recommended to use the vSphere Client to administer ESXi hosts managed by a vCenter Server. Direct access to managed hosts using the VMware Host Client or changing hosts from the Direct Console User Interface (DCUI) should be avoided.
- Use a hardened jump server with multifactor authentication (MFA). If direct access to an ESXi host is necessary, it should be limited to a jump server with MFA enabled. The jump server should be dedicated to administrative or privileged purposes, have full auditing capabilities, and restrict SSH, Web UI, and API access to ESXi or vCenter only from the jump server. SSH access should be disabled, and any attempt to enable it should trigger alerts and be investigated urgently.
- Not expose vCenter to the internet over SSH or HTTP. Adversaries have been observed gaining access to vCenter by exploiting vulnerabilities or using valid accounts. To mitigate this risk, vCenter services should not be exposed to the internet.
- Regularly back up ESXi datastore volumes. It is essential to back up virtual machine disk images and snapshots stored in ESXi datastores on a daily basis, or more frequently if possible. Backups should be stored offsite to enable system restoration during a ransomware event, while ensuring the backups themselves are not compromised.
- Consider physical disconnection of storage or power to ESXi host during encryption. In situations where encryption is suspected or known to be in progress and access to kill malicious processes is not possible, physically disconnecting the storage from the ESXi host or cutting power to the host can be an option. This can prevent ransomware from continuing to encrypt virtual machine disk files (VMDKs). Shutting down guest VMs will not help as the encryption occurs on the hypervisor itself. However, it’s important to note that physical disconnection may cause potential issues or data loss if data has not been written to backend storage.
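The jump-server recommendation above says any attempt to enable SSH should raise an alert. The following is an added example, not code from CrowdStrike or VMware, of how a log collector could flag such events and SSH sessions that do not originate from the jump server. The bracketed event IDs, the log line layout and the IP addresses are assumptions; adjust them to what your ESXi hosts actually forward.

```python
import re

# Assumption: ESXi logs are forwarded to a collector and carry event IDs in
# square brackets. The IDs below are the ones this example assumes.
SSH_ENABLED = {"esx.audit.ssh.enabled", "esx.audit.shell.enabled"}
SSH_SESSION = "esx.audit.ssh.session.opened"

EVENT_RE = re.compile(r"\[(esx\.audit\.[\w.]+)\]\s*(.*)$")
PEER_RE = re.compile(r"'([^'@]+)@([^']+)'")  # 'user@source-address'


def find_alerts(lines, jump_servers):
    """Return (severity, host, reason) tuples for SSH-related events."""
    alerts = []
    for line in lines:
        match = EVENT_RE.search(line)
        if not match:
            continue
        parts = line.split()
        host = parts[1] if len(parts) > 1 else "unknown"
        event, message = match.groups()
        if event in SSH_ENABLED:
            # SSH or shell being switched on is always worth an alert.
            alerts.append(("high", host, f"{event}: {message}"))
        elif event == SSH_SESSION:
            peer = PEER_RE.search(message)
            source = peer.group(2) if peer else "unknown"
            if source not in jump_servers:
                alerts.append(("critical", host,
                               f"SSH session from {source}, not a jump server"))
    return alerts


# Constructed sample lines (timestamp, host, event); not from a real system.
SAMPLE = [
    "2023-05-15T10:22:31Z esx01 vobd: [esx.audit.ssh.enabled] SSH access has been enabled",
    "2023-05-15T10:22:40Z esx01 vobd: [esx.audit.ssh.session.opened] SSH session was opened for 'root@10.20.0.5'",
    "2023-05-15T10:25:02Z esx02 vobd: [esx.audit.ssh.session.opened] SSH session was opened for 'root@10.20.0.77'",
    "2023-05-15T10:26:00Z esx02 vobd: [esx.audit.host.boot] Host has booted",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE, jump_servers={"10.20.0.5"}):
        print(alert)
```
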
Read VMware’s ESXi security recommendations to learn more.