MichaelKors Showcases Ransomwares Fashionable VMware ESXi Hypervisor Trend

Published: 23/11/2024   Category: security




Wide use and a lack of support for malware detection technologies have made VMware's virtualization technology a prime target for cyberattackers.



The widespread use of VMware's ESXi hypervisor, and the fact that it does not support any third-party malware detection capabilities, has made the technology an increasingly attractive target for ransomware operators.
The latest manifestation of that fashion trend is MichaelKors, a new ransomware-as-a-service (RaaS) program that researchers at CrowdStrike found attackers recently using to target ESXi/Linux systems. MichaelKors is one of several paid services CrowdStrike is tracking — including Alpha Spider, Bitwise Spider, and Sprite Spider — that currently provide attackers with malicious binaries for locking up ESXi systems.
Earlier this month, SentinelOne reported a similar trend involving ransomware variants based on leaked source code of the Babuk ransomware strain from 2021. Between the second half of 2022 and so far in 2023, SentinelOne has observed at least 10 ransomware families based on Babuk source code targeting the ESXi hypervisor. Among those using the Babuk ESXi variants were small groups and large ransomware operators such as Conti and REvil. SentinelOne found the attackers often taking advantage of ESXi's native tools and commands to kill guest machines and encrypt hypervisor files.
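Because the guest-stopping activity described above is carried out with ESXi's own administrative commands, one defensive handle is the hypervisor's shell audit log. The following detector is an added example written for this article, not code from CrowdStrike or SentinelOne; it assumes the line shape of ESXi's /var/log/shell.log and runs over a constructed sample, flagging a session that stops several guests within a short window while leaving a single routine power-off alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape of ESXi /var/log/shell.log: "<UTC timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")

# Native ESXi commands that stop guests: normal in maintenance, suspicious as a rapid burst.
KILL_RE = re.compile(r"(esxcli\s+vm\s+process\s+kill|vim-cmd\s+vmsvc/power\.off)")

# Constructed sample log (not a real capture): session 12345 stops four guests within
# seconds; session 22222 powers off one VM hours later, which is ordinary admin work.
SAMPLE_LOG = """\
2024-11-23T02:14:01Z shell[12345]: [root]: vim-cmd vmsvc/getallvms
2024-11-23T02:14:05Z shell[12345]: [root]: esxcli vm process list
2024-11-23T02:14:09Z shell[12345]: [root]: esxcli vm process kill --type=force --world-id=2101
2024-11-23T02:14:10Z shell[12345]: [root]: esxcli vm process kill --type=force --world-id=2102
2024-11-23T02:14:11Z shell[12345]: [root]: vim-cmd vmsvc/power.off 7
2024-11-23T02:14:12Z shell[12345]: [root]: vim-cmd vmsvc/power.off 8
2024-11-23T09:00:00Z shell[22222]: [admin]: vim-cmd vmsvc/power.off 3
"""


def parse_line(line):
    """Parse one shell.log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_kill_bursts(log_text, window=timedelta(minutes=5), threshold=3):
    """Return one alert per shell session that issues >= threshold guest-stop commands inside `window`."""
    per_session = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and KILL_RE.search(rec["cmd"]):
            per_session[rec["pid"]].append(rec)
    alerts = []
    for pid, events in per_session.items():
        events.sort(key=lambda r: r["ts"])
        for i, first in enumerate(events):  # slide a window anchored at each stop command
            inside = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            if len(inside) >= threshold:
                alerts.append({"session": pid, "user": first["user"], "count": len(inside),
                               "start": first["ts"], "commands": [e["cmd"] for e in inside]})
                break
    return alerts


if __name__ == "__main__":
    for a in find_kill_bursts(SAMPLE_LOG):
        print(f"session {a['session']} ({a['user']}) stopped {a['count']} guests from {a['start']:%H:%M:%S}")
```

Shipping shell.log off the host to a collector is what makes this useful, since the article's point is that nothing on the hypervisor itself will raise the alarm.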
Other vendors have reported seeing multiple other major ransomware groups, including the operators of Royal ransomware, Luna, and Black Basta, all pivoting from Windows to ESXi/Linux over the past year.
A couple of factors are driving attacker interest in hypervisors, and in VMware's ESXi technology in particular.
One of them is the fact that many organizations use ESXi to manage their virtual infrastructure. VMware environments often host hundreds of VMs running business critical applications. By compromising ESXi, attackers can potentially gain control over multiple virtual machines on the host, thereby giving them an opportunity to considerably scale up their attacks. In a ransomware scenario, an attacker can encrypt multiple virtual machines and increase their likelihood of collecting a ransom from victims.
Such hypervisor jackpotting is a tactic that attackers use in so-called big game hunting campaigns targeting large and high-profile enterprise organizations. In hypervisor jackpotting, threat actors deploy Linux versions of ransomware tools specifically designed to affect VMware’s ESXi vSphere hypervisor, a CrowdStrike spokeswoman says. By deploying ransomware on ESXi hosts, adversaries quickly increase the scope of affected systems within the victim environments, resulting in additional pressure on victims to pay a ransom demand.
The second reason attackers are increasingly targeting ESXi environments is that they know the hypervisor doesn't support any native malware detection capabilities, according to CrowdStrike. As a hypervisor, ESXi is designed purely to provide virtualization services and services for managing virtual machines. VMware itself has described the hypervisor as not requiring any antivirus software and has not provided any support for third-party malware detection agents either. ESXi, by design, does not support third-party agents or antivirus software, and VMware states in its documentation that antivirus software is not required, CrowdStrike said in its blog post this week. This fact, combined with the popularity of ESXi, has made the hypervisor a highly attractive target for modern adversaries, the security vendor said.
Others have highlighted the same problem. Recorded Future, which counted a threefold increase in ransomware targeting ESXi servers between 2021 and 2022 (from 434 to 1,188), recently noted the immaturity of antivirus and malware detection technologies for ESXi, and the difficulty of implementing them, as lowering the barrier for threat actors. Defensive practices are difficult to implement due to the complex nature of hypervisors, Recorded Future said.
ESXi vulnerabilities are another problem. A case in point is a global ransomware attack on ESXi servers earlier this year that exploited two vulnerabilities in the hypervisor, one from 2021 (CVE-2021-21974) and the other from 2020 (CVE-2020-3992), to drop a novel ransomware strain called ESXiArgs.
Given the popularity of VMware products and the continuous adoption of cloud infrastructure, this problem appears to be getting worse, the CrowdStrike spokeswoman says. CrowdStrike Intelligence has also observed hypervisor jackpotting becoming a dominant trend.
The larger issue at play is that there is currently no solution out there to help with the threat. Threat actors continue to target VMware as they know that the ESXi environment is vulnerable and without remedy at the moment, the CrowdStrike spokeswoman notes. More and more threat actors are recognizing that the lack of security technology and monitoring, lack of adequate network segmentation of ESXi interfaces, and in-the-wild vulnerabilities for ESXi create a target-rich environment for ransomware attackers.
