Cybersecurity firm CrowdStrike has raised concerns about targeted attacks against VMware ESXi servers, which it says are on the rise and likely to continue. The revelations came in a blog post revealing that a new ransomware-as-a-service (RaaS) group called MichaelKors had been targeting servers running VMware ESXi bare-metal hypervisors since April. CrowdStrike said other RaaS platforms, such as Nevada ransomware, may also be capable of targeting ESXi environments, and noted that adversaries such as Nemesis Kitten and Prophet Spider had used the Log4Shell vulnerability to compromise VMware Horizon instances.
ESXiArgs, a large-scale global ransomware campaign, targeted thousands of vulnerable ESXi servers by exploiting two outdated vulnerabilities in February. CrowdStrike and Mandiant reported observing separate ESXi attacks in which threat actors deployed malware to maintain persistence on victim machines.
CrowdStrike said one of the major issues with ESXi is that the software does not support third-party antivirus products, and that attackers are targeting known vulnerabilities in the hypervisor software. Enterprises are increasingly adopting virtualization technology and migrating to the cloud, creating a growing number of targets.
The cybersecurity firm said credential theft is the most straightforward attack vector against an ESXi hypervisor for gaining access to VMs. If the attacker reaches the SSH console, arbitrary code can be executed directly, even on the most recent ESXi versions. Disabling SSH access was one recommendation made in February when ESXiArgs attacks escalated.
CrowdStrike also observed another attack path, in which adversaries gained initial access to the vCenter server management software either by using valid accounts or by exploiting remote code execution vulnerabilities. While VMware has addressed the flaws, CrowdStrike said those services should not be exposed to the internet over HTTP or SSH, in order to mitigate the risk.
CrowdStrike said virtual infrastructure products such as Horizon and ESXi hypervisors are popular targets because of how crucial such software is to an organisation's virtualization and IT infrastructure management. Other recommendations to protect against the increasing attacks included avoiding direct access to ESXi hosts and maintaining sufficient backups.
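Because the article's recommendation is that SSH on ESXi hosts should be disabled, any successful SSH login to a host is worth an alert, and one preceded by a burst of failures from the same source is a likely sign of the credential-guessing path described above. The following is an added example (not code from the article or from CrowdStrike) of detection logic run over constructed sample log lines; it assumes the OpenSSH-style `Accepted ... for USER from SRC port N` / `Failed ... for USER from SRC port N` format that sshd writes to `/var/log/auth.log` on ESXi, so adjust `LINE_RE` if your hosts log differently.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from any real host) in the assumed
# OpenSSH-style sshd format found in /var/log/auth.log on ESXi.
SAMPLE_AUTH_LOG = """\
2023-05-10T08:01:12Z sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
2023-05-10T08:01:14Z sshd[2001]: Failed password for root from 203.0.113.7 port 51001 ssh2
2023-05-10T08:01:16Z sshd[2001]: Failed password for root from 203.0.113.7 port 51002 ssh2
2023-05-10T08:01:19Z sshd[2003]: Accepted keyboard-interactive/pam for root from 203.0.113.7 port 51003 ssh2
2023-05-10T09:30:00Z sshd[2105]: Accepted keyboard-interactive/pam for root from 10.10.0.5 port 40222 ssh2
2023-05-10T09:45:00Z sshd[2107]: Failed password for invalid user admin from 198.51.100.9 port 42000 ssh2
"""

# Matches both "Accepted <method> for <user> from <src> port <n>" and
# "Failed <method> for [invalid user] <user> from <src> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn raw sshd log text into a list of event dicts, skipping unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_ssh_access(events, failure_threshold=3):
    """Report every successful SSH login (SSH should be disabled on ESXi hosts).

    A login preceded by at least `failure_threshold` failures from the same
    source address is escalated to high severity as probable credential guessing.
    """
    failures = defaultdict(int)   # running count of failed attempts per source
    findings = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
            continue
        preceding = failures[ev["src"]]
        findings.append({
            "time": ev["ts"],
            "user": ev["user"],
            "src": ev["src"],
            "preceding_failures": preceding,
            "severity": "high" if preceding >= failure_threshold else "medium",
        })
        failures[ev["src"]] = 0   # reset after a success so later bursts are counted afresh
    return findings


def audit(text, failure_threshold=3):
    """Convenience wrapper: parse a log file's text and return the findings."""
    return detect_ssh_access(parse_auth_log(text), failure_threshold)


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTH_LOG):
        print(f"[{f['severity']}] {f['time']} ssh login as {f['user']} from {f['src']} "
              f"after {f['preceding_failures']} failures")
```

Run against the embedded sample, the script reports the 203.0.113.7 login as high severity (three failures first) and the 10.10.0.5 login as medium; in practice the medium finding is still worth reviewing, since with SSH disabled per the recommendation no such login should occur at all.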
SentinelOne also raised concerns about cybercriminals using the Babuk builder to develop ESXi and Linux ransomware, with the vendor observing that 10 ransomware families had taken advantage of Babuk's leaked source code. Babuk was one of the first ransomware groups to target ESXi, according to SentinelOne.
It appears that cybercriminals are taking a sustained interest in exploiting vulnerabilities in VMware ESXi hypervisors. Experts suggest that countering such attacks, and addressing the weaknesses in the hypervisor software, should be treated as a high priority in IT security planning.