Organizations using VMware-based virtualization infrastructure, specifically ESXi and associated products, are confronting a deluge of attacks. More threat actors are coalescing their efforts around the widely used products to initiate ransomware attacks, CrowdStrike Intelligence said Monday.
“More and more threat actors are recognizing that the lack of security tools, lack of adequate network segmentation of ESXi interfaces, and in-the-wild vulnerabilities for ESXi create a target-rich environment,” CrowdStrike researchers wrote in the hypervisor jackpotting update.
These factors allow threat actors to “quickly hamper, disrupt and gain leverage to force organizations to consider paying a ransom or extortion demand to get their virtual machines up and running again,” a CrowdStrike spokesperson said via email.
VMware’s hypervisor infrastructure is found throughout enterprise and government. VMware, which is awaiting regulatory approval on Broadcom’s proposed $61 billion acquisition of the company, commands 71% of the global market for virtualization infrastructure software with more than 500,000 customers and $6 billion in revenue in 2022, according to Gartner.
VMware’s virtualization product line is often a crucial component of an organization’s IT infrastructure and management system, CrowdStrike researchers noted in the report.
VMware products such as ESXi, vCenter, ONE Access and Horizon are used by organizations to host hundreds of virtual machines that run critical applications such as Active Directory and business operations systems.
“Given the popularity of VMware products and the continuous adoption of cloud infrastructure, this problem appears to be getting worse,” the CrowdStrike spokesperson said.
Hypervisor jackpotting has become a dominant trend, according to CrowdStrike, because virtual infrastructure allows threat actors to multiply the impact of a single compromise and to bypass the insufficient detection and prevention mechanisms in these components.
“The larger issue at play is that there is currently no solution out there to help with the threat. Threat actors continue to target VMware as they know that the ESXi environment is vulnerable and without remedy at the moment,” the spokesperson said.
Threat intelligence researchers at CrowdStrike identified a new ransomware-as-a-service (RaaS) platform, dubbed MichaelKors, that provides affiliates with ransomware binaries targeting ESXi servers running on Windows and Linux.
CrowdStrike has also tracked threat actors using the RaaS platforms ALPHV (also known as BlackCat), LockBit and Defray to target ESXi.
Threat actors are actively exploiting several known vulnerabilities in ESXi, according to CrowdStrike. Attack vectors include credential theft and virtual machine access.
Unpatched VMware vulnerabilities pose persistent risk
CrowdStrike is one of many threat intelligence firms warning businesses about the risks lurking in unpatched VMware hypervisor infrastructure. Recorded Future in February said it tracked a surge in ransomware attacks targeting VMware ESXi before a ransomware spree dubbed ESXiArgs compromised thousands of virtual machines.
Recorded Future identified only two ransomware attacks against ESXi in 2020, but observed more than 400 ransomware attacks in 2021 and 1,118 attacks in 2022.
The heightened rate of attacks extends to other active exploits that prompted cyber authorities to issue a joint advisory about unpatched Log4Shell in VMware Horizon and Unified Access Gateway servers in June 2022.
“As the CrowdStrike report mentions, ransomware operators gain initial access by exploiting known vulnerabilities in unpatched software and other security hygiene gaps,” a VMware spokesperson said via email. “Customers should understand that endpoint detection and response and antivirus solutions are not a substitution for core security practices such as patching known vulnerabilities.”
VMware referenced previous reports indicating ransomware operators were targeting products with unpatched vulnerabilities that were addressed and disclosed at least two to three years ago in security advisories.