A new ransomware-as-a-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023.
The development shows that cybercriminals are increasingly targeting ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News.
“This trend is especially important given the fact that ESXi, by design, does not support third-party agents or AV software,” the company said.
“In fact, VMware claims that it’s not needed. This, combined with ESXi’s popularity as a widespread and popular virtualization and management system, makes hypervisors a very attractive target for modern adversaries.”
Targeting the VMware ESXi hypervisor with ransomware to scale such campaigns is a technique known as hypervisor jackpotting. Over the years, the approach has been adopted by several ransomware groups, including Royal.
What’s more, analysis from SentinelOne last week revealed that 10 different ransomware families, including Conti and REvil, had used the Babuk source code that leaked in September 2021 to develop lockers for the VMware ESXi hypervisor.
Other notable e-crime outfits that have updated their arsenal to target ESXi include ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, NevadaPlay, Fortress, and Rorschach.
One of the reasons why the VMware ESXi hypervisor is such an attractive target is that the software runs directly on the physical server, giving potential attackers the ability to run malicious ELF binaries and gain unrestricted access to the underlying machine’s resources.
An attacker wishing to penetrate the ESXi hypervisor could do so by using compromised credentials, followed by gaining elevated privileges and moving laterally through the network or outside the confines of the environment through known vulnerabilities to advance their motives.
VMware, in knowledge base articles last updated in September 2020, notes that “antivirus software is not required with vSphere Hypervisor and use of such software is not supported.”
“More and more threat actors are realizing that the lack of security tools, lack of adequate ESXi interface network segmentation, and (in-the-wild) vulnerabilities for ESXi create a target-rich environment,” said CrowdStrike.
Ransomware actors are not the only outfits that attack virtual infrastructure. In March 2023, Google-owned Mandiant linked a Chinese nation-state group to the use of new backdoors dubbed VIRTUALPITA and VIRTUALPIE in attacks targeting VMware ESXi servers.
To mitigate the impact of hypervisor jackpotting, organizations are advised to avoid direct access to ESXi hosts, enable two-factor authentication, perform periodic backups of ESXi data storage volumes, apply security updates, and perform security posture reviews.
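The controls listed above (no direct host access, backups, current patches, posture reviews) can be checked from vCenter rather than by hand. The PowerCLI script below is an added example and is not code from the article, CrowdStrike or VMware; it assumes the VMware.PowerCLI module is installed, that the account used has read access to vCenter, and that the vCenter address, the patched-baseline build number and the backup directory are placeholders you supply. It flags hosts where lockdown mode is off or the SSH/ESXi Shell services are running (both allow management outside vCenter), compares each host's build against your patched baseline, and optionally exports the host configuration backups the article recommends. Two-factor authentication is enforced at the identity provider and is not checked here.

```powershell
# Added example, not the article's or VMware's code. Assumes VMware.PowerCLI,
# read access to vCenter, and placeholder values for the parameters below.
param(
    [Parameter(Mandatory)][string]$VCenter,   # placeholder, e.g. 'vcenter.example.invalid'
    [int64]$MinimumBuild = 0,                 # placeholder: build number of your patched baseline
    [string]$BackupConfigTo = ''              # optional directory for host config backups
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$findings = foreach ($h in Get-VMHost) {
    $cfg      = $h.ExtensionData.Config
    $services = Get-VMHostService -VMHost $h
    $ssh      = $services | Where-Object { $_.Key -eq 'TSM-SSH' }   # SSH service
    $shell    = $services | Where-Object { $_.Key -eq 'TSM' }       # ESXi Shell service

    # Lockdown mode (normal or strict) plus stopped SSH/Shell services forces
    # all management through vCenter, which is what "avoid direct access" means.
    $directAccess = ($cfg.LockdownMode -eq 'lockdownDisabled') -or $ssh.Running -or $shell.Running

    if ($BackupConfigTo) {
        # Exports the host's configuration bundle so it can be restored after an incident.
        Get-VMHostFirmware -VMHost $h -BackupConfiguration -DestinationPath $BackupConfigTo | Out-Null
    }

    [pscustomobject]@{
        Host               = $h.Name
        Version            = $h.Version
        Build              = $h.Build
        LockdownMode       = $cfg.LockdownMode   # lockdownDisabled / lockdownNormal / lockdownStrict
        SshRunning         = $ssh.Running
        SshAutoStart       = ($ssh.Policy -eq 'on')
        ShellRunning       = $shell.Running
        DirectAccessRisk   = $directAccess
        BuildBelowBaseline = ([int64]$h.Build -lt $MinimumBuild)
    }
}

$findings | Format-Table -AutoSize

# Hosts needing attention go to a CSV for the posture review.
$findings | Where-Object { $_.DirectAccessRisk -or $_.BuildBelowBaseline } |
    Export-Csv -Path .\esxi-posture-findings.csv -NoTypeInformation

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it as `.\Audit-EsxiPosture.ps1 -VCenter <vcenter> -MinimumBuild <build> -BackupConfigTo C:\esxi-backups` from an administrative workstation. A host that shows `lockdownDisabled` or a running SSH/Shell service is reachable by anyone holding host-level credentials, which is exactly the compromised-credential path the article describes; closing that gap and patching below-baseline hosts are the first two items to take from the output.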
“Adversaries will likely continue to target VMware-based virtualization infrastructure,” said CrowdStrike. “This is a major concern as more organizations continue to transfer workloads and infrastructure to the cloud environment – all through the VMware Hypervisor environment.”