In a virtualized on-premises environment based on VMware, ransomware distribution scenarios can be somewhat unique due to the nature of virtualization technology. However, many of the traditional attack vectors still apply. Here are some ransomware distribution scenarios specific to a VMware-based virtualized environment:
- Phishing Attacks Targeting Administrators: Administrators with access to the VMware environment might receive phishing emails. If they fall for these and their credentials are compromised, attackers can gain access to the virtualized environment.
- Exploiting Vulnerabilities in VMware Software: If VMware software or the underlying operating system is not kept up-to-date with security patches, vulnerabilities can be exploited by attackers to deliver ransomware into the virtualized environment.
- Compromised Remote Management Tools: Tools used for remote management of the virtualized environment, such as vSphere, can be a target. If these tools are compromised, attackers can gain deep access to the virtual infrastructure. Think of the RDP-accessible machine that administrators use to manage their VMware environment.
- Attacks Through the Management Interface: The management interface of VMware (like vCenter Server) can be targeted. Attackers might attempt to breach these interfaces, especially if they are exposed to an external network without adequate security measures.
- Misconfigured Virtual Machines (VMs): VMs that are improperly secured can be entry points for ransomware. For example, a VM with unnecessary network exposure or weak authentication can be easily compromised. VM escape is another possibility, although starting with vSphere 7 a native sandbox per VM is implemented by design, which eliminates the threat of exploiting the VMX process.
- Insider Threats: An insider with malicious intent and access to the VMware environment could intentionally deploy ransomware within the virtualized infrastructure.
- Spread Through Shared Resources: In a virtualized environment, VMs often share resources like network, storage, and sometimes even the same physical hardware. Ransomware can exploit these shared resources to spread across multiple VMs. If attackers gain control over an ESXi host, they can access all the datastores that the host can access, putting every VM on those datastores at risk.
- Insecure APIs and Integrations: If VMware is integrated with other systems through APIs, and these integrations are not secured properly, they could be exploited to inject ransomware.
- USB Devices and Removable Media: If the VMware environment is configured to allow VMs to access physical USB devices and these devices are compromised, they can be a vector for ransomware infection.
In recent years, there has been a significant increase in cyber attacks focused on VMware environments. The ESXi hypervisor, in particular, has been frequently targeted, with a surge in ransomware attacks aimed at encrypting the data of virtual machines. This worrying trend emphasizes the escalating security challenges faced by virtualized systems.
In early 2023, the cybersecurity landscape saw the rise of the ESXiArgs ransomware, a malicious threat preying on unpatched ESXi hypervisors. This attack hit many organizations around the world, showing just how important it is to keep such systems up to date.
What is ESXiArgs Ransomware?
- Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware.
- The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.
- ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable.
- Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files.
- As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file.
- CISA's recovery script (see the guidance referenced below) automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.
Earlier in 2023, CISA and the FBI jointly issued a Cybersecurity Advisory in response to the escalating threat posed by the ESXiArgs ransomware attacks. Check out their ESXiArgs Ransomware Virtual Machine Recovery Guidance.
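The advisory's two facts above (which extensions ESXiArgs overwrites, and that -flat.vmdk extents survive) are enough for a first triage pass over a VM folder. The following is an added example, not code from the page or from CISA's script; the text-content heuristic for spotting overwritten descriptor files and the sample folder listing are assumptions constructed here.

```python
import string
from pathlib import PurePosixPath

# File extensions the advisory lists as encrypted by ESXiArgs.
TARGETED_EXTS = {"vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem"}
# Of those, these are plain-text files on a healthy datastore, so a printable-text
# check can separate intact from overwritten copies (heuristic assumed here).
TEXT_EXTS = {"vmx", "vmxf", "vmsd", "vmdk"}
# Binary disk extents hold the actual data; ESXiArgs leaves flat files alone.
EXTENT_SUFFIXES = ("-flat.vmdk", "-delta.vmdk", "-sesparse.vmdk")
PRINTABLE = set(string.printable.encode("ascii"))

def looks_like_text(data: bytes) -> bool:
    sample = data[:512]
    return bool(sample) and all(b in PRINTABLE for b in sample)

def triage_vm_folder(files: dict) -> dict:
    """Classify one VM directory (filename -> bytes) and flag rebuildable disks."""
    report = {"encrypted": [], "intact": [], "unchecked": [], "recoverable_disks": []}
    for name, data in files.items():
        if name.endswith(EXTENT_SUFFIXES):
            report["intact"].append(name)        # extent data is not encrypted
            continue
        ext = PurePosixPath(name).suffix.lstrip(".")
        if ext not in TARGETED_EXTS:
            continue                             # logs etc. are not in scope
        if ext not in TEXT_EXTS:
            report["unchecked"].append(name)     # binary by nature; content cannot tell
        elif looks_like_text(data):
            report["intact"].append(name)
        else:
            report["encrypted"].append(name)
    # An overwritten .vmdk descriptor can be regenerated as long as its -flat.vmdk
    # survived, which is what the recovery script automates.
    for name in report["encrypted"]:
        if name.endswith(".vmdk") and name[:-5] + "-flat.vmdk" in files:
            report["recoverable_disks"].append(name)
    return {key: sorted(val) for key, val in report.items()}

SAMPLE_VM_DIR = {  # constructed listing of one VM folder after an incident
    "web01.vmx": b"\x8f\x3a\x12\xc4\xab\x90\xee\x01\x55",          # ciphertext stand-in
    "web01.vmdk": b"\x9c\xfe\x01\x77\x10\x00\xaa",                 # overwritten descriptor
    "web01-flat.vmdk": b"\x00" * 4096,                             # raw disk, untouched
    "web01.vmxf": b'<?xml version="1.0"?>\n<Foundry></Foundry>\n', # still plain text
    "web01.nvram": b"\x01\x02",                                    # binary, cannot judge
    "web01.log": b"vmx| I005: VMX idle\n",                         # not a targeted type
}

if __name__ == "__main__":
    print(triage_vm_folder(SAMPLE_VM_DIR))
```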
The VMware Security Response Center has published an extensive FAQ to address concerns and provide in-depth information about this type of attack, which is accessible here.
Over the past year, many of the clients I have worked with have asked which particular vulnerabilities ransomware has targeted within VMware environments. To answer them, I have put together a succinct overview of these vulnerabilities:
- Several remote code execution vulnerabilities have been exploited against VMware ESXi servers and vCenter servers.
- The critical vulnerabilities that give attackers access to vSphere hosts relate to the Service Location Protocol (SLP) used by vSphere to discover devices on the same network. By sending malicious SLP commands, the attacker can execute remote code on the host.
List of VMware CVEs (Common Vulnerabilities and Exposures) related to this issue:

| Vulnerability | Affected products |
|---|---|
| A malicious actor with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service, resulting in remote code execution. | ESXi 6.7, 6.5, 6.0 |
| A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service, resulting in remote code execution. | ESXi 7.0, 6.7, 6.5; VCF 4.x, 3.x |
| A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. | vCenter Server 7.0, 6.7, 6.5; VCF 4.x, 3.x |
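Both SLP entries in the table hinge on port 427 being reachable and the OpenSLP service running, so the check a defender wants is whether a host still has either. The block below is an added example, not from the page or from VMware: it parses the captured output of two host commands named in VMware's KB 76372 on disabling SLP, and the sample output is constructed here (real esxcli column spacing may differ, which the whitespace split tolerates).

```python
# Host commands whose output is audited (run on the ESXi shell, e.g. over SSH).
RULESET_CMD = "esxcli network firewall ruleset list"
CHKCONFIG_CMD = "chkconfig --list slpd"

# Remediation documented in VMware KB 76372, listed for the report only.
REMEDIATION = [
    "/etc/init.d/slpd stop",
    "esxcli network firewall ruleset set -r CIMSLP -e 0",
    "chkconfig slpd off",
]

# Constructed sample output of the two commands on an unhardened host.
SAMPLE_RULESET = """\
Name           Enabled
-------------  -------
sshServer      true
CIMSLP         true
vSphereClient  true
"""
SAMPLE_CHKCONFIG = "slpd            on\n"

def parse_ruleset_list(text: str) -> dict:
    """Map ruleset name -> enabled flag, skipping the header and separator lines."""
    rules = {}
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) == 2:
            rules[parts[0]] = parts[1].lower() == "true"
    return rules

def slpd_enabled_at_boot(text: str) -> bool:
    parts = text.split()
    return len(parts) >= 2 and parts[0] == "slpd" and parts[1] == "on"

def slp_findings(ruleset_text: str, chkconfig_text: str) -> list:
    """Return findings; an empty list means SLP is both firewalled and disabled."""
    findings = []
    if parse_ruleset_list(ruleset_text).get("CIMSLP", False):
        findings.append("CIMSLP firewall ruleset enabled: port 427 reachable from the management network")
    if slpd_enabled_at_boot(chkconfig_text):
        findings.append("slpd enabled at boot: OpenSLP service will be running")
    return findings

if __name__ == "__main__":
    for finding in slp_findings(SAMPLE_RULESET, SAMPLE_CHKCONFIG):
        print("FINDING:", finding)
    print("Fix:", *REMEDIATION, sep="\n  ")
```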
VMware has published a list of ESXi-Targeting Ransomwares. The post discusses the rising threat of ransomware attacks specifically targeting ESXi systems. These attacks capitalize on the extensive use of ESXi in enterprise virtual environments, making them a lucrative target for cybercriminals. The article underscores the necessity of implementing strong security measures to protect ESXi instances. It emphasizes the importance of understanding these threats to develop effective defense strategies, highlighting the evolving nature of cybersecurity challenges in virtualized infrastructures.
What can an attacker do once they have access to ESXi?
1. Uninstall the Fault Domain Manager, or fdm (the HA agent), which is used to restart VMs in case of failure.
2. Shut down all the virtual machines.
3. Encrypt all virtual machine files.
4. Scan for network storage drives and try to encrypt them.
5. Write a ransom file to the datastore for the administrator to find.
What is a VM Escape?
Description
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4.
Known Attack Vectors
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
The Virtual Machine Sandbox
This feature, introduced in vSphere 7, is designed to mitigate "VM Escape" scenarios. In such situations, an attacker might breach a guest system, possibly through a driver or similar methods, and subsequently gain control over the base hypervisor.