The Linux and VMware ESXi systems are the latest targets of a new ransomware-as-a-service (RaaS) operation known as MichaelKors that emerged in April 2023. Cybersecurity firm CrowdStrike has reported that the ESXi is an increasingly popular target for cybercriminals, even though it does not support third-party agents or anti-virus software. Using the ESXi hypervisor is an attractive technique for hackers to scale ransomware campaigns.
Known as hypervisor jackpotting, several ransomware groups, including Royal, are adopting this approach. Additionally, ten different ransomware families, including Conti and REvil, code in September 2021 used leaked Babuk source to develop lockers for VMware ESXi hypervisors, according to an analysis by SentinelOne. Other top cybercriminal groups now targeting ESXi include ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach.
One of the reasons that VMware ESXi hypervisors are becoming a popular target for cybercriminals is that the software runs directly on a physical server, providing potential attackers the ability to run malicious ELF binaries and gain unrestricted access over the machine’s underlying resources. Attackers can access ESXi hypervisors using compromised credentials which promotes the chance of obtaining elevated privileges. They can laterally move through the network or exploit the vulnerabilities to escape the controlled environment.
CrowdStrike has pointed out that “more and more threat actors are recognizing that the lack of security tools, lack of adequate network segmentation of ESXi interfaces, and [in-the-wild] vulnerabilities for ESXi creates a target-rich environment.”
Due to the threat, recommendations encouraged organizations to avoid direct ESXi host access, enable two-factor authentication, take periodic backups of ESXi datastore volumes, apply security updates, and conduct security posture reviews to mitigate the impact of hypervisor jackpotting.
It’s worth noting that ransomware actors are not the only outfits to strike virtual infrastructure. In March 2023, Mandiant, a Google-owned cybersecurity company, attributed a Chinese nation-state group to using novel backdoors known as VIRTUALPITA and VIRTUALPIE in attacks aimed at VMware ESXi servers.
CrowdStrike has emphasized that “adversaries will likely continue to target VMware-based virtualization infrastructure,” posing a significant concern due to more organizations transferring workloads and infrastructure into cloud environments, and it’s all done through VMWare Hypervisor environments.
