{"id":41830,"date":"2021-03-01T14:29:10","date_gmt":"2021-03-01T14:29:10","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=7c147480a83d829d243618959b10ce7d"},"modified":"2021-03-01T14:29:10","modified_gmt":"2021-03-01T14:29:10","slug":"ransomware-operators-are-exploiting-vmware-esxi-flaws","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/ransomware-operators-are-exploiting-vmware-esxi-flaws\/","title":{"rendered":"Ransomware operators are exploiting VMware ESXi flaws"},"content":{"rendered":"


\n Keumars Afifi-Sabet<\/a><\/span>
\n <\/span><\/p>\n

\n
\n
1 Mar, 2021<\/span><\/div>\n<\/p><\/div>\n<\/div>\n

\n<\/a><\/p>\n

\n

Two ransomware strains have retooled to exploit vulnerabilities in the\u00a0VMware<\/a>\u00a0ESXi hypervisor system publicised last week and encrypt virtual machines (VMs).<\/p>\n

The company patched\u00a0three critical flaws across its virtualisation products<\/a>\u00a0last week. These included a heap buffer overflow bug in the ESXi bare-metal hypervisor, as well as a flaw that could have allowed hackers to execute commands on the underlying operating system that hosts the vCenter Server.<\/p>\n

<\/p>\n

\nResearchers with CrowdStrike<\/a>\u00a0have since learned that two groups, known as ‘Carbon Spider’ and ‘Sprite Spider’, have updated their weapons to target the ESXi hypervisor specifically in the wake of these revelations. These groups have historically targeted Windows systems, as opposed to Linux installations, in large-scale\u00a0ransomware campaigns<\/a>\u00a0also known as big game hunting (BGH).<\/p>\n

The attacks have been successful, with affected victims including organisations that have used virtualisation to host many of their corporate systems on just a few ESXi servers. The nature of ESXi means these served as a \u201cvirtual jackpot\u201d for hackers, as they were able to compromise a wide variety of enterprise systems with relatively little effort.<\/p>\n

This follows news that cyber criminals last week were\u00a0actively scanning for vulnerable businesses with unpatched VMware vCenter servers<\/a>, only days after VMware issued fixes for the three flaws.<\/p>\n

\u201cBy deploying ransomware on ESXi, Sprite Spider and Carbon Spider\u00a0likely intend to impose greater harm on victims than could be achieved by their respective Windows ransomware families alone,\u201d said CrowdStrike researchers Eric Loui and Sergei Frankoff.\u00a0<\/p>\n

\u201cEncrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations.<\/p>\n

\u201cIf these ransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to target virtualization infrastructure in the medium term.\u201d<\/p>\n

Sprite Spider\u00a0has conventionally launched low-volume BGH campaigns using the Defray777 strain, first attempting to compromise domain controllers before exfiltrating victim data and encrypting files.\u00a0<\/p>\n

Carbon Spider, meanwhile, has traditionally targeted companies operating\u00a0point-of-sale<\/a>\u00a0(POS) devices, with initial access granted through phishing campaigns. The group abruptly shifted its operational model in April last year, however, to instead undertake broad and opportunistic attacks against large numbers of victims. It launched its own strain, dubbed Darkside, in August 2020.<\/p>\n

\n
\n
\n
Featured Related Content<\/div>\n
Improving cyber security for remote working<\/a><\/div>\n<\/div>\n<\/div>\n<\/div>\n

Both strains have compromised ESXI systems by harvesting credentials that can be used to authenticate to the vCenter web interface, which is a centralised server admin tool that can control multiple ESXi devices.\u00a0<\/p>\n

After connecting to vCenter, Sprite Spider enables SSH to allow persistent access to ESXi devices, and in some cases changes the root password or the host\u2019s SSH keys. Carbon Spider, meanwhile, accesses vCenter using legitimate credentials but also logged in over SSH using the Plink tool to drop its Darkside ransomware. <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Keumars Afifi-Sabet<\/p>\n

1 Mar, 2021 <\/p>\n

Two ransomware strains have retooled to exploit vulnerabilities in the\u00a0VMware\u00a0ESXi hypervisor system publicised last week and encrypt virtual machines (VMs).
\nThe company patched\u00a0three crit…<\/p>\n","protected":false},"author":433,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-41830","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/433"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=41830"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41830\/revisions"}],"predecessor-version":[{"id":41831,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41830\/revisions\/41831"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=41830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=41830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=41830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}