CrowdStrike finds new ransomware-as-a-service group targeting VMware ESXi servers (5 tips to fight back)
Nancy Liu | Editor
May 15, 2023 11:00 AM
CrowdStrike discovered a new ransomware-as-a-service (RaaS) group — MichaelKors (formerly Qilin) — that has been targeting VMware ESXi servers since last month.

VMware ESXi is a hypervisor that runs and manages virtual machines (VMs) directly on a dedicated host’s hardware. Products associated with the ESXi platform include VMware vSphere Hypervisor, vCenter, ONE Access (Identity Manager) and Horizon.

CrowdStrike noted that VMware virtual infrastructure products are highly attractive targets for attackers. This is a major concern because the company’s product line is often a crucial component of an organization’s virtualization and management infrastructure, and many organizations are moving workloads and infrastructure into cloud environments built on VMware hypervisors.

Since 2020, CrowdStrike has tracked threat actors and RaaS platforms including Big Game Hunting (BGH), Nevada, Alphv, Lockbit and Defray targeting ESXi, while a number of adversaries including NEMESIS KITTEN, SILENT CHOLLIMA and eCrime actors like PROPHET SPIDER have used Log4Shell (CVE-2021-44228) to compromise VMware Horizon instances. Last year, Mandiant researchers documented a malware ecosystem primarily targeting VMware ESXi and vCenter servers, deployed as a malicious remote administration tool.

The most common attack vector against VMware ESXi servers is user credential theft, CrowdStrike noted. Its intelligence team also found that attackers usually gain entry to a target network through various methods and then try to obtain ESXi credentials to accomplish their ultimate goal, which in some incidents involves deploying ransomware, according to a CrowdStrike blog post.

CrowdStrike’s advice on VMware ESXi threat mitigation
Beyond VMware’s general ESXi security recommendations, CrowdStrike provided five additional recommendations, based on its findings, to protect organizations’ clusters:

1. Avoid direct access to ESXi hosts; instead, use the vSphere Client to administer ESXi hosts that are managed by a vCenter Server.
2. If direct access to ESXi is necessary, restrict it solely to a hardened jump server intended for administrative or privileged tasks, with comprehensive auditing and multi-factor authentication (MFA) enabled.
3. Ensure VMware vCenter is not exposed to the internet over secure shell (SSH) or hypertext transfer protocol (HTTP).
4. Regularly back up ESXi datastore volumes, particularly virtual machine disk images and snapshots, ensuring they are backed up daily (or more frequently if feasible), and store the backups with an offsite storage provider.
5. Threat actors may change the root password after gaining access, which can lock administrators out of the system. In situations where encryption is suspected or ongoing and it is not possible to terminate malicious processes, one option is to physically disconnect storage or cut power to the ESXi host to halt ransomware encryption, although this may result in data loss.
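As an added example (not CrowdStrike’s, VMware’s or the article’s code), the PowerCLI audit below checks the first two recommendations on every vCenter-managed host: whether lockdown mode is on, which is the ESXi setting that forces administration to go through vCenter rather than direct logins, and whether the SSH or ESXi Shell services are running or set to auto-start. It assumes VMware PowerCLI is installed and that $VCenter is your vCenter Server name; internet exposure of vCenter and backup freshness are checked by other means.

```powershell
# Added audit example; assumes VMware PowerCLI and operator-supplied credentials.
# Reports, per ESXi host managed by the given vCenter:
#   - LockdownMode: lockdownDisabled / lockdownNormal / lockdownStrict
#   - whether SSH (service key TSM-SSH) and the ESXi Shell (service key TSM)
#     are running or configured to start automatically (direct-access paths)
param(
    [Parameter(Mandatory)] [string] $VCenter
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $VCenter   # prompts for credentials

$findings = foreach ($esx in Get-VMHost | Sort-Object Name) {
    $services = Get-VMHostService -VMHost $esx
    $ssh      = $services | Where-Object Key -eq 'TSM-SSH'
    $shell    = $services | Where-Object Key -eq 'TSM'
    $lockdown = $esx.ExtensionData.Config.LockdownMode

    [pscustomobject]@{
        Host           = $esx.Name
        LockdownMode   = $lockdown
        SshRunning     = [bool]$ssh.Running
        SshAutoStart   = ($ssh.Policy -eq 'on')
        ShellRunning   = [bool]$shell.Running
        ShellAutoStart = ($shell.Policy -eq 'on')
        # Flag hosts that still allow direct administration outside vCenter
        DirectAccessRisk = ($lockdown -eq 'lockdownDisabled') -or
                           $ssh.Running -or ($ssh.Policy -eq 'on') -or
                           $shell.Running -or ($shell.Policy -eq 'on')
    }
}

$findings | Format-Table -AutoSize

# Remediation for a flagged host, run from the same session, e.g.:
#   Stop-VMHostService -HostService $ssh -Confirm:$false
#   Set-VMHostService  -HostService $ssh -Policy Off
# Lockdown mode is enabled per host in the vSphere Client
# (Configure > Security Profile); it blocks direct logins except for
# accounts on the host's exception user list.

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it on a schedule and diff the output: a host whose SSH service is suddenly running or whose lockdown mode flips to lockdownDisabled is worth an incident ticket, since the article notes credential theft followed by direct ESXi access is the usual path to ransomware deployment.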