If you think virtualization can save you from cyber threats? Think again! Cybercriminals can Exploit Vulnerabilities in VMware ESXi. The ESXi ransomware was first seen earlier in October via a Reddit post. It is wise to go for virtual servers as they have no sensitive data. which means minimal damage in case of infection.
Chances of the massive breakdown of your resources would be minimized even if a user accidentally activated a Trojan on a virtual machine. As it would be relatively easier to create a new virtual machine using the image files to undo the effects of the malicious attack.
According to Kaspersky researchers, RansomExx ransomware the vulnerabilities present in VMware ESXi specifically target virtual hard drives.
ZDNet reported earlier how the Darkside group abusing VMWare ESXi exploits to encrypt virtual hard disks. Just goes to show how capable hackers are of encrypting ESXi.
What is the VMware ESXi Vulnerabilities?
You are able to connect a number of virtual machines to save information on a single server using the Open Service Layer Protocol (SLP) on the VMware ESXi hypervisor. It helps you discover network devices without pre-configuration.
Talking about the vulnerabilities, it has two
How cybercriminals are exploiting these vulnerabilities?
The cybercriminals exploit the vulnerabilities to generate malicious SLP requests and compromise data rescue. To achieve this they have to first enter the network and reside there which is the easy part as there are no security resources present on the virtual machine.
The bad actors use vulnerabilities like the Zerologon vulnerability present inside the Netlogon remote protocol to consolidate their presence in the system. This tricks the user to start the malicious code on the virtual machine, unintentionally giving control of the Active Directory controller to the hackers. They encrypt the memory and send you the ransom note.
There are a number of other options other than Zerologon that cybercriminals have. But it is the only most dangerous option and is literally impossible to detect unless you have specific tools.
How to stay clear of Esxi?
- Update VMware ESXi.
- If you cannot update, follow the workaround suggested by Mware.
- Update Microsoft Netlogon to fix its vulnerability.
- Protect all devices on the network, including virtual machines.
- Take advantage of Managed Detection and Response solution, which detects even the most complex multiphase attacks that are not detected by conventional antivirus solutions.