
Forescout unveils latest findings on ransomware targeting VMWare ESXi servers


Forescout’s Vedere Labs has revealed its latest findings on the recent ransomware attacks targeting VMware ESXi virtualization servers. In its new threat briefing report, Vedere Labs analyzes two payloads used in these attacks, variants of the Royal and Clop ransomware, presents the tactics, techniques and procedures (TTPs) used by attackers in this campaign, discusses mitigation recommendations and lists indicators of compromise (IOCs) that can be used for detection or threat hunting.

ESXi servers have grown in popularity of late. As of February 24, 2023, there were close to 85,000 ESXi servers exposed on the internet, according to the Shodan search engine. Forescout’s Device Cloud gave researchers at Vedere Labs deeper insight into organizations deploying ESXi: more than 17,000 ESXi servers are tracked on the Device Cloud. On February 3, CERT-FR issued a warning about an attack campaign targeting VMware ESXi hypervisors vulnerable to CVE-2021-21974 with the goal of deploying ransomware.

Commenting on the latest threat report, XX from Forescout said, “As cyber threats continue to evolve and proliferate, it’s crucial for organizations to remain vigilant and proactive in their approach to cybersecurity. Forescout’s latest threat report highlights the growing threat of ransomware targeting VMware ESXi virtualization servers, which can have a devastating impact on organizations’ operations and finances. These attacks are becoming more sophisticated and are leveraging multiple attack vectors, including supply chain attacks and social engineering tactics.”

VMware ESXi is an enterprise-class hypervisor developed by VMware to deploy and serve virtual computers. It allows the same hardware to be used for multiple virtual machines (VMs), which helps organizations save on hardware and easily scale infrastructure.

Since 2022, ESXi virtualization servers have been one of the main targets of ransomware groups, with the number of attacks targeting these servers tripling between 2021 and 2022. The increasing focus on new types of targets, such as ESXi, may be seen as a response to a decline in successful ransomware attacks or total ransom payouts in 2022. Ransomware groups are ever-changing and willing to adapt to maintain or increase profitability.

Ransomware is just a part of the threat landscape for virtualized infrastructure. Beyond what is discussed in the report, there are known attacks leveraging a custom Python backdoor on ESXi servers, APTs targeting Log4shell vulnerabilities on VMware Horizon, attack tools developed specifically for ESXi and even vulnerabilities allowing attackers to break out of virtual machines and execute code on the host operating system.

The Forescout Platform provides visibility, compliance, segmentation and threat detection against ransomware on ESXi servers.
