CrowdStrike warns of rise in VMware ESXi hypervisor attacks

Targeted attacks against VMware ESXi servers are on the rise, a threat that CrowdStrike warned will likely continue.

In February, a large-scale global ransomware campaign dubbed ESXiArgs targeted thousands of vulnerable ESXi servers by exploiting two outdated vulnerabilities tracked as CVE-2020-3992 and CVE-2021-21974. In 2022, CrowdStrike and Mandiant observed separate ESXi attacks where threat actors deployed malware to main persistence on victim machines.

Now, CrowdStrike Intelligence said the problem is only getting worse. In a blog post Monday, the vendor revealed a new ransomware-as-a-service (RaaS) group it named MichaelKors has been actively targeting servers running VMware ESXi bare-metal hypervisors since April.

CrowdStrike warned other RaaS platforms such as Nevada ransomware may also be capable of targeting ESXi environments. Additionally, the vendor assessed that adversaries such as Nemesis Kitten and Prophet Spider leveraged the Log4Shell vulnerability to compromise VMware Horizon instances against a wide range of sectors and geographic regions.

A major issue for ESXi customers, CrowdStrike noted, is that the software doesn't support third-party antivirus products. Additionally, the cybersecurity vendor said threat actors are targeting known vulnerabilities in the hypervisor software.

"More and more threat actors are recognizing that the lack of security tools, lack of adequate network segmentation of ESXi interfaces and ITW [in the wild] vulnerabilities for ESXi creates a target rich environment," CrowdStrike wrote in the blog post.

Another problem is the growing number of targets. CrowdStrike emphasized that enterprises are increasingly adopting virtualization technology and migrating to the cloud.

"VMware's predominance in the field of enterprise virtualization solutions, and the routine targeting of virtualization products by targeted intrusion and eCrime actors tracked by CrowdStrike Intelligence," the blog read.

CrowdStrike isn't the only vendor to observe an increase in malicious activity against VMware ESXi hypervisors.

Last week, Alex Delamotte, senior threat researcher at SentinelOne, wrote a blog post that showed an increase in cybercriminals using Babuk builder to develop ESXi and Linux ransomware. The vendor observed 10 ransomware families have taken advantage of Babuk's leaked source code. Babuk was one of the first ransomware groups to target ESXi, according to the SentinelOne report.

CrowdStrike said VMware virtual infrastructure products such as Horizon and ESXi hypervisors, which allow organizations to host multiple VMs at once, are popular targets because of how crucial such software is to an organization's IT infrastructure virtualization and management system.

To gain VM access, CrowdStrike said credential theft is the most straightforward attack vector against an ESXi hypervisor. If the attacker reaches the SSH console, arbitrary code be executed directly, even on the most recent ESXi versions, the blog post warned. Disabling SSH access was one recommendation made in February when ESXiArgs attacks escalated.

"Furthermore, incidents observed by CrowdStrike Intelligence demonstrate that attackers typically gain access to a target network by other means and then attempt to collect ESXi credentials to achieve the final objective, such as deploying ransomware; in all these cases, the obtained credentials were sufficiently privileged to directly execute arbitrary code," the blog read.

In another attack, CrowdStrike said it has also observed adversaries gaining initial access to the vCenter server management software using either valid accounts or by exploiting remote code execution vulnerabilities such as CVE-2021-21985. While VMware did address the flaws, CrowdStrike said those services should not be exposed to the internet over HTTP or SSH to mitigate risk.

Other recommendations to protect against increasing attacks included avoiding direct access to ESXi hosts and maintaining sufficient backups.

Arielle Waldman is a Boston-based reporter covering enterprise security news.