Ransomware in a virtual environment
#1
Bug 
Quote:

Several cybercriminal groups have exploited vulnerabilities in VMware ESXi to infect computers with ransomware.

Although it significantly reduces some cyberthreat risks, virtualization is no more a panacea than any single other practice. A ransomware attack can still hit virtual infrastructure, as ZDNet reported recently, for example through vulnerable versions of VMware ESXi.

Using virtual machines is a strong and safe practice. For example, using a VM can mitigate the harm of an infection if the virtual machine holds no sensitive data. Even if the user accidentally activates a Trojan on a virtual machine, simply mounting a fresh image of the virtual machine reverses any malicious changes.

However, RansomExx ransomware specifically targets vulnerabilities in VMware ESXi to attack virtual hard disks. The Darkside group is reported to use the same method, and the creators of the BabukLocker Trojan hint at being able to encrypt ESXi.

What are the vulnerabilities?

The VMware ESXi hypervisor lets multiple virtual machines store information on a single server through Open SLP (Service Layer Protocol), which can, among other things, detect network devices without preconfiguration. The two vulnerabilities in question are CVE-2019-5544 and CVE-2020-3992, both old-timers and thus not new to cybercriminals. The first is used to carry out heap overflow attacks, and the second is of the type Use-After-Free — that is, related to the incorrect use of dynamic memory during operation.

Both vulnerabilities were closed a while ago (the first in 2019, the second in 2020), but in 2021, criminals are still conducting successful attacks through them. As usual, that means some organizations haven’t updated their software.

How malefactors exploit ESXi vulnerabilities

Attackers can use the vulnerabilities to generate malicious SLP requests and compromise data storage. To encrypt information they first need, of course, to penetrate the network and gain a foothold there. That’s not a huge problem, especially if the virtual machine isn’t running a security solution.

To get entrenched in the system, RansomExx operators can, for example, use the Zerologon vulnerability (in the Netlogon Remote Protocol). That is, they trick a user into running malicious code on the virtual machine, then seize control of the Active Directory controller, and only then encrypt the storage, leaving behind a ransom note.

Incidentally, Zerologon is not the only option, just one of the most dangerous options because its exploitation is almost impossible to detect without special services.

How to stay protected from attacks on ESXi
  • Update VMware ESXi;
  • Use VMware’s suggested workaround if updating is absolutely impossible (but bear in mind this method will limit some SLP features);
  • Update Microsoft Netlogon to patch that vulnerability as well;
  • Protect all machines on the network, including virtual ones;
  • Use Managed Detection and Response, which detects even complex multistage attacks that are not visible to conventional antivirus solutions.
...
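Added example (not part of the quoted article or the original post): a small audit helper a defender can run against captured ESXi command output to confirm that VMware's SLP workaround from the list above has actually been applied on a host. It assumes the outputs of `chkconfig --list` and `esxcli network firewall ruleset list -r CIMSLP` were collected from the host; the sample outputs embedded below are constructed for this example.

```python
"""Check whether an ESXi host has the SLP workaround applied: the slpd
service switched off AND the CIMSLP firewall ruleset (port 427) disabled.
Both sample outputs below are constructed; on a real host capture them with
`chkconfig --list` and `esxcli network firewall ruleset list -r CIMSLP`."""

# Constructed sample output of `chkconfig --list` (service name, state).
SAMPLE_CHKCONFIG = """\
SSH                     on
slpd                    off
vpxa                    on
"""

# Constructed sample output of `esxcli network firewall ruleset list -r CIMSLP`.
SAMPLE_FIREWALL = """\
Name    Enabled
------  -------
CIMSLP  false
"""


def slpd_service_state(chkconfig_output: str):
    """Return 'on'/'off' for the slpd service, or None if it is not listed."""
    for line in chkconfig_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "slpd":
            return parts[-1].lower()
    return None


def cimslp_ruleset_enabled(firewall_output: str):
    """Return True/False for the CIMSLP firewall ruleset, or None if absent."""
    for line in firewall_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "CIMSLP":
            return parts[1].lower() == "true"
    return None


def assess_slp_workaround(chkconfig_output: str, firewall_output: str) -> dict:
    """Combine both checks; the workaround counts as applied only when the
    service is off and the ruleset is disabled. Unknown states are flagged."""
    service = slpd_service_state(chkconfig_output)
    rule_enabled = cimslp_ruleset_enabled(firewall_output)
    findings = []
    if service != "off":
        findings.append("slpd service not disabled (expected: chkconfig slpd off)")
    if rule_enabled is not False:
        findings.append("CIMSLP firewall ruleset not disabled (port 427 still open)")
    return {"slpd": service, "cimslp_enabled": rule_enabled,
            "workaround_applied": not findings, "findings": findings}


if __name__ == "__main__":
    print(assess_slp_workaround(SAMPLE_CHKCONFIG, SAMPLE_FIREWALL))
```

The workaround is a stopgap: a host that passes this check still needs the ESXi update itself, and the Netlogon patch on the domain controllers closes the Zerologon foothold the article describes.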