A new ransomware-as-a-service (RaaS) operation called MichaelKors has emerged, targeting Linux and VMware ESXi systems as of April 2023.
Cybersecurity firm CrowdStrike reported on this trend, highlighting the increasing interest of cybercriminals in ESXi, despite its lack of support for third-party agents or antivirus software. The popularity of ESXi as a virtualization and management system makes it an attractive target for adversaries, leading to a technique known as hypervisor jackpotting.
Several ransomware groups, including Royal, have employed this approach, and leaked Babuk source code has been used by 10 different ransomware families to develop lockers for VMware ESXi hypervisors.
VMware ESXi hypervisors are appealing targets because they run directly on physical servers, allowing attackers to execute malicious ELF binaries and gain full access to underlying resources.
Attackers commonly breach ESXi hypervisors with compromised credentials and elevated privileges, then move laterally or exploit known vulnerabilities to fulfill their objectives.
VMware’s stance on antivirus software not being required with the vSphere Hypervisor further adds to the attractiveness of targeting ESXi. In addition to ransomware actors, a Chinese nation-state group using backdoors named VIRTUALPITA and VIRTUALPIE has also targeted VMware ESXi servers.
To mitigate the risk of hypervisor jackpotting, organizations are advised to avoid direct access to ESXi hosts, enable two-factor authentication, regularly back up ESXi datastore volumes, apply security updates, and conduct security posture reviews.
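As an added example of the posture review recommended above (not CrowdStrike's or VMware's code), the following script checks three host-level controls from the text output of standard ESXi commands; the esxcli and vim-cmd command names and column layouts are assumed from ESXi 7.x, and the embedded sample outputs are constructed so the script runs offline.

```shell
#!/bin/sh
# ESXi posture-review helper for three of the controls behind the article's
# advice: no direct shell access to hosts, signed-binaries-only execution, and
# lockdown mode. Added example, not CrowdStrike's or VMware's code. Command
# names and column layouts are assumed from ESXi 7.x; confirm them on your build.
#
# Each check_* function reads the text output of one ESXi command from $1 and
# returns 0 (PASS) or 1 (FAIL); on a live host you would call, for example:
#   check_ssh_disabled "$(esxcli network firewall ruleset list)"
# An enabled sshServer ruleset means interactive SSH to the hypervisor is open.
check_ssh_disabled() {
    printf '%s\n' "$1" | awk '$1 == "sshServer" && tolower($2) == "true" { on = 1 }
                              END { exit (on ? 1 : 0) }'
}

# execInstalledOnly=TRUE makes the kernel refuse binaries not installed from a
# signed VIB, which blocks dropped ELF lockers. $4 is the Runtime column.
check_exec_installed_only() {
    printf '%s\n' "$1" | awk '$1 == "execInstalledOnly" { v = toupper($4) }
                              END { exit ((v == "TRUE") ? 0 : 1) }'
}

# Lockdown mode forces administration through vCenter rather than the host.
check_lockdown() {   # input: output of vim-cmd vimsvc/auth/lockdown_is_enabled
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "true" ]
}

verdict() {   # verdict LABEL CHECK_FUNC COMMAND_OUTPUT -> prints PASS/FAIL
    if "$2" "$3"; then printf 'PASS  %s\n' "$1"; else printf 'FAIL  %s\n' "$1"; return 1; fi
}

# Constructed sample outputs, as a not-yet-hardened host might return them.
SAMPLE_FW='Name       Enabled
---------  -------
sshServer  true
sshClient  false'
SAMPLE_KERNEL='Name               Type  Configured  Runtime  Default  Description
-----------------  ----  ----------  -------  -------  -----------
execInstalledOnly  Bool  FALSE       FALSE    FALSE    Only run installed binaries'
SAMPLE_LOCKDOWN='false'

posture_review() {   # exit status = number of failed checks
    fails=0
    verdict "SSH service disabled"       check_ssh_disabled        "$SAMPLE_FW"       || fails=$((fails + 1))
    verdict "execInstalledOnly enforced" check_exec_installed_only "$SAMPLE_KERNEL"   || fails=$((fails + 1))
    verdict "Lockdown mode enabled"      check_lockdown            "$SAMPLE_LOCKDOWN" || fails=$((fails + 1))
    return "$fails"
}
if posture_review; then echo "all checks passed"; else echo "$? check(s) failed"; fi
```

On a real host, replace the SAMPLE_* values with the live command output, or feed each check directly as shown in the header comment.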
As more organizations move their workloads and infrastructure to cloud environments built on the VMware hypervisor, adversaries' targeting of VMware-based virtualization infrastructure is a significant concern.
CrowdStrike emphasized the need for organizations to remain vigilant and adopt robust security measures to protect their virtualized environments.