New MichaelKors Ransomware Takes Aim at Linux and VMware ESXi

by | May 16, 2023 | News


MichaelKors Ransomware Targets VMware ESXi Hypervisors

A recently discovered ransomware-as-a-service (RaaS) operation named MichaelKors has emerged as the latest file-encrypting malware targeting Linux and VMware ESXi systems since April 2023, according to a report by cybersecurity firm CrowdStrike.

This development signifies a growing trend of cybercriminal actors shifting their focus to ESXi, a widely used virtualization and management system. Notably, VMware ESXi does not natively support third-party agents or antivirus software, making it an appealing target for modern adversaries.

The tactic employed to deploy ransomware on VMware ESXi hypervisors, known as hypervisor jackpotting, has been employed by various ransomware groups, including Royal. Furthermore, recent analysis from SentinelOne revealed that ten different ransomware families, such as Conti and REvil, have leveraged leaked Babuk source code to develop lockers specifically designed for VMware ESXi hypervisors.


VMware ESXi Hypervisors Draw Attackers with Unrestricted Access and Rich Target Potential

The attractiveness of targeting VMware ESXi hypervisors stems from the fact that the software runs directly on physical servers, providing potential attackers with the ability to execute malicious ELF binaries and gain unrestricted access to the underlying resources of the machine.

To breach ESXi hypervisors, attackers typically employ compromised credentials to gain elevated privileges, allowing them to traverse the network laterally or exploit known vulnerabilities to break free from the confines of the environment.

CrowdStrike highlights that the absence of security tools, insufficient network segmentation, and the existence of in-the-wild vulnerabilities create a target-rich environment for threat actors. This concern grows as organizations increasingly migrate workloads and infrastructure to cloud environments built on VMware hypervisors.

In response to hypervisor jackpotting, organizations are advised to mitigate the impact by avoiding direct access to ESXi hosts, enabling two-factor authentication, regularly backing up ESXi datastore volumes, applying security updates, and conducting comprehensive security posture reviews.

In a recent update shared on May 15, 2023, VMware acknowledged that the knowledge base article referenced earlier is outdated and should be considered deprecated. The company intends to provide current information in a future update.


Source: thehackernews.com
