New MichaelKors Ransomware Takes Aim at Linux and VMware ESXi
MichaelKors Ransomware Targets VMware ESXi Hypervisors
A recently discovered ransomware-as-a-service (RaaS) operation named MichaelKors has emerged as the latest file-encrypting malware targeting Linux and VMware ESXi systems since April 2023, according to a report by cybersecurity firm CrowdStrike.
This development signifies a growing trend of cybercriminal actors shifting their focus to ESXi, a widely used virtualization and management system. Notably, VMware ESXi does not natively support third-party agents or antivirus software, making it an appealing target for modern adversaries.
The tactic employed to deploy ransomware on VMware ESXi hypervisors, known as hypervisor jackpotting, has been employed by various ransomware groups, including Royal. Furthermore, recent analysis from SentinelOne revealed that ten different ransomware families, such as Conti and REvil, have leveraged leaked Babuk source code to develop lockers specifically designed for VMware ESXi hypervisors.
VMware ESXi Hypervisors Draw Attackers with Unrestricted Access and Rich Target Potential
The attractiveness of targeting VMware ESXi hypervisors stems from the fact that the software runs directly on physical servers, providing potential attackers with the ability to execute malicious ELF binaries and gain unrestricted access to the underlying resources of the machine.
To breach ESXi hypervisors, attackers typically employ compromised credentials to gain elevated privileges, allowing them to traverse the network laterally or exploit known vulnerabilities to break free from the confines of the environment.
CrowdStrike highlights that the absence of security tools, insufficient network segmentation, and the existence of in-the-wild vulnerabilities create a target-rich environment for threat actors. The concern grows as organizations increasingly migrate workloads and infrastructure to cloud environments built on VMware hypervisors.
In response to hypervisor jackpotting, organizations are advised to mitigate the impact by avoiding direct access to ESXi hosts, enabling two-factor authentication, regularly backing up ESXi datastore volumes, applying security updates, and conducting comprehensive security posture reviews.
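The following is an added example, not code from the article, CrowdStrike or VMware: a POSIX shell audit that turns the first recommendation above (no direct access to ESXi hosts) into checks a defender can run on a host. It assumes the standard ESXi commands `/etc/init.d/SSH status`, `/etc/init.d/ESXShell status`, `vim-cmd vimsvc/auth/lockdown_is_enabled` and `esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut`; the timeout threshold and the sample outputs at the bottom are constructed so the logic can be exercised off-host.

```shell
#!/bin/sh
# Hypothetical ESXi direct-access audit (added example). Each check takes the
# raw text output of an ESXi command as an argument, so it can be tested with
# constructed strings and fed live output on a real host.

# "/etc/init.d/SSH status" or "/etc/init.d/ESXShell status" prints
# "<svc> is running" / "<svc> is not running". Pass only when stopped.
service_stopped() {
    case "$1" in
        *"is not running"*) return 0 ;;
        *) return 1 ;;
    esac
}

# "vim-cmd vimsvc/auth/lockdown_is_enabled" prints "true" or "false".
lockdown_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "true" ]
}

# "esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut" prints
# key/value lines; "Int Value" is the idle timeout in seconds, 0 = never.
# Pass when it is set and no longer than $2 seconds (constructed default 900).
shell_timeout_ok() {
    v=$(printf '%s\n' "$1" | sed -n 's/^ *Int Value: *\([0-9]*\).*/\1/p' | head -n 1)
    limit=${2:-900}
    [ -n "$v" ] && [ "$v" -gt 0 ] && [ "$v" -le "$limit" ]
}

# Run every check, print one line per finding, return the number of failures.
audit() {
    fails=0
    service_stopped "$1" || { echo "FAIL: SSH service is running"; fails=$((fails+1)); }
    service_stopped "$2" || { echo "FAIL: ESXi Shell is running"; fails=$((fails+1)); }
    lockdown_enabled "$3" || { echo "FAIL: lockdown mode is disabled"; fails=$((fails+1)); }
    shell_timeout_ok "$4" || { echo "FAIL: ESXiShellTimeOut unset or too long"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample outputs: a host with SSH left on, lockdown off, no timeout.
SAMPLE_SSH="SSH is running"
SAMPLE_SHELL="ESXShell is not running"
SAMPLE_LOCKDOWN="false"
SAMPLE_TIMEOUT="   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0"

# On a real host pass live output instead, e.g. audit "$(/etc/init.d/SSH status)" ...
audit "$SAMPLE_SSH" "$SAMPLE_SHELL" "$SAMPLE_LOCKDOWN" "$SAMPLE_TIMEOUT" || echo "$? check(s) failed"
```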
In a recent update shared on May 15, 2023, VMware acknowledged that the knowledge base article referenced earlier is outdated and should be considered deprecated. The company intends to provide current information in a future update.
Source: thehackernews.com