The Week in Ransomware - February 3rd 2023 - Ending with a mess
While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers. [...]
VMware provides virtualization and cloud infrastructure software; flaws or misconfigurations can expose hosts, workloads, credentials, and management systems.
Search across headline titles and summaries.
Background for this topic.
VMware is a virtualization platform that runs multiple virtual machines on shared physical servers. Its ESXi hypervisor provides the underlying isolation, while vCenter Server centrally manages hosts, virtual machines, networks, and storage. Because these components operate beneath or across many workloads, compromise of a host or management account can expose multiple systems; virtual-machine isolation reduces risk but is not an absolute security boundary.
Security teams should treat ESXi hosts and management services as privileged infrastructure: restrict management interfaces, separate administrative networks, enforce strong authentication and role-based access, monitor administrative actions, and promptly assess security advisories and patches. Vulnerabilities in the hypervisor, management plane, or virtual networking and storage layers can enable unauthorized access, guest-to-host escape, or service disruption, depending on the flaw and configuration. Incident investigations should also account for host and vCenter logs, snapshots, templates, and backups, which can contain sensitive data or retained credentials.
While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers. [...]
Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware. [...]
A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems. [...]
Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances. [...]