Virtualization can provide a host of benefits for organizations including reduced hardware costs, centralized management, scalability, etc. However, securing your virtualized infrastructure is just as important as securing your physical devices, and the threats made against your virtual machines can be just as dangerous as those made against your physical ones. As virtualization becomes more commonplace so do the attacks associated with it, and the recent attacks made against VMware's ESXi hypervisor must be addressed.
ESXiArgs Ransomware - Incident Summary
From 2021 to 2022 attacks made against the ESXi hypervisor increased several fold. The vulnerabilities found in the software were exploited by multiple big name ransomware groups including Lockbit and AlphaV. On February 6, 2023 VMware published a statement regarding the recent reports of ransomware attacks made against the virtualization tool. The point of their statement was to ensure clients that the exploits used to conduct these attacks was not due to a zero day vulnerability, but rather out-of-date products being targeted with "known vulnerabilities" previously addressed by the company.
"VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks. Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)."
VMware advises customers to upgrade to the latest versions of their products including the latest vSphere components to ensure they are secured against vulnerabilities found in previous versions.
CorpInfoTech works with clients using the ESXi hypervisor in their virtual infrastructure, thus it was important we respond to the recent reports of vulnerabilities found in the software. Within 24 hours of the VMware Security Response Center announcing the occurrence of attacks made against the ESXi hypervisor, CorpInfoTech evaluated the security posture of all our managed services clients to find any unpatched or vulnerable systems within their IT infrastructure.
CorpInfoTech, as a routine course of action, maintains the security posture and applies security patches to all of our managed services clients. However, due to the severity of this disruption CorpInfoTech made it a point to perform a server by server validation of our clients in relation to the ESXiArgs ransomware threat. Because this ransomware strain posed a threat to all virtual machines in a given environment, it was important to check each machine for signs of vulnerability. Where previous patching of software was not possible due to hardware or operational limitations, CorpInfoTech took the steps to apply mitigating controls against the attack vector and initial compromise used by EXSiArgs ransomware.
On February 13th, 2023, a second strain was discovered. Despite the attack vector of the new strain being largely similar to that of the original strain, CorpInfoTech committed to scanning and validating each host within our managed clients to ensure they were not vulnerable to attack.
CorpInfoTech's managed service offering provides full support and patches of all of your organizations virtual and physical infrastructure. We ensure that wherever your data is located, it is secure. If your organization needs help responding to the recent ESXiArgs ransomware events, contact CorpInfoTech today!
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.