Photo by Afif Ramdhasuma on Unsplash

ESXi ransomware attacks

New Targets

Article from ADMIN 73/2023
Files encrypted by ransomware have been the nightmare scenario of IT departments, and even specialized operating systems like the ESXi server are not immune. We look at how to mitigate risk and prepare for recovery if hypervisor protection fails.

Today, it hardly matters which operating systems are used on servers; the malware developers working in the background cover all the popular systems. Even specialist operating systems such as the VMware ESXi hypervisor have repeatedly been targeted by criminals. This article sheds light on the damage potential, pointing out ways to mitigate risk and actions to help prepare for an incident.

In many cases, you will hear about the benefits of virtualization, the added security that isolating individual machines can provide, and how easy it is to revert to previous versions at any time with snapshots. Modern ransomware and the behavior of the groups behind it have adapted to this kind of reasoning and to the technology behind it. Today, malware is installed well ahead of the actual attack. The effort defenders need to analyze a compromised infrastructure gives the attackers a clear advantage: They already know all the systems; the deployed software, including the security suites and backup applications; the login data; and the areas of responsibility of the employees and their vacation planning.

Attacks on Hypervisors

IT departments in enterprises of all sizes are attempting to fight this professionalization on the part of the criminals. Besides handling security, they are primarily responsible for the continuous operation of the infrastructure. In addition to the operating systems of the virtual machines (VMs), the hypervisors on which the VMs run have long been in the focus of attackers. Most recently, ransomware named Cheerscrypt [1] grabbed the limelight around the middle of last year. It is based on the Linux variant of the Babuk malware, attacks VMware ESXi servers through known vulnerabilities, and then encrypts the files used by VMware one after another.

In this case, the attack usually occurs by way of the hypervisor guests and a vulnerability in the hypervisor's hardware abstraction or isolation. ESXi also offers some attack vectors itself, though. Although the list of CVEs is not as long as for other software, it also includes vulnerabilities of the highest severity and the ability to execute arbitrary code in the context of the server software as a remote attacker.

Greater Potential for Damage

In contrast to attacking individual VMs, controlling the hypervisor can cause even greater damage immediately. Also, basically no malware protection products are available for ESXi on the hypervisor itself. VMware also does not think that antivirus programs are necessary on the ESXi server [2]. This attitude not only leads to inadequate protection against attacks, but also to failures in detecting successful attacks. It also follows that, from the perspective of ESXi cluster administration teams, security only plays a minor role in day-to-day operations.

Running VMs securely is usually handled by dedicated administrators who are responsible for individually protecting the operating systems used by the VMs. After all, the VMs primarily offer services over the network and are therefore naturally considered vulnerable. Unfortunately, this always leaves you one massive step behind the attackers, and when the active VMs become unreachable, the ESXi administrators need to respond.

If an ESXi hypervisor is directly affected by malware, or if even substantial parts of the active VMs are encrypted, these VMs will usually be inoperable. If you run ESXi as a cluster in your company, the other servers in the cluster and the connected storage are also affected in the event of a successful attack.

Immediate Response to Attacks

When responding to a security incident, the initial focus in administration is on getting services up and running again on the affected VMs. Depending on the dimensions of the cluster, several VMs could fail more or less simultaneously. In the best case, you will have comprehensive and secure backups and be able to have the machines themselves up and running again quickly. Whether checking and backing up the hypervisor is covered in this situation depends on an administrator's response.

To get the system up again and, in case of doubt, to ensure the survival of the enterprise, the people responsible might even consider paying ransom to the criminals. At the end of June, a public letter from IT security experts from academia and industry discussed and criticized the payment of ransom across society [3]. Although many insurance companies will pay the ransom today, some providers have already explicitly ruled out payment.

Of course, criminals are also responding to these developments and to better backup strategies in the enterprise, sometimes demanding double ransom payments: Before the data is encrypted, it is copied in plain text to the attacker's servers. Companies are then asked to pay once to be able to decrypt the encrypted data – if the criminals actually planned to do this – and again to prevent sensitive company data being published.
