Ransomware in a virtual environment

Several cybercriminal groups have exploited vulnerabilities in VMware ESXi to infect computers with ransomware.

Although virtualization significantly reduces some cyberthreat risks, it is no more a panacea than any other single practice. A ransomware attack can still hit virtual infrastructure, as ZDNet recently reported, for example through vulnerable versions of VMware ESXi.

Using virtual machines is generally a strong and safe practice. For example, a VM can contain the harm of an infection if it holds no sensitive data: even if the user accidentally runs a Trojan inside the virtual machine, reverting it to a clean snapshot or a fresh image discards the malicious changes. That only holds, however, while the malware stays confined to the guest. An attacker who reaches the hypervisor itself sits above every guest and has the same access to the disk files and snapshots on the datastore as the administrator does.

That is exactly what RansomExx does: it targets vulnerabilities in VMware ESXi to encrypt the virtual hard disks of the VMs hosted there. The DarkSide group is reported to use the same method, and the creators of the BabukLocker Trojan hint that their malware can encrypt ESXi hosts as well.

What are the vulnerabilities?

A VMware ESXi host runs an OpenSLP service (an implementation of the Service Location Protocol) on TCP and UDP port 427 of its management network. SLP lets management clients discover the hypervisor's services without any preconfiguration; it is a discovery protocol, not the path by which virtual machines store their data. The two vulnerabilities in question, CVE-2019-5544 and CVE-2020-3992, are both in this OpenSLP component, and both are old-timers, so they are nothing new to cybercriminals. The first is a heap overwrite (an attacker-controlled write past the end of a heap buffer); the second is a use-after-free, a bug in which the service keeps using a block of dynamic memory after releasing it. In both cases an attacker who can reach port 427 on the host can send crafted SLP messages, with no credentials, and end up executing code on the hypervisor itself.

Both vulnerabilities were closed a while ago (the first in 2019, the second in 2020; note that VMware's first fix for CVE-2020-3992 was incomplete and was reissued a few weeks later, so an ESXi build from before that reissue is still exposed), yet in 2021 criminals are still conducting successful attacks through them. As usual, that means some organizations haven't updated their software.

How malefactors exploit ESXi vulnerabilities

Attackers use the vulnerabilities to send malicious SLP requests to the hypervisor's management interface, gain code execution on the host, and from there encrypt the virtual disk files on its datastores. Before they can do that, of course, they first need to penetrate the network and gain a foothold there, which is not a huge problem, especially if the machines they land on, virtual ones included, aren't running a security solution.

To gain that foothold, RansomExx operators can, for example, exploit the Zerologon vulnerability (CVE-2020-1472, in the Netlogon Remote Protocol). The chain looks like this: they trick a user into running malicious code on a virtual machine, use Zerologon to seize control of the Active Directory domain controller, and only then reach the ESXi hosts over the management network, encrypt the storage, and leave behind a ransom note.

Incidentally, Zerologon is not the only option, just one of the most dangerous ones: exploiting it takes only a handful of Netlogon RPC calls to the domain controller, which is almost impossible to detect without dedicated monitoring of domain controller activity.

How to stay protected from attacks on ESXi

  • Update VMware ESXi to a build that contains the complete fixes for CVE-2019-5544 and CVE-2020-3992;
  • Use VMware's suggested workaround, which stops the SLP daemon and closes port 427 in the host firewall, if updating is absolutely impossible (but bear in mind that this disables SLP-based service discovery for any management tools that rely on it);
  • Patch Zerologon (CVE-2020-1472) on every domain controller as well, and make sure Netlogon secure RPC enforcement is switched on;
  • Protect all machines on the network, including virtual ones, and keep the ESXi management network reachable only from dedicated administrative hosts;
  • Use Managed Detection and Response, which can catch complex multistage attacks of this kind that are not visible to conventional antivirus solutions.
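The following script is an added example, not code from the original article or from VMware, showing how to audit and apply the SLP workaround from the second bullet on an ESXi host. The `esxcli`, `chkconfig` and `/etc/init.d/slpd` commands are the ones VMware documents for disabling SLP on ESXi; the sample command outputs embedded below are constructed here so that the parsing logic can be checked offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not VMware's or the article's own script): audit whether the
# SLP workaround is in place on an ESXi host and, if not, apply it.
# Run in the ESXi shell (SSH or DCUI) as root. The sample outputs at the
# bottom are constructed to look like the real commands' output.

# Decide from `esxcli network firewall ruleset list` output whether the CIMSLP
# ruleset (TCP/UDP 427) is still open. Prints enabled / disabled / unknown.
slp_ruleset_state() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { found = 1; if ($2 == "true") print "enabled"; else print "disabled" }
        END { if (!found) print "unknown" }'
}

# Decide from `chkconfig --list` output whether slpd is set to start at boot.
# Prints on / off / unknown.
slpd_boot_state() {
    printf '%s\n' "$1" | awk '
        $1 == "slpd" { found = 1; if ($2 == "on") print "on"; else print "off" }
        END { if (!found) print "unknown" }'
}

# Returns 0 only when both the firewall ruleset is closed and slpd will not
# come back after a reboot; a stopped daemon alone is not a durable fix.
slp_workaround_applied() {
    [ "$(slp_ruleset_state "$1")" = "disabled" ] && [ "$(slpd_boot_state "$2")" = "off" ]
}

# Apply VMware's documented workaround. Refuses to run outside the ESXi shell.
disable_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found: run this in the ESXi shell (SSH or DCUI)" >&2
        return 2
    fi
    /etc/init.d/slpd stop                               # stop the running daemon
    esxcli network firewall ruleset set -r CIMSLP -e 0  # close port 427 in the host firewall
    chkconfig slpd off                                  # keep slpd from starting at boot
}

# Audit-then-remediate entry point for a real host (not run automatically here).
audit_and_fix_slp() {
    ruleset=$(esxcli network firewall ruleset list)
    boot=$(chkconfig --list)
    if slp_workaround_applied "$ruleset" "$boot"; then
        echo "SLP workaround already applied"
    else
        echo "SLP still exposed (ruleset: $(slp_ruleset_state "$ruleset"), boot: $(slpd_boot_state "$boot")); applying workaround"
        disable_slp
    fi
}

# Constructed sample outputs, shaped like the real commands' output, so the
# parsing functions can be exercised without an ESXi host.
SAMPLE_RULESET_BEFORE='Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true
vMotion              false'

SAMPLE_RULESET_AFTER='Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               false
vMotion              false'

SAMPLE_CHKCONFIG_BEFORE='sshd                 on
slpd                 on'

SAMPLE_CHKCONFIG_AFTER='sshd                 on
slpd                 off'
```

On a live host, call `audit_and_fix_slp`; the parsing functions run in any POSIX shell, so the check half can also be pointed at outputs collected from many hosts over SSH before deciding where the workaround is still missing.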