Ransomware operators are exploiting VMware ESXi flaws

The 'Carbon Spider' and 'Sprite Spider' gangs have compromised vCenter credentials to attack enterprise systems

Two ransomware strains have retooled to exploit vulnerabilities in the VMware ESXi hypervisor system publicised last week and encrypt virtual machines (VMs).

The company patched three critical flaws across its virtualisation products last week. These included a heap buffer overflow bug in the ESXi bare-metal hypervisor, as well as a flaw that could have allowed hackers to execute commands on the underlying operating system that hosts the vCenter Server.

Researchers with CrowdStrike have since learned that two groups, known as 'Carbon Spider' and 'Sprite Spider', have updated their weapons to target the ESXi hypervisor specifically in the wake of these revelations. These groups have historically targeted Windows systems, as opposed to Linux installations, in large-scale ransomware campaigns also known as big game hunting (BGH).

The attacks have been successful, with affected victims including organisations that have used virtualisation to host many of their corporate systems on just a few ESXi servers. The nature of ESXi means these served as a “virtual jackpot” for hackers, as they were able to compromise a wide variety of enterprise systems with relatively little effort.

This follows news that cyber criminals last week were actively scanning for vulnerable businesses with unpatched VMware vCenter servers, only days after VMware issued fixes for the three flaws.

“By deploying ransomware on ESXi, Sprite Spider and Carbon Spider likely intend to impose greater harm on victims than could be achieved by their respective Windows ransomware families alone,” said CrowdStrike researchers Eric Loui and Sergei Frankoff. 

“Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations.

“If these ransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to target virtualization infrastructure in the medium term.”

Sprite Spider has conventionally launched low-volume BGH campaigns using the Defray777 strain, first attempting to compromise domain controllers before exfiltrating victim data and encrypting files. 

Carbon Spider, meanwhile, has traditionally targeted companies operating point-of-sale (POS) devices, with initial access granted through phishing campaigns. The group abruptly shifted its operational model in April last year, however, to instead undertake broad and opportunistic attacks against large numbers of victims. It launched its own strain, dubbed Darkside, in August 2020.

Related Resource

How to improve cyber security for remote working

13 recommendations for security from any location

How to improve cyber security for remote working - whitepaper from MimecastDownload now

Both strains have compromised ESXI systems by harvesting credentials that can be used to authenticate to the vCenter web interface, which is a centralised server admin tool that can control multiple ESXi devices. 

After connecting to vCenter, Sprite Spider enables SSH to allow persistent access to ESXi devices, and in some cases changes the root password or the host’s SSH keys. Carbon Spider, meanwhile, accesses vCenter using legitimate credentials but also logged in over SSH using the Plink tool to drop its Darkside ransomware.

"In line with VMware's commitment to responsible disclosure, we issued a public security advisory with a fix and workaround for a security issue that was privately reported to us in order to help our customers stay safe," a VMware spokesperson told IT Pro

"As a matter of best practice, VMware always encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment and deploy our products in a security hardened configuration."

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Researchers disclose top flaws abused by ransomware gangs
ransomware

Researchers disclose top flaws abused by ransomware gangs

20 Sep 2021
One-in-seven Nasdaq-100 companies ranked as highly susceptible to a ransomware attack
cyber crime

One-in-seven Nasdaq-100 companies ranked as highly susceptible to a ransomware attack

16 Sep 2021
Large US businesses are hackers' ideal ransomware targets
ransomware

Large US businesses are hackers' ideal ransomware targets

7 Sep 2021
Criminals caught trying to recruit insiders to plant ransomware
ransomware

Criminals caught trying to recruit insiders to plant ransomware

20 Aug 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021