Ransomware operators are exploiting VMware ESXi flaws

The 'Carbon Spider' and 'Sprite Spider' gangs have compromised vCenter credentials to attack enterprise systems

Two ransomware strains have retooled to exploit vulnerabilities in the VMware ESXi hypervisor system publicised last week and encrypt virtual machines (VMs).

The company patched three critical flaws across its virtualisation products last week. These included a heap buffer overflow bug in the ESXi bare-metal hypervisor, as well as a flaw that could have allowed hackers to execute commands on the underlying operating system that hosts the vCenter Server.

Researchers with CrowdStrike have since learned that two groups, known as 'Carbon Spider' and 'Sprite Spider', have updated their weapons to target the ESXi hypervisor specifically in the wake of these revelations. These groups have historically targeted Windows systems, as opposed to Linux installations, in large-scale ransomware campaigns also known as big game hunting (BGH).

The attacks have been successful, with affected victims including organisations that have used virtualisation to host many of their corporate systems on just a few ESXi servers. The nature of ESXi means these served as a “virtual jackpot” for hackers, as they were able to compromise a wide variety of enterprise systems with relatively little effort.

This follows news that cyber criminals last week were actively scanning for vulnerable businesses with unpatched VMware vCenter servers, only days after VMware issued fixes for the three flaws.

“By deploying ransomware on ESXi, Sprite Spider and Carbon Spider likely intend to impose greater harm on victims than could be achieved by their respective Windows ransomware families alone,” said CrowdStrike researchers Eric Loui and Sergei Frankoff. 

“Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations.

“If these ransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to target virtualization infrastructure in the medium term.”

Sprite Spider has conventionally launched low-volume BGH campaigns using the Defray777 strain, first attempting to compromise domain controllers before exfiltrating victim data and encrypting files. 

Carbon Spider, meanwhile, has traditionally targeted companies operating point-of-sale (POS) devices, with initial access granted through phishing campaigns. The group abruptly shifted its operational model in April last year, however, to instead undertake broad and opportunistic attacks against large numbers of victims. It launched its own strain, dubbed Darkside, in August 2020.

Related Resource

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Both strains have compromised ESXI systems by harvesting credentials that can be used to authenticate to the vCenter web interface, which is a centralised server admin tool that can control multiple ESXi devices. 

After connecting to vCenter, Sprite Spider enables SSH to allow persistent access to ESXi devices, and in some cases changes the root password or the host’s SSH keys. Carbon Spider, meanwhile, accesses vCenter using legitimate credentials but also logged in over SSH using the Plink tool to drop its Darkside ransomware.

"In line with VMware's commitment to responsible disclosure, we issued a public security advisory with a fix and workaround for a security issue that was privately reported to us in order to help our customers stay safe," a VMware spokesperson told IT Pro

"As a matter of best practice, VMware always encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment and deploy our products in a security hardened configuration."

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

9 Apr 2021
Hackers leak data from dark web marketplace
cyber security

Hackers leak data from dark web marketplace

9 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
Hackers sell $38 million in gift cards on Russian marketplace
hacking

Hackers sell $38 million in gift cards on Russian marketplace

7 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021