Skip to main content
close search
site logo

VMware’s ‘target-rich environment’ is growing more volatile, CrowdStrike warns

Ransomware groups continue to target VMware because they know the virtualization infrastructure is vulnerable and lacks security tools, threat researchers said.

Published May 16, 2023
Matt Kapko's headshot
Senior Reporter
VMware booth at RSA Conference on April 27, 2023 in San Francisco.
VMware booth at RSA Conference on April 27, 2023 in San Francisco. Matt Kapko/Cybersecurity Dive

Organizations using VMware-based virtualization infrastructure, specifically ESXi and associated products, are confronting a deluge of attacks. More threat actors are coalescing their efforts around the widely used products to initiate ransomware attacks, CrowdStrike Intelligence said Monday.

“More and more threat actors are recognizing that the lack of security tools, lack of adequate network segmentation of ESXi interfaces, and in the wild vulnerabilities for ESXi create a target-rich environment,” CrowdStrike researchers wrote in the hypervisor jackpotting update.

These factors allow threat actors to “quickly hamper, disrupt and gain leverage to force organizations to consider paying a ransom or extortion demand to get their virtual machines up and running again,” a CrowdStrike spokesperson said via email.

VMware’s hypervisor infrastructure is found throughout enterprise and government. VMware, which is awaiting regulatory approval on Broadcom’s proposed $61 billion acquisition of the company, commands 71% of the global market for virtualization infrastructure software with more than 500,000 customers and $6 billion in revenue in 2022, according to Gartner.

VMware’s virtualization product line is often a crucial component of an organization’s IT infrastructure and management system, CrowdStrike researchers noted in the report.

VMware products such as ESXi, vCenter, ONE Access and Horizon are used by organizations to host hundreds of virtual machines that run critical applications such as Active Directory and business operations systems.

“Given the popularity of VMware products and the continuous adoption of cloud infrastructure, this problem appears to be getting worse,” the CrowdStrike spokesperson said.

Hypervisor jackpotting has become a dominant trend, according to CrowdStrike, because virtual infrastructure allows threat actors to multiply the impact of a single compromise and subvert the insufficient detection and prevention mechanisms in these components.

“The larger issue at play is that there is currently no solution out there to help with the threat. Threat actors continue to target VMware as they know that the ESXi environment is vulnerable and without remedy at the moment,” the spokesperson said.

Threat intelligence researchers at CrowdStrike identified a new ransomware as a service platform, dubbed MichaelKors, that provides affiliates with ransomware binaries targeting ESXi servers running on Windows and Linux.

CrowdStrike has also tracked threat actors using ransomware as a service platforms ALPHV — also known as BlackCat — LockBit and Defray to target ESXi.

Threat actors are actively exploiting several known vulnerabilities in ESXi, according to CrowdStrike. Attack vectors include credential theft and virtual machine access.

Unpatched VMware vulnerabilities pose persistent risk

CrowdStrike is one of many threat intelligence firms warning businesses about the risks lurking in unpatched VMware hypervisor infrastructure. Recorded Future in February said it tracked a surge in ransomware attacks targeting VMware ESXi before a ransomware spree dubbed ESXiArgs compromised thousands of virtual machines.

Recorded Future identified only two ransomware attacks against ESXi in 2020, but observed more than 400 ransomware attacks in 2021 and 1,118 attacks in 2022.

The heightened rate of attacks extends to other active exploits that prompted cyber authorities to issue a joint advisory about unpatched Log4Shell in VMware Horizon and Unified Access Gateway servers in June 2022.

“As the CrowdStrike report mentions, ransomware operators gain initial access by exploiting known vulnerabilities in unpatched software and other security hygiene gaps,” a VMware spokesperson said via email. “Customers should understand that endpoint detection and response and antivirus solutions are not a substitution for core security practices such as patching known vulnerabilities.”

VMware referenced previous reports indicating ransomware operators were targeting products with unpatched vulnerabilities that were addressed and disclosed at least two to three years ago in security advisories.

Editors' picks

Company Announcements

View all | Post a press release
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell