A string of attacks on VMware ESXi servers were launched by the Play ransomware group, best known for its double-extortion tactics.
In a July 19 blog post, Trend Micro researchers said most of the attacks have been concentrated in the United States. The researchers explained that the ransomware will first verify if it’s running on an ESXi environment before executing and has successfully evaded security measures, such as those indicated by Virus Total.
It was the second time in as many weeks that security teams were dealing with VMware ESXi issues. It was reported last week that numerous organizations had their VMware ESXi servers persistently targeted by the SEXi ransomware operation for at least the past month under the APT INC banner.
It was also reported in April that SEXi ransomware attacks targeted ESXi servers in the infamous attack on MGM Resorts last fall, which was also noted by Tom Siu, chief information security officer at Inversion6.
"This particular [case] describes an attack pathway that relies on the initial access using stolen or compromised credentials, but could also exploit a remote vulnerability should one be discovered in the VMWare services," explained Siu.
Attackers targeting VMware ESXi environments pose a critical threat to enterprise infrastructure because of the hypervisor's central role in managing virtualized resources, added Jason Soroko, senior vice president of product at Sectigo. Soroko said compromising an ESXi server can lead to widespread disruption, as a single attack can incapacitate multiple virtual machines simultaneously, affecting core business operations and services.
“Play's double extortion tactics, which involve encrypting and exfiltrating data, increase pressure on victims to pay ransoms,” said Soroko. “The inclusion of commonly used tools for lateral movement and persistence highlights the threat's potency.“
Saumitra Das, vice president of engineering at Qualys, said that the growth in the public and virtualized cloud and its associated misconfigurations have also coincided with the growth in Linux malware. In fact, Das said malware authors are increasingly moving to platform-independent frameworks, such as using GoLang to make their malware work on different operating systems, as well as reuse the other command-and-control infrastructure around the malware.
“Linux malware is not as well studied as the Windows counterparts due their prevalence, but organizations need to pay much more attention to them as these systems become increasingly targeted by attackers,” said Das.
Patrick Tiquet, vice president, security and architecture at Keeper Security, added that the increasing popularity of cloud computing has led to a corresponding surge in VM usage, consolidating multiple applications onto a single physical server. This consolidation not only enhances operational efficiency, but also presents attackers with the opportunity to compromise a variety of services through a single breach, said Tiquet.
“As VM deployment continues to expand within cloud environments, they become even more appealing targets due to their shared resources and complex configurations,” said Tiquet. “VMWare instances, prevalent in enterprise infrastructure, are particularly attractive to attackers because of their critical role and widespread adoption. Successful breaches not only disrupt services and dole out financial losses, but can also lead to the exposure of sensitive data and violations of regulatory requirements, severely damaging an organization’s reputation.”
Tiquet added that effective protection strategies for virtualized and cloud environments extend beyond patching vulnerabilities.
Organizations must enforce rigorous network segmentation to limit lateral movement, implement strong access controls and regularly audit for vulnerabilities, he continued. Security hardening practices, such as disabling unnecessary services and employing encryption, alongside robust incident response plans and comprehensive backup strategies, are crucial defenses.
“Administrators should always ensure they’re using a secure vault and secrets management solution, and they must apply necessary patches and updates as soon as possible,” said Tiquet. “They should also check their cloud console’s security controls to ensure they’re following the latest recommendations.”
