Hypervisors and Ransomware: Defending Attractive Targets


With every step towards better cyber defense, malicious attackers counter with new tactics, techniques and procedures. It’s not like the attackers are going to say, “All right, you made it too tough for us this time; we’re checking out.” That is not happening.

Increased use of virtualization comes with both operational efficiencies and abilities to deploy a sound resilience strategy specifically related to recovery. With solid backup and restoration methods and disaster recovery planning, spinning up some images and backups can be relatively easy when needed. Done well, they facilitate quick recovery with minimal impact and disruption.

But when an organization employs virtualization, the underlying infrastructure that powers all of that, such as the hypervisor, also becomes a prime target.

One of the Most Attractive Targets

Knocking out the foundation can create chaos. And malicious actors are taking advantage of emotive responses, particularly during ransomware attacks, to leverage the chaos of having a major component under their control.

The most basic take on why hypervisors are attractive targets can be attributed to poor patching. But patching alone is only part of the picture. Hypervisors are generally complex products requiring management, maintenance and, of course, labor to provide oversight. With a cybersecurity labor shortage still present, malicious actors get to operate in a target-rich environment where people are not present to manage security controls, oversee programs and actually deploy patches.

Furthermore, hypervisor management and especially upgrades are not necessarily cheap or easy to implement. Changing products could be part of a larger uplift or digital transformation project. Product life cycles matter. Many experts, especially in the incident response space, may have nightmares due to out-of-date products.

When foundational products reach end-of-life cycles, support is no longer available. But older products are still in use, meaning that a malicious actor does not necessarily need some zero-day or new vulnerability to get to you. Rather, they will just use the library of old ones.

So, just between talent shortages and capital investments, an organization has two business-related issues which have downstream security implications. All the more reason why information security leaders need a healthy mix of technical experience, business acumen and the ability to be a people manager.

Finally, hypervisors are attractive targets because they offer a gateway into other areas of the IT estate. Get into one hypervisor and, depending on configuration, a malicious actor may find themselves moving laterally across multiple virtual machines with little additional effort. With the correct credentials and privileges, attackers can unleash mass infection in a short time span.

Read the Ransomware Guide  

Focus on Basics to Defend

Apart from the challenges addressed above, recent attacks demonstrate how quickly attacks can happen. Once an account is broken into, a small script, just kilobytes in length, can take command and control of the virtual machine. Surely, attackers are performing reconnaissance, looking for users with domain access credentials or active shells that can be exploited. Once in, an attacker will take a peek around, see what else they have access to, and be off to encrypting drives and making ransom demands. A hypervisor hosting a multi-tenant environment can make an attacker salivate.

These attacks can be easy when some basics are not followed. For example:

  • Are privileges appropriate to the user? Never forget the competing dynamic between efficiency and security. These concepts are generally in opposition to each other. While it may be more efficient for a user to have additional privileges, risk is taken on fostering insecurity.
  • Is unnecessary functionality still open? This seems simple enough to address, but has somebody actually gone through the process of locking down applications, ports and all that other fun stuff we keep on hearing over and over again? And maybe somebody is trying to do it, but said individual is burning the candle at both ends due to the aforementioned labor issue.
  • Is authentication too easy? Whether it is multi-factor authentication or some other type of authentication control, if it is too easy to authenticate, the attacker has an easier way in.
  • Are audits happening? If there is no regular review of who has escalated privileges into domain controllers, there may be an unwanted guest in the network. An attacker may be sitting quietly, waiting for the right time to pounce.
  • Is there a presence of segmentation? This one is easy: We stated the attacker has a target-rich environment; do not make it easier for them. Segmentation and segregating data and application types, based on criticality and classifications, can limit the blast area.

Many of the issues listed above can be addressed by relatively simple solutions; the difficulty is actually doing them. In addition to the above, most of the solutions come in the form of rules and controls, such as:

  • Restricting remote access on the hypervisor
  • Sealing up open ports
  • Tightening up authentication methods on administrator accounts
  • Limiting root access
  • Establishing and activating lockdown and lockout rules.

It’s Not Hard, but it’s Laborious and Requires Tough Decisions

If you read the above and feel all this seems pretty straightforward, well, it is. It is not about the need, but rather, it is about the need behind the need. It’s not about needing to patch; you know that. It’s needing the resources to stand up and run a patch management program, whether in-house or through a vendor.

Additionally, it’s not about needing to update your end-of-life products. It’s needing leadership buy-in on why the investment to upgrade is necessary.

See the issue?

Since hypervisors are attractive targets, information security leaders should not only prioritize their security but emphasize its importance to others. Outline risks if the appropriate resources are not in place. This is where business acumen and people management skills make magic happen.

The post Hypervisors and Ransomware: Defending Attractive Targets appeared first on Security Intelligence.