CyberCube's Event Briefing: ESXiArgs attack on VMware

Written by The CyberCube Team | May 14, 2023 11:00:00 PM
Video transcript

CyberCube has recently published a new report looking at the VMware ransomware trends that are affecting companies across the globe. I'm Yvette Essen, Head of Content, Communications, and Creative for CyberCube, and I'm joined today in the studio by William Altman. William is the author of the report; he is Cyber Threat Intelligence Principal at CyberCube and heads up Concierge, our cyber threat intelligence service.

Yvette Essen:
"William, thank you for joining me."

William Altman:
"Thank you so much for having me today, Yvette. I'm really excited to talk about this topic. It’s an ongoing event, as you mentioned, so we're not only trying to show people what has happened but also actively warning our clients to take proactive actions using our technology and data to help prepare for this event. We can talk more about that, but it’s worth noting that this is an ongoing situation. Across the entire cyber insurance landscape—from brokers to underwriters to reinsurers—there are actions to take and lessons to be learned."

Yvette Essen:
"William, I'm certainly looking forward to hearing the advice you have for insurers and the brokers' community. But perhaps you could start by setting the scene. When did this all begin, and what exactly do we know to date?"

William Altman:
"Yes, Yvette, it all really started around February 3rd and has evolved over the course of two weeks. We saw an initial response from the French and Italian Computer Emergency Response Teams, warning the world that an active ransomware campaign was targeting VMware ESXi hypervisor technologies that are outdated and vulnerable across the globe.

So, what does this mean? We have a group of threat actors using a two-year-old known vulnerability in widely used software to automate the delivery of ransomware onto vulnerable servers worldwide. These servers are critical cloud infrastructure, and when they are encrypted, it’s not just the server that’s affected. Because of what these servers do, they can encrypt up to 120 different virtual machines, greatly impacting the number of entities affected.

To date, we’ve seen just over 2,000 servers encrypted globally, each with up to 120 different machines. So, we’re looking at a lot of victims. Thousands of devices have been encrypted worldwide, and the threat actors are continuing to innovate and improve their code to bypass defenses that have emerged in response to this attack. As I mentioned, it’s still ongoing. Overall, we could see up to 70,000 vulnerable VMware hypervisors. The threat actors may only hit a fraction of that, but it demonstrates the increasing innovation and capabilities of threat actors that we’re now facing as an insurance community and as part of the cybersecurity and defense ecosystem.

We’re now able to say that threat actors have the capability to target critical cloud resources, encrypt data on cloud servers, and actually receive ransoms from this activity. This represents a seismic shift in threat actor capability and intent behind these ransomware attacks."

Yvette Essen:
"When did we last see something on this scale, or are there previous events that give us an indication of how this might unfold?"

William Altman:
"The most readily available comparison would be the Kaseya VSA attacks. In that incident, threat actors broke into a managed service provider and were able to drop ransomware onto the networks of that MSP's clients. We saw somewhere between 1,000 and 1,500 different companies impacted. Already, we know that the VMware ESXi ransomware campaign will surpass that in terms of the total volume of entities and devices affected or encrypted.

However, whether the threat actors can monetize this type of activity is a whole other element of this attack. In the Kaseya incident, the threat actors were unable to monetize the attack at scale. They’re doing better this time around in the ESXi attack, but they still haven’t fully managed to provision decryption keys and receive ransoms at scale. So, while this attack is devastating for many victims, it’s not as bad as it could be. We expect to see more of this type of activity in the future as threat actors learn how to better monetize these kinds of attacks.

It also points to the increasing focus on the 'one-to-many' attack strategy, where threat actors target one entity that provides access to many downstream targets. That’s what we’re seeing in this event as well."

Yvette Essen:
"With all this activity taking place, we've published a report and a press release discussing the kinds of companies that could be impacted and the sectors at risk. Could you elaborate on that? How do we construct such a target list?"

William Altman:
"Absolutely. This really ties into the actions that CyberCube clients can take based on our data, analytics, and services in light of this event. First and foremost, how do you know if companies in your portfolio are vulnerable to this attack? For companies to be vulnerable, they must either have an internet-facing ESXi hypervisor with the specific software that has the known vulnerabilities for this attack, or they must rely on a cloud services provider that uses this technology to provision services to their customers.

Both types of entities are impacted in this attack. So, you need to understand which companies in your portfolio are potentially using outdated ESXi hypervisors and which ones rely on the cloud providers most affected by the attack. Today, CyberCube’s Single Point of Failure Intelligence tool allows you to do both. We can look across a portfolio of companies to see which ones are using vulnerable technologies, and we can also identify which ones are using the impacted cloud providers. For example, the major French cloud provider OVH has been primarily impacted in this attack, along with their downstream customers.

We can do more triangulation around specific technologies in use to really drill down on which companies might be vulnerable in this attack. That’s primarily how we’re helping our clients today. They’re either conducting proactive outreach to warn these entities or preparing for the potential losses from this attack.

One more interesting point to note: CyberCube is using our industry exposure databases and economic exposure databases to identify vulnerable companies throughout the U.S. that are known to have cyber insurance. If you're interested in that kind of analysis and want to look at the whole market and how it could be impacted, CyberCube can also help there."

Yvette Essen:
"William, can you tell us which companies are likely to be impacted? Are there particular sectors or a certain size of companies at risk?"

William Altman:
"Great question, Yvette. This is what everyone wants to know: Who is impacted? From our analysis, we can tell you that industries like banking, agriculture, education, and aviation—businesses that tend to manage their own infrastructure—are at higher risk. These are large organizations with separate security and cloud computing needs that warrant virtualization infrastructure, making them more likely to use ESXi hypervisors. These companies could be more vulnerable to compromise in this attack.

We also see that large billion-dollar-plus revenue businesses are most impacted because they are large enough to require virtualization services for large-scale cloud computing deployment. So, we’re talking about big businesses across sectors like banking, education, aviation, agriculture, and some manufacturing."

Yvette Essen:
"Thank you for explaining all of that, William. More information about the VMware ransomware attacks can be found on our website, www.cybcube.com. You can find our press release, our new report, and also follow up on our Concierge service offering."

For CyberCube, I'm Yvette Essen.