VMware’s ESXi platform has been a cornerstone of many organizations’ virtualization strategy for years and is relied on for reliably hosting business critical services. The combination of widespread adoption and business criticality has caused cyber criminals and ransomware operators looking to impose maximum impact on victims to target ESXi environments.
This trend is supported by evidence which shows an almost 3x increase from 2021 to 2022 in ransomware attacks targeting ESXi. It is highly likely we will see similarly significant statistics for 2023 with VMware environments being targeted in large high-profile attacks such as the MGM and Johnson Controls incidents.
Despite the criticality of these systems and increasing focus from adversaries, ensuring they are fully protected remains a challenge for many organizations for several reasons.
Hardening
Virtualization is a useful technology for administrators who want to focus on end-user functionality. Given the traditional focus on protecting guest VM operating systems, it is not uncommon for less attention to be paid to the underlying hypervisor. In more recent updates and versions VMware has begun to mitigate this issue, making ESXi “semi-hardened” by default by doing things like leaving SSH and ESXi Shell disabled by default. It is still important for ESXi admins to harden their own environment against attack, however even in the best-case scenario where there is a need for admin access, there is a pathway to attack and hardening can only get you so far.
Logging
ESXi does not provide much visibility with default logging functionality. At installation it uses “vmsyslogd” to keep basic system logs or forward to a collector. These logs provide limited transparency into system security. If enabled, other utilities such as SSH might provide remote user access logs. Rudimentary logging of this kind also provides minimal insight into any actions taken by administrators and falls well short of the type of robust telemetry incident responders are used to having when running a proper EDR agent. The lack of more robust logging on ESXi makes detection and incident handling a challenge.
Network Traffic
In many modern attacks, substantial amounts of data are exfiltrated from victim machines. Defenders have often found the spike in network traffic to be an important indicator of compromise. ESXi is typically used to serve access to guest VM’s to end-users over a network connection, and high network traffic to and from ESXi hosts is normal. This can mean that data exfiltration is more difficult to track and detect in ESXi heavy environments.
Security Software
One of the most significant challenges in securing ESXi is the lack of platform specific security solutions. Even the most knowledgeable system administrators and security teams benefit from good security software. Most operating systems have robust and well-proven security solutions ranging the full gamut of capabilities in detection, prevention and remediation. Despite its popularity and the rising threat of attacks against ESXi, no ESXi specific solution exists at the time of this writing. This represents a gap in the security industry that must be filled to prevent attacks from increasing in number and severity.
ESXi is a powerful and necessary tool but presents a host of potential security headaches, especially in the face of increasing adversary sophistication. Since ESXi is not going anywhere, we need to recognize and address these issues. System administrators and security teams need to pay close attention to recent attacks and current ESXi hardening techniques. The threat actor world is not ignoring ESXi. We as security professionals cannot afford to either.
2 VMware vCenter Server Vulnerability Exploited in Wild – SecurityWeek
3 MGM casino’s ESXi servers allegedly encrypted in ransomware attack (bleepingcomputer.com)
4 Building automation giant Johnson Controls hit by ransomware attack (bleepingcomputer.com)