We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!


Mandiant has observed a “significant increase” in the number of incidents involving a ransomware attack targeted against virtualization infrastructure, an expert at the cybersecurity firm told VentureBeat.

The increase has come over the past six to 12 months, and represents an adjustment of threat actor tactics —enabling them to “more rapidly and efficiently encrypt a large number of hosts,” said Greg Blaum, a principal consultant at Mandiant.

On Tuesday, Mandiant released M-Trends 2022, the firm’s 13th annual threat report. Among the major findings is that Mandiant has observed ransomware-focused threat actors “increasingly targeting virtualization infrastructure,” the firm disclosed in the M-Trends 2022 report.

While a traditional ransomware attack requires deploying the malicious payload across multiple hosts in a victim’s environment, an attack on virtualization infrastructure can potentially infect hundreds of virtual machines at once. With this variety of attack, “hitting one machine is much more effective,” Blaum said.

Event

Transform 2022

Join us at the leading event on applied AI for enterprise business and technology decision makers in-person July 19 and virtually from July 20-28.

Register Here

Mandiant reports that it observed a number of ransomware groups targeting VMware vSphere and ESXi platforms during 2021. The attackers included threat actors that’ve been associated with Conti, Hive, DarkSide and Blackcat, according to the firm.

In this type of attack, the threat actors have utilized compromised credentials to access VMware’s vCenter Server management software, Mandiant says. The attackers then use vCenter to discover all ESXi hosts that are being used in the victim’s environment, according to Mandiant.

While traditionally an on-premise virtualization platform, a number of cloud providers will also host this type of virtualization infrastructure for clients.

Mitigations

In terms of mitigations for this type of attack, the most effective is network segmentation, Blaum said. This entails placing the management software used with the virtualization infrastructure on an isolated network, or VLAN.

“If there are no network routes to get to the management infrastructure, it’s going to be really difficult for an attacker to exploit it,” Blaum said.

The use of a privileged access management (PAM) solution would also be helpful in blocking this type of attack, he said.

Ultimately, ransomware attacks against virtualization infrastructure are expected to remain an issue, Blaum said.

“Because the use of the virtualization infrastructure is so pervasive, and the fact that attackers can quickly and easily encrypt large numbers of hosts, we see this trend continuing the future,” he said.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.

Author
Topics