Spider Webs covering VMware

Recent reporting by CrowdStrike indicates that two prolific cybercrime groups, Carbon Spider (CS) and Sprite Spider (SS), are now targeting VMware’s ESXi hypervisor with ransomware.

ESXi is a Type-1 (“bare-metal”) hypervisor developed by VMware.  A hypervisor is software that runs and manages virtual machines (VMs).  Unlike a Type-2 hypervisor, which runs as an application on a conventional host operating system, a Type-1 hypervisor runs directly on the host’s hardware.  ESXi hosts are commonly managed through vCenter, a centralized administration server that can control many ESXi hosts at once.  ESXi is not a Linux operating system, but its command shell can run some Linux-compiled ELF binaries, which is what allows Linux builds of ransomware to be dropped and executed on a host.  VMware holds an overwhelming majority of the worldwide virtual machine market share, well ahead of its nearest competitor.  This gives threat actors seeking to encrypt virtual infrastructure a strong incentive to develop malware that works against the entire VMware environment: encrypting a host’s datastores affects every VM stored on them at once.

CS traditionally targets companies operating point-of-sale (POS) devices, gaining initial access through low-volume phishing campaigns against that sector.  During 2020, however, CS was observed shifting to “Big Game Hunting” with the introduction of the DarkSide ransomware.  CS gains access to ESXi servers using valid credentials, and has also been reported logging in over SSH with the Plink utility to drop the DarkSide ransomware onto the host.

SS uses the LaZagne module of the PyXie RAT to recover vCenter credentials stored in web browsers, and runs Mimikatz to steal credentials from host memory.  After authenticating to vCenter, SS enables the SSH service on ESXi hosts to obtain persistent access.  In some cases they also change the root account password or the host’s SSH keys, which can lock legitimate administrators out as well.  Before deploying Defray 777 (also tracked as Defray, Defray 2018, Target777, RansomX and RansomEXX), SS’s ransomware of choice, they power off the running VMs: a running VM holds locks on its virtual disk and configuration files, so the VMs must be stopped before the ransomware can encrypt those files.
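The sequence described in the two paragraphs above (SSH enabled on the host, a root login over SSH, the root password changed, then a burst of VM power-offs just before encryption) is visible in ESXi’s own logs. The script below is an added example, not code from this page, from CrowdStrike or from VMware: it scans log text for those four precursors. The sample lines are constructed to approximate ESXi’s /var/log/auth.log (sshd) and /var/log/hostd.log (host events); the exact event wording differs between releases, so the regular expressions, the trusted jump-host address and the power-off threshold are all assumptions to validate against your own logs.

```python
"""Flag the ESXi intrusion precursors described above in ESXi log text.

Added example; this is not code from the page, CrowdStrike or VMware. The
sample lines are constructed to approximate /var/log/auth.log (sshd) and
/var/log/hostd.log (host events) on an ESXi host; wording varies between
releases, so validate the regular expressions against your own logs.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log text (not real telemetry). It walks through the
# sequence in the text: SSH service enabled, root login from an unfamiliar
# address, root password changed, then a burst of VM power-offs.
SAMPLE_LOG = """\
2021-02-26T10:15:02Z hostd[2098123]: Event 41 : SSH for the host esx01.corp.example has been enabled
2021-02-26T10:15:40Z sshd[2098456]: Accepted keyboard-interactive/pam for root from 198.51.100.23 port 51022 ssh2
2021-02-26T10:16:05Z hostd[2098123]: Event 42 : Password was changed for account root on host esx01.corp.example
2021-02-26T10:20:11Z hostd[2098123]: Event 43 : fileserver01 on esx01.corp.example in ha-datacenter is powered off
2021-02-26T10:20:12Z hostd[2098123]: Event 44 : sql02 on esx01.corp.example in ha-datacenter is powered off
2021-02-26T10:20:12Z hostd[2098123]: Event 45 : dc01 on esx01.corp.example in ha-datacenter is powered off
2021-02-26T10:20:13Z hostd[2098123]: Event 46 : web03 on esx01.corp.example in ha-datacenter is powered off
2021-02-26T10:20:14Z hostd[2098123]: Event 47 : backup01 on esx01.corp.example in ha-datacenter is powered off
2021-02-26T11:03:30Z sshd[2101777]: Accepted publickey for root from 10.10.5.40 port 40111 ssh2
"""

# Assumption: interactive root SSH is only expected from this admin jump
# host. Any other source address is flagged.
TRUSTED_SSH_SOURCES = {"10.10.5.40"}
# Assumption: this many VMs powered off inside the window is not routine
# maintenance. Tune both values to the change pattern of your own estate.
POWEROFF_THRESHOLD = 4
POWEROFF_WINDOW = timedelta(minutes=2)

TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<msg>.*)$")
SSH_ENABLED_RE = re.compile(r"SSH for the host (?P<host>\S+) has been enabled")
SSH_LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
PW_CHANGED_RE = re.compile(r"Password was changed for account (?P<user>\S+) on host (?P<host>\S+)")
POWEROFF_RE = re.compile(r"Event \d+ : (?P<vm>\S+) on \S+ in \S+ is powered off")


def parse_line(line):
    """Split a line into (timestamp, message); None if it carries no timestamp."""
    m = TS_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"), m.group("msg")


def analyze(log_text, trusted_sources=TRUSTED_SSH_SOURCES,
            threshold=POWEROFF_THRESHOLD, window=POWEROFF_WINDOW):
    """Return (kind, timestamp, detail) findings sorted by time."""
    findings = []
    poweroffs = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if m := SSH_ENABLED_RE.search(msg):
            findings.append(("ssh_enabled", ts, m.group("host")))
        elif m := SSH_LOGIN_RE.search(msg):
            if m.group("user") == "root" and m.group("ip") not in trusted_sources:
                findings.append(("root_ssh_untrusted_source", ts, m.group("ip")))
        elif m := PW_CHANGED_RE.search(msg):
            findings.append(("password_changed", ts, m.group("user")))
        elif m := POWEROFF_RE.search(msg):
            poweroffs.append((ts, m.group("vm")))

    # Sliding window: a burst is `threshold` or more power-offs that start
    # within `window` of the first one. Each event is counted in one burst
    # only, so a long shutdown storm yields one finding per window.
    poweroffs.sort(key=lambda p: p[0])  # stable: keeps log order within a second
    i = 0
    while i < len(poweroffs):
        start = poweroffs[i][0]
        j = i
        while j + 1 < len(poweroffs) and poweroffs[j + 1][0] - start <= window:
            j += 1
        if j - i + 1 >= threshold:
            findings.append(("vm_poweroff_burst", start, [vm for _, vm in poweroffs[i:j + 1]]))
            i = j + 1
        else:
            i += 1

    findings.sort(key=lambda f: f[1])
    return findings


if __name__ == "__main__":
    for kind, ts, detail in analyze(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<26} {detail}")
```

Run it over the concatenated auth and hostd logs of a host. Because this activity is followed by file deletion on the host (T1107 / T1070.004 in the list below), the logs worth analysing are the copies a remote collector received, not those still on the ESXi box; forward them by setting the host’s Syslog.global.logHost advanced option to a syslog server the attacker cannot reach with vCenter credentials. Note that the sshd line is logged the same way whether the attacker used Plink or any other SSH client, so the source-address check does not depend on the tool.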

The entire CrowdStrike report: https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

Anomali’s forecast: Both Carbon Spider and Sprite Spider likely intend to use ransomware targeting ESXi to inflict greater harm, and to realize larger profits, than traditional ransomware operations against Windows systems.  Should these campaigns continue and prove profitable, researchers expect more threat actors to imitate them.  Red Sky Alliance agrees, and urges companies to shore up their network defenses and to use proactive underground cyber collection and analysis (intelligence) to better protect them.

MITRE ATT&CK (techniques associated with this activity; several of the IDs cited in the original reporting have since been retired or moved under sub-techniques, and the current mapping is given alongside):

  • Data Encrypted for Impact - T1486
  • Hidden Files and Directories - T1158 (retired; now Hide Artifacts: Hidden Files and Directories - T1564.001)
  • Process Discovery - T1057
  • File Deletion - T1107 (retired; now Indicator Removal: File Deletion - T1070.004)
  • Remote Services - T1021
  • Scheduled Transfer - T1029
  • Virtualization/Sandbox Evasion - T1497
  • Command-Line Interface - T1059 (now Command and Scripting Interpreter - T1059)
  • Remote Desktop Protocol - T1076 (retired; now Remote Services: Remote Desktop Protocol - T1021.001)
  • Valid Accounts - T1078
  • Masquerading - T1036
  • Service Stop - T1489
  • System Information Discovery - T1082
  • Data Encrypted - T1022 (retired; now Archive Collected Data - T1560)
  • Credentials from Web Browsers - T1503 (retired; now Credentials from Password Stores: Credentials from Web Browsers - T1555.003)
  • Credential Dumping - T1003 (now OS Credential Dumping - T1003)

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/3702558539639477516 
