💰💣

VMware Security Incident

2021 1725 days ago Resolved

Incident Overview

Situation Description

A ransomware attack targeted a VMware ESXi infrastructure, exploiting an inadequately secured TeamViewer remote access with domain administrator credentials and an active shell on the ESXi server.

Event Types

Ransomware Malware / Destructive Attack

Industry Sector

Technology

Geographic Scope

nan

Impact Analysis

Event Types (2 identified)

Ransomware Malware / Destructive Attack

Financial Impact

$0 USD

Records Affected

Data Types Compromised

Operational / System Data

Primary Impacts

Operational Disruption Financial Loss

Key Decisions Made

The attackers made an economically sensible decision to focus on the ESXi server rather than lingering in the network.; The organization failed to disable the ESXi server's active shell after using it, creating a vulnerability.; Adoption of ESXi security best practices, such as network segmentation and restricting administrative access, would have reduced the impact of the attack.

Technical Analysis

Attack Method

Misconfiguration

Vulnerability / Tool

TeamViewer Active Shell

Additional Information

19 October 2021 Lisa Vaass report about a ransomware attack on a VMware ESXi infrastructure is worth a detailed analysis because it reveals some interesting details on the attackers intentions. The attack happened very fast and targeted. Vaas cites the Sophos press release: This is one of the fastest ransomware attacks Sophos has ever investigated, and it appeared to precision-target the ESXi platform.( Vaas 2021 ; Sophos Ltd. 2021 ) How got the attacker initial access to the network? The attackers used an inadequately secured TeamViewer remote access to break into the company. The hijacked account had domain administrator access credentials.(Sophos Ltd. 2021) The ransomware operator was not interested in the Active Directory It is very remarkable that the attackers then focused on the ESXi server. If an attacker is able to hijack an account that is member of the domain administrators group, he has got the keys to the kingdom. An APT would then act very carefully to stay as long as possible undetected. But the ransomware operator made the right decision. To stay undetected in a network for weeks or months requires technical skills that ransomware operators just lack. This was an economically sensible decision. The course of events shows some shortcomings in security best practice Working with TeamViewer in unattended mode without a second factor is bad enough in itself, but, connecting to an account with domain admin privileges under this terms, violates any best practice. User account control is available since Windows Vista, so there is no need to work with permanent administrative privileges. Moreover, Microsoft makes clear that There should be no day-to-day user accounts in the DA group with the exception of the local Administrator account for the domain.( Microsoft 2021 ) ESXi servers were transparently accessible in the network, with active shell enabled The investigators believe the ESXi Server on the network was vulnerable because it had an active Shell,...

... (truncated for display)

Quick Facts

Company:: VMware
Date:: 2021
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: 19/10/2021

Source Information

Original Query

Colonial Pipeline CEO Joseph Blount congressional testimony transcript analysis

View Original Source

Timeline

Information Published

19/10/2021

Incident Occurred

2021 (1725 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats