May 23, 2023 By George Platsis 4 min read

With every step towards better cyber defense, malicious attackers counter with new tactics, techniques and procedures. It’s not like the attackers are going to say, “All right, you made it too tough for us this time; we’re checking out.” That is not happening.

Increased use of virtualization comes with both operational efficiencies and abilities to deploy a sound resilience strategy specifically related to recovery. With solid backup and restoration methods and disaster recovery planning, spinning up some images and backups can be relatively easy when needed. Done well, they facilitate quick recovery with minimal impact and disruption.

But when an organization employs virtualization, the underlying infrastructure that powers all of that, such as the hypervisor, also becomes a prime target.

One of the most attractive targets

Knocking out the foundation can create chaos. And malicious actors are taking advantage of emotive responses, particularly during ransomware attacks, to leverage the chaos of having a major component under their control.

The most basic take on why hypervisors are attractive targets can be attributed to poor patching. But patching alone is only part of the picture. Hypervisors are generally complex products requiring management, maintenance and, of course, labor to provide oversight. With a cybersecurity labor shortage still present, malicious actors get to operate in a target-rich environment where people are not present to manage security controls, oversee programs and actually deploy patches.

Furthermore, hypervisor management and especially upgrades are not necessarily cheap or easy to implement. Changing products could be part of a larger uplift or digital transformation project. Product life cycles matter. Many experts, especially in the incident response space, may have nightmares due to out-of-date products.

When foundational products reach end-of-life cycles, support is no longer available. But older products are still in use, meaning that a malicious actor does not necessarily need some zero-day or new vulnerability to get to you. Rather, they will just use the library of old ones.

So, just between talent shortages and capital investments, an organization has two business-related issues which have downstream security implications. All the more reason why information security leaders need a healthy mix of technical experience, business acumen and the ability to be a people manager.

Finally, hypervisors are attractive targets because they offer a gateway into other areas of the IT estate. Get into one hypervisor and, depending on configuration, a malicious actor may find themselves moving laterally across multiple virtual machines with little additional effort. With the correct credentials and privileges, attackers can unleash mass infection in a short time span.

Read the Ransomware Guide  

Focus on basics to defend

Apart from the challenges addressed above, recent attacks demonstrate how quickly attacks can happen. Once an account is broken into, a small script, just kilobytes in length, can take command and control of the virtual machine. Surely, attackers are performing reconnaissance, looking for users with domain access credentials or active shells that can be exploited. Once in, an attacker will take a peek around, see what else they have access to, and be off to encrypting drives and making ransom demands. A hypervisor hosting a multi-tenant environment can make an attacker salivate.

These attacks can be easy when some basics are not followed. For example:

  • Are privileges appropriate to the user? Never forget the competing dynamic between efficiency and security. These concepts are generally in opposition to each other. While it may be more efficient for a user to have additional privileges, risk is taken on fostering insecurity.
  • Is unnecessary functionality still open? This seems simple enough to address, but has somebody actually gone through the process of locking down applications, ports and all that other fun stuff we keep on hearing over and over again? And maybe somebody is trying to do it, but said individual is burning the candle at both ends due to the aforementioned labor issue.
  • Is authentication too easy? Whether it is multi-factor authentication or some other type of authentication control, if it is too easy to authenticate, the attacker has an easier way in.
  • Are audits happening? If there is no regular review of who has escalated privileges into domain controllers, there may be an unwanted guest in the network. An attacker may be sitting quietly, waiting for the right time to pounce.
  • Is there a presence of segmentation? This one is easy: We stated the attacker has a target-rich environment; do not make it easier for them. Segmentation and segregating data and application types, based on criticality and classifications, can limit the blast area.

Many of the issues listed above can be addressed by relatively simple solutions; the difficulty is actually doing them. In addition to the above, most of the solutions come in the form of rules and controls, such as:

  • Restricting remote access on the hypervisor
  • Sealing up open ports
  • Tightening up authentication methods on administrator accounts
  • Limiting root access
  • Establishing and activating lockdown and lockout rules.

It’s not hard, but it’s laborious and requires tough decisions

If you read the above and feel all this seems pretty straightforward, well, it is. It is not about the need, but rather, it is about the need behind the need. It’s not about needing to patch; you know that. It’s needing the resources to stand up and run a patch management program, whether in-house or through a vendor.

Additionally, it’s not about needing to update your end-of-life products. It’s needing leadership buy-in on why the investment to upgrade is necessary.

See the issue?

Since hypervisors are attractive targets, information security leaders should not only prioritize their security but emphasize its importance to others. Outline risks if the appropriate resources are not in place. This is where business acumen and people management skills make magic happen.

More from Risk Management

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today