May 23, 2023 By George Platsis 4 min read

With every step towards better cyber defense, malicious attackers counter with new tactics, techniques and procedures. It’s not like the attackers are going to say, “All right, you made it too tough for us this time; we’re checking out.” That is not happening.

Increased use of virtualization comes with both operational efficiencies and abilities to deploy a sound resilience strategy specifically related to recovery. With solid backup and restoration methods and disaster recovery planning, spinning up some images and backups can be relatively easy when needed. Done well, they facilitate quick recovery with minimal impact and disruption.

But when an organization employs virtualization, the underlying infrastructure that powers all of that, such as the hypervisor, also becomes a prime target.

One of the most attractive targets

Knocking out the foundation can create chaos. And malicious actors are taking advantage of emotive responses, particularly during ransomware attacks, to leverage the chaos of having a major component under their control.

The most basic take on why hypervisors are attractive targets can be attributed to poor patching. But patching alone is only part of the picture. Hypervisors are generally complex products requiring management, maintenance and, of course, labor to provide oversight. With a cybersecurity labor shortage still present, malicious actors get to operate in a target-rich environment where people are not present to manage security controls, oversee programs and actually deploy patches.

Furthermore, hypervisor management and especially upgrades are not necessarily cheap or easy to implement. Changing products could be part of a larger uplift or digital transformation project. Product life cycles matter. Many experts, especially in the incident response space, may have nightmares due to out-of-date products.

When foundational products reach end-of-life cycles, support is no longer available. But older products are still in use, meaning that a malicious actor does not necessarily need some zero-day or new vulnerability to get to you. Rather, they will just use the library of old ones.

So, just between talent shortages and capital investments, an organization has two business-related issues which have downstream security implications. All the more reason why information security leaders need a healthy mix of technical experience, business acumen and the ability to be a people manager.

Finally, hypervisors are attractive targets because they offer a gateway into other areas of the IT estate. Get into one hypervisor and, depending on configuration, a malicious actor may find themselves moving laterally across multiple virtual machines with little additional effort. With the correct credentials and privileges, attackers can unleash mass infection in a short time span.


Focus on basics to defend

Apart from the challenges addressed above, recent attacks demonstrate how quickly attacks can happen. Once an account is broken into, a small script, just kilobytes in length, can take command and control of the virtual machine. Surely, attackers are performing reconnaissance, looking for users with domain access credentials or active shells that can be exploited. Once in, an attacker will take a peek around, see what else they have access to, and be off to encrypting drives and making ransom demands. A hypervisor hosting a multi-tenant environment can make an attacker salivate.

These attacks can be easy when some basics are not followed. For example:

  • Are privileges appropriate to the user? Never forget the competing dynamic between efficiency and security; the two are generally in opposition. It may be more efficient for a user to hold additional privileges, but granting them takes on risk and weakens security.
  • Is unnecessary functionality still open? This seems simple enough to address, but has somebody actually gone through the process of locking down applications, ports and all that other fun stuff we keep on hearing over and over again? And maybe somebody is trying to do it, but said individual is burning the candle at both ends due to the aforementioned labor issue.
  • Is authentication too easy? Whether it is multi-factor authentication or some other type of authentication control, if it is too easy to authenticate, the attacker has an easier way in.
  • Are audits happening? If there is no regular review of who has escalated privileges into domain controllers, there may be an unwanted guest in the network. An attacker may be sitting quietly, waiting for the right time to pounce.
  • Is segmentation in place? This one is easy: We stated the attacker has a target-rich environment; do not make it easier for them. Segmenting and segregating data and application types, based on criticality and classification, can limit the blast radius.

Many of the issues listed above can be addressed by relatively simple solutions; the difficulty is actually doing them. In addition to the above, most of the solutions come in the form of rules and controls, such as:

  • Restricting remote access on the hypervisor
  • Sealing up open ports
  • Tightening up authentication methods on administrator accounts
  • Limiting root access
  • Establishing and activating lockdown and lockout rules
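The basics listed above (appropriate privileges, closed ports, strong administrator authentication, regular audits of privileged accounts, segmentation) and the controls just listed (restricted remote access, limited root access, lockdown and lockout rules) can be turned into a baseline that is checked mechanically. The following is an added example, not code from the article or from any hypervisor vendor: the configuration fields, the allowed-port baseline, the 90-day review threshold and the two sample hosts are all constructed for illustration, and a real check would pull the same facts from the hypervisor's own management API or audit log.

```python
"""Baseline check for a hypervisor host configuration (added example).

The HostConfig fields and the sample hosts are constructed for
illustration; they do not correspond to any specific product's settings.
"""
from dataclasses import dataclass


@dataclass
class HostConfig:
    name: str
    remote_access_enabled: bool   # remote shell/SSH service left on the host
    open_ports: set               # listening TCP ports on the management interface
    admin_mfa: bool               # MFA enforced on administrator accounts
    root_login_allowed: bool      # direct root logon permitted
    lockdown_mode: bool           # host manageable only via the management server
    lockout_after_failures: int   # failed logins before lockout; 0 = no lockout
    privileged_accounts: dict     # account name -> days since its last access review
    network_segment: str          # segment the management interface sits in


# Constructed baseline: only the management HTTPS port may listen,
# and privileged accounts must be reviewed at least every 90 days.
ALLOWED_PORTS = {443}
MAX_REVIEW_AGE_DAYS = 90
MANAGEMENT_SEGMENT = "mgmt"


def check_host(cfg: HostConfig) -> list:
    """Return a list of (control, detail) findings; an empty list meets the baseline."""
    findings = []
    if cfg.remote_access_enabled:
        findings.append(("remote-access", "remote shell access is enabled on the hypervisor"))
    extra_ports = sorted(cfg.open_ports - ALLOWED_PORTS)
    if extra_ports:
        findings.append(("open-ports", f"unneeded ports open: {extra_ports}"))
    if not cfg.admin_mfa:
        findings.append(("authentication", "administrator accounts lack MFA"))
    if cfg.root_login_allowed:
        findings.append(("root-access", "direct root login is permitted"))
    if not cfg.lockdown_mode:
        findings.append(("lockdown", "lockdown mode is not enabled"))
    if cfg.lockout_after_failures <= 0:
        findings.append(("lockout", "no account lockout after failed logins"))
    stale = sorted(acct for acct, age in cfg.privileged_accounts.items()
                   if age > MAX_REVIEW_AGE_DAYS)
    if stale:
        findings.append(("audit", f"privileged accounts not reviewed in "
                                  f"{MAX_REVIEW_AGE_DAYS} days: {stale}"))
    if cfg.network_segment != MANAGEMENT_SEGMENT:
        findings.append(("segmentation", f"management interface sits on segment "
                                         f"'{cfg.network_segment}', not '{MANAGEMENT_SEGMENT}'"))
    return findings


# Constructed sample hosts: one with the weak settings the article warns
# about, one with every listed control in place.
WEAK_HOST = HostConfig(
    name="hv-host-01", remote_access_enabled=True, open_ports={22, 443, 902, 8080},
    admin_mfa=False, root_login_allowed=True, lockdown_mode=False,
    lockout_after_failures=0,
    privileged_accounts={"admin": 400, "backup-svc": 30, "contractor": 120},
    network_segment="flat",
)
HARDENED_HOST = HostConfig(
    name="hv-host-02", remote_access_enabled=False, open_ports={443},
    admin_mfa=True, root_login_allowed=False, lockdown_mode=True,
    lockout_after_failures=5, privileged_accounts={"admin": 14},
    network_segment=MANAGEMENT_SEGMENT,
)


def report(cfg: HostConfig) -> str:
    """Render findings for one host as a short text report."""
    findings = check_host(cfg)
    if not findings:
        return f"{cfg.name}: meets baseline"
    lines = [f"{cfg.name}: {len(findings)} finding(s)"]
    lines += [f"  [{control}] {detail}" for control, detail in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    for host in (WEAK_HOST, HARDENED_HOST):
        print(report(host))
```

Running the block prints eight findings for the weak host, one per control from the article's two lists, and "meets baseline" for the hardened host. The check is deliberately one finding per control so that each can be tied back to the owner who has to fix it, which is the laborious part the article is really about.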

It’s not hard, but it’s laborious and requires tough decisions

If you read the above and feel all this seems pretty straightforward, well, it is. It is not about the need, but rather, it is about the need behind the need. It’s not about needing to patch; you know that. It’s needing the resources to stand up and run a patch management program, whether in-house or through a vendor.

Additionally, it’s not about needing to update your end-of-life products. It’s needing leadership buy-in on why the investment to upgrade is necessary.

See the issue?

Since hypervisors are attractive targets, information security leaders should not only prioritize their security but emphasize its importance to others. Outline risks if the appropriate resources are not in place. This is where business acumen and people management skills make magic happen.
