May 23, 2023 By George Platsis 4 min read

With every step towards better cyber defense, malicious attackers counter with new tactics, techniques and procedures. It’s not like the attackers are going to say, “All right, you made it too tough for us this time; we’re checking out.” That is not happening.

Increased use of virtualization brings both operational efficiencies and the ability to deploy a sound resilience strategy, particularly for recovery. With solid backup and restoration methods and disaster recovery planning, spinning up images and backups when needed can be relatively easy. Done well, they facilitate quick recovery with minimal impact and disruption.

But when an organization employs virtualization, the underlying infrastructure that powers all of that, such as the hypervisor, also becomes a prime target.

One of the most attractive targets

Knocking out the foundation can create chaos. And malicious actors are taking advantage of emotive responses, particularly during ransomware attacks, to leverage the chaos of having a major component under their control.

The most basic take on why hypervisors are attractive targets can be attributed to poor patching. But patching alone is only part of the picture. Hypervisors are generally complex products requiring management, maintenance and, of course, labor to provide oversight. With a cybersecurity labor shortage still present, malicious actors get to operate in a target-rich environment where people are not present to manage security controls, oversee programs and actually deploy patches.

Furthermore, hypervisor management and especially upgrades are not necessarily cheap or easy to implement. Changing products could be part of a larger uplift or digital transformation project. Product life cycles matter. Many experts, especially in the incident response space, may have nightmares due to out-of-date products.

When foundational products reach end-of-life cycles, support is no longer available. But older products are still in use, meaning that a malicious actor does not necessarily need some zero-day or new vulnerability to get to you. Rather, they will just use the library of old ones.

So, just between talent shortages and capital investments, an organization has two business-related issues which have downstream security implications. All the more reason why information security leaders need a healthy mix of technical experience, business acumen and the ability to be a people manager.

Finally, hypervisors are attractive targets because they offer a gateway into other areas of the IT estate. Get into one hypervisor and, depending on configuration, a malicious actor may find themselves moving laterally across multiple virtual machines with little additional effort. With the correct credentials and privileges, attackers can unleash mass infection in a short time span.


Focus on basics to defend

Apart from the challenges addressed above, recent attacks demonstrate how quickly attacks can happen. Once an account is broken into, a small script, just kilobytes in length, can take command and control of the virtual machine. Surely, attackers are performing reconnaissance, looking for users with domain access credentials or active shells that can be exploited. Once in, an attacker will take a peek around, see what else they have access to, and be off to encrypting drives and making ransom demands. A hypervisor hosting a multi-tenant environment can make an attacker salivate.

These attacks can be easy when some basics are not followed. For example:

  • Are privileges appropriate to the user? Never forget the competing dynamic between efficiency and security; these concepts are generally in opposition to each other. While it may be more efficient for a user to hold additional privileges, every extra privilege is risk taken on.
  • Is unnecessary functionality still open? This seems simple enough to address, but has somebody actually gone through the process of locking down applications, ports and all the other things we keep hearing about over and over again? Maybe somebody is trying to do it, but that individual is burning the candle at both ends because of the aforementioned labor issue.
  • Is authentication too easy? Whether it is multi-factor authentication or some other authentication control, if it is too easy to authenticate, the attacker has an easier way in.
  • Are audits happening? If there is no regular review of who holds escalated privileges into domain controllers, there may be an unwanted guest in the network. An attacker may be sitting quietly, waiting for the right time to pounce.
  • Is segmentation in place? This one is easy: We stated the attacker has a target-rich environment; do not make it easier for them. Segmenting and segregating data and application types, based on criticality and classification, limits the blast radius.

Many of the issues listed above can be addressed by relatively simple solutions; the difficulty is actually doing them. In addition to the above, most of the solutions come in the form of rules and controls, such as:

  • Restricting remote access on the hypervisor
  • Sealing up open ports
  • Tightening up authentication methods on administrator accounts
  • Limiting root access
  • Establishing and activating lockdown and lockout rules
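The two lists above (the basics to check and the rules and controls that address them) boil down to a baseline a host either meets or does not. The following Python script is an added example, not code from the article or from any hypervisor vendor: it takes a constructed snapshot of one host's settings (the schema, host name, port numbers and account names are all assumptions, not any product's export format) and reports which of the article's controls the host fails, then shows the same host after hardening passing cleanly.

```python
"""Baseline check for hypervisor hardening basics.

Added example; the snapshot schema below is constructed and hypothetical,
not a real hypervisor's configuration export.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed snapshot of a weakly configured host (hypothetical schema).
WEAK_HOST = {
    "host": "hv-01",
    "remote_access": {"ssh_enabled": True, "allowed_admin_networks": []},
    "listening_ports": [22, 443, 902, 8080, 5900],
    "admin_accounts": [
        {"name": "root", "mfa": False, "direct_login": True},
        {"name": "alice.admin", "mfa": True, "direct_login": True},
        {"name": "svc-backup", "mfa": False, "direct_login": True},
    ],
    "lockdown_mode": "disabled",
    "lockout": {"max_failed_attempts": 0, "lockout_minutes": 0},
}

# The same host after the controls have been applied (constructed).
HARDENED_HOST = {
    "host": "hv-01",
    "remote_access": {"ssh_enabled": True, "allowed_admin_networks": ["10.10.99.0/24"]},
    "listening_ports": [22, 443, 902],
    "admin_accounts": [
        {"name": "root", "mfa": True, "direct_login": False},
        {"name": "alice.admin", "mfa": True, "direct_login": True},
    ],
    "lockdown_mode": "enabled",
    "lockout": {"max_failed_attempts": 5, "lockout_minutes": 15},
}

# Baseline values are assumptions for the example; a real program would
# derive them from its own architecture and privilege review.
APPROVED_PORTS = {22, 443, 902}
APPROVED_ADMIN_ACCOUNTS = {"root", "alice.admin"}  # output of the privilege audit


@dataclass(frozen=True)
class Finding:
    control: str   # which of the article's controls is not met
    detail: str
    severity: str


def check_host(snapshot):
    """Return the list of baseline controls the host fails (empty if compliant)."""
    findings = []

    # Restricting remote access on the hypervisor
    ra = snapshot["remote_access"]
    if ra["ssh_enabled"] and not ra["allowed_admin_networks"]:
        findings.append(Finding("restrict-remote-access",
                                "SSH enabled with no admin source network restriction", "high"))

    # Sealing up open ports
    extra = set(snapshot["listening_ports"]) - APPROVED_PORTS
    if extra:
        findings.append(Finding("seal-open-ports",
                                f"unapproved listening ports: {sorted(extra)}", "medium"))

    # Auditing privileges, tightening admin authentication, limiting root access
    for acct in snapshot["admin_accounts"]:
        if acct["name"] not in APPROVED_ADMIN_ACCOUNTS:
            findings.append(Finding("audit-privileges",
                                    f"admin account not on the approved list: {acct['name']}", "high"))
        if not acct["mfa"]:
            findings.append(Finding("tighten-admin-auth",
                                    f"admin account without MFA: {acct['name']}", "high"))
        if acct["name"] == "root" and acct["direct_login"]:
            findings.append(Finding("limit-root-access",
                                    "direct root login is permitted", "high"))

    # Lockdown and lockout rules
    if snapshot["lockdown_mode"] != "enabled":
        findings.append(Finding("lockdown-mode", "lockdown mode is not enabled", "medium"))
    lo = snapshot["lockout"]
    if lo["max_failed_attempts"] <= 0 or lo["lockout_minutes"] <= 0:
        findings.append(Finding("lockout-rules",
                                "no account lockout after repeated failed logins", "medium"))
    return findings


def severity_counts(findings):
    """Summarize findings by severity, e.g. {'high': 5, 'medium': 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for snap in (WEAK_HOST, HARDENED_HOST):
        found = check_host(snap)
        print(f"{snap['host']}: {len(found)} finding(s) {severity_counts(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.control}: {f.detail}")
```

The point of the two snapshots is the gap between them: the weak host fails on every control in the list, and none of the fixes is technically exotic, which is exactly the article's argument that the hard part is the labor and the decisions, not the technique.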

It’s not hard, but it’s laborious and requires tough decisions

If you read the above and feel all this seems pretty straightforward, well, it is. It is not about the need, but rather, it is about the need behind the need. It’s not about needing to patch; you know that. It’s needing the resources to stand up and run a patch management program, whether in-house or through a vendor.

Additionally, it’s not about needing to update your end-of-life products. It’s needing leadership buy-in on why the investment to upgrade is necessary.

See the issue?

Since hypervisors are attractive targets, information security leaders should not only prioritize their security but emphasize its importance to others. Outline risks if the appropriate resources are not in place. This is where business acumen and people management skills make magic happen.
