With every step towards better cyber defense, malicious attackers counter with new tactics, techniques and procedures. It’s not like the attackers are going to say, “All right, you made it too tough for us this time; we’re checking out.” That is not happening.

Increased use of virtualization brings operational efficiencies and the ability to build a sound resilience strategy, particularly around recovery. With solid backup and restoration methods and disaster recovery planning, spinning up images and backups when needed can be relatively easy. Done well, these capabilities facilitate quick recovery with minimal impact and disruption.

But when an organization employs virtualization, the underlying infrastructure that powers all of that, such as the hypervisor, also becomes a prime target.

One of the Most Attractive Targets

Knocking out the foundation can create chaos. And malicious actors are taking advantage of emotive responses, particularly during ransomware attacks, to leverage the chaos of having a major component under their control.

The most basic take on why hypervisors are attractive targets can be attributed to poor patching. But patching alone is only part of the picture. Hypervisors are generally complex products requiring management, maintenance and, of course, labor to provide oversight. With a cybersecurity labor shortage still present, malicious actors get to operate in a target-rich environment where people are not present to manage security controls, oversee programs and actually deploy patches.

Furthermore, hypervisor management and especially upgrades are not necessarily cheap or easy to implement. Changing products could be part of a larger uplift or digital transformation project. Product life cycles matter. Many experts, especially in the incident response space, may have nightmares due to out-of-date products.

When foundational products reach end-of-life cycles, support is no longer available. But older products are still in use, meaning that a malicious actor does not necessarily need some zero-day or new vulnerability to get to you. Rather, they will just use the library of old ones.

So, just between talent shortages and capital investments, an organization has two business-related issues which have downstream security implications. All the more reason why information security leaders need a healthy mix of technical experience, business acumen and the ability to be a people manager.

Finally, hypervisors are attractive targets because they offer a gateway into other areas of the IT estate. Get into one hypervisor and, depending on configuration, a malicious actor may find themselves moving laterally across multiple virtual machines with little additional effort. With the correct credentials and privileges, attackers can unleash mass infection in a short time span.


Focus on Basics to Defend

Apart from the challenges addressed above, recent attacks demonstrate how quickly attacks can happen. Once an account is broken into, a small script, just kilobytes in length, can take command and control of the virtual machine. Surely, attackers are performing reconnaissance, looking for users with domain access credentials or active shells that can be exploited. Once in, an attacker will take a peek around, see what else they have access to, and be off to encrypting drives and making ransom demands. A hypervisor hosting a multi-tenant environment can make an attacker salivate.

These attacks can be easy when some basics are not followed. For example:

  • Are privileges appropriate to the user? Never forget the competing dynamic between efficiency and security. These concepts are generally in opposition to each other. While it may be more efficient for a user to have additional privileges, that efficiency is bought with added risk.
  • Is unnecessary functionality still open? This seems simple enough to address, but has somebody actually gone through the process of locking down applications, ports and all that other fun stuff we keep on hearing over and over again? And maybe somebody is trying to do it, but said individual is burning the candle at both ends due to the aforementioned labor issue.
  • Is authentication too easy? Whether it is multi-factor authentication or some other type of authentication control, if it is too easy to authenticate, the attacker has an easier way in.
  • Are audits happening? If there is no regular review of who has escalated privileges into domain controllers, there may be an unwanted guest in the network. An attacker may be sitting quietly, waiting for the right time to pounce.
  • Is segmentation in place? This one is easy: we stated the attacker has a target-rich environment; do not make it easier for them. Segmenting and segregating data and application types, based on criticality and classification, can limit the blast radius.

Many of the issues listed above can be addressed by relatively simple solutions; the difficulty is actually doing them. In addition to the above, most of the solutions come in the form of rules and controls, such as:

  • Restricting remote access on the hypervisor
  • Sealing up open ports
  • Tightening up authentication methods on administrator accounts
  • Limiting root access
  • Establishing and activating lockdown and lockout rules
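The five controls above are easy to state and easy to let slide, so here is a small audit that checks a host against them. This is an added example, not code from the article; the host settings are a constructed dict standing in for whatever a real hypervisor management API would return, and the management network, allowed port and lockout threshold are assumed baselines.

```python
"""Hardening audit for the five hypervisor controls listed above (added example,
not from the article). The host settings are a constructed dict standing in for
whatever a real hypervisor management API would return."""
import ipaddress

# Assumed baseline: management-only source networks, the one expected port,
# and the largest acceptable failed-login count before lockout.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
ALLOWED_PORTS = {443}
MAX_LOCKOUT_ATTEMPTS = 5


def audit_host(host: dict) -> list:
    """Return one finding per violated rule; an empty list means the host passes."""
    findings = []
    # Rule 1: remote access only from management networks.
    for src in host.get("remote_access_sources", []):
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.subnet_of(m) for m in MGMT_NETS):
            findings.append(f"remote access permitted from {src}")
    # Rule 2: no listening ports beyond the allowlist.
    for port in sorted(set(host.get("open_ports", [])) - ALLOWED_PORTS):
        findings.append(f"unexpected open port {port}")
    # Rule 3: every administrator account uses MFA.
    for acct in host.get("admin_accounts", []):
        if not acct.get("mfa", False):
            findings.append(f"admin account {acct['name']} has no MFA")
    # Rule 4: root is not usable over remote access.
    if host.get("root_remote_login", False):
        findings.append("root login allowed over remote access")
    # Rule 5: lockdown mode on and a sane lockout threshold set (0 = disabled).
    if not host.get("lockdown_mode", False):
        findings.append("lockdown mode disabled")
    attempts = host.get("lockout_after_failures", 0)
    if attempts == 0 or attempts > MAX_LOCKOUT_ATTEMPTS:
        findings.append(f"account lockout threshold is {attempts}")
    return findings


# Constructed sample: a host where the basics were never finished.
SAMPLE_HOST = {
    "remote_access_sources": ["10.10.0.0/24", "0.0.0.0/0"],
    "open_ports": [443, 22, 8080],
    "admin_accounts": [{"name": "root", "mfa": False}, {"name": "ops", "mfa": True}],
    "root_remote_login": True,
    "lockdown_mode": False,
    "lockout_after_failures": 0,
}

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_HOST):
        print("FINDING:", finding)
```

Running it against the sample host reports seven findings, one per gap; feeding it the real settings from each host turns the list in this section into a repeatable check rather than a one-time intention.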

It’s Not Hard, but It’s Laborious and Requires Tough Decisions

If you read the above and feel all this seems pretty straightforward, well, it is. It is not about the need, but rather, it is about the need behind the need. It’s not about needing to patch; you know that. It’s needing the resources to stand up and run a patch management program, whether in-house or through a vendor.

Additionally, it’s not about needing to update your end-of-life products. It’s needing leadership buy-in on why the investment to upgrade is necessary.

See the issue?

Since hypervisors are attractive targets, information security leaders should not only prioritize their security but emphasize its importance to others. Outline risks if the appropriate resources are not in place. This is where business acumen and people management skills make magic happen.
