Two ransomware strains target VMware's ESXi hypervisor through stolen vCenter creds

Two strains of ransomware have recently been updated to target VMware’s ESXi hypervisor and encrypt virtual machine files, says security vendor CrowdStrike. Neither attack has found a way into ESXi itself, which is welcome news as a successful attack on the type-one hypervisor would mean hosts could be compromised. Instead, …

  1. Anonymous South African Coward Silver badge

    Who allows their bare-metal hypervisor to connect directly to the internet without a firewall in between?

    Also - who port-forwards port 22 (or any vCenter port) directly to the Internet?

    Mind boggles.

    Put a firewall and VPN in between!

    1. FlamingDeath Silver badge

      I take it you’ve never hacked before?

      There is a distinction between security and functionality

      You can make things so secure they are no longer functional; vice versa is true also, it's so functional and convenient it's a security risk.

      Which do you think most companies will pick?

      Convenience, or security?

      The web browser is one of the most at-risk targets that lusers use daily, who probably wouldn't know what javascript was even if you explained it to them.

      Some people can't go a week without destroying their mobile phone like the clumsy and inattentive cunts they are, so explaining the risks to them of opening random junk mail items without understanding why it's in the spam folder to begin with is a wasted effort.

      Meanwhile, the CEO is having their 7th holiday this year.

    2. storner

      Hopefully nobody has vCenter directly on the Internet.

      But most compromises these days happen when people read mail and click "Open" when they should have clicked "Delete" instead. And then the attack comes from your internal network.

    3. big_D Silver badge

      It gets the credentials from the client attaching to vSphere for a start. They are often Internet connected or have an email client set-up on it, so a phishing email would be a good vector...

      1. Anonymous Coward

        This is why best practice is to use an admin VM/device to do your admin stuff, not your "normal" daily driver device.

        2nd, you don't have an email account configured on the admin device and your admin user doesn't have an email license attached to it either.

        It's *REALLY* not that hard to do this, day in, day out, yet I'm sure someone will be along shortly to bemoan the "hassle" of needing to sign into another session to "do admin" to something.


Biting the hand that feeds IT © 1998–2021