The threat of multiplatform ransomware has been growing over the last several years. The attackers’ motivation is pretty simple: they want to cause the most damage in your environment as quickly as possible, forcing you to pay a large ransom. And attacking multiple platforms is one way to do that.
I want to focus on one specific multiplatform ransomware threat, which is the threat to your virtualization environment. Virtualization is a fundamental data center technology which is often taken for granted.
It’s just so easy to request a virtual machine (VM) these days, and they can be deployed within minutes in an automated fashion. Many times application owners don’t think anything of the environment their application is hosted in, unless there’s some sort of problem—then fingers are quick to point at the virtualization layer.
Virtualization Environments are Mission Critical
If we stop to think about the mission-critical applications in our environment, chances are they’re virtualized. From the apps that drive the bottom line of our business, to critical infrastructure services like AD and DNS, almost everything is virtualized these days.
This means our virtualization environment is mission-critical in itself, making it a target for the hackers out there.
Consider the “log4j” vulnerability, for example. It’s a major vulnerability in the Apache Log4j logging library that made mainstream news; even people outside security and IT knew what it was, and there’s a laundry list of VMware products that were susceptible to it. VMware, of course, is the leading supplier of virtualization products to the IT community, and is largely responsible for the rise of virtualization in the industry.
One of these products is vCenter Server, the central management tool for VMware hosts and clusters. If someone gains access to vCenter, they have the keys to the kingdom, yet for some strange reason people make it accessible to the internet, which means the barrier to getting in is very low, especially if it isn’t patched.
For an application that runs most of your datacenter and applications, that’s a pretty poor security practice. So why does it happen?
One of the biggest problems with virtualization these days is it’s just so easy to work with, and it works so well. Why fix something that isn’t broken? The truth is, the software which runs these environments is just as susceptible as any other software, and exploits and vulnerabilities are the normal cost of doing business.
What’s abnormal is how little people recall this when it comes to security. Virtualized environments need to be patched just like any other—in fact, they should be first on the list after patches are tested.
The Double Risk of Virtualization
We talked about how easy it is to deploy a VM today. You know what else is easy? Forgetting you deployed a VM. Many organizations still haven’t mastered the art of chargeback, often keeping those VMs running long after their purpose has been served.
Virtual sprawl is a real problem, especially when talking about VMs running operating systems that aren’t being patched because someone forgot about them, or that are no longer supported.
If someone does gain access to vCenter, it’s easy to see what’s in the environment, especially when organizations use easy-to-follow naming conventions. It’s also easy to see what operating systems are running on VMs, so that the hackers can then pick their next target for encryption, exfiltration, or both.
Not only do we need to worry about the hypervisor and its management layer, we also need to worry about what’s running inside it. This makes your virtualized environment even more attractive to hackers.
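The sprawl problem described above is easier to manage when the inventory is audited regularly. The following is an added example (not from the original post, and not a VMware tool): a Python check over a constructed vCenter inventory export that flags VMs running guest operating systems no longer being patched, VMs with no recorded owner (a chargeback gap), and powered-on VMs that have not been rebooted in over a year. The column names and the unsupported-OS list are assumptions to adapt to your own environment.

```python
"""Audit a vCenter VM inventory export for virtual-sprawl risk."""
import csv
import io
from datetime import date

# Constructed sample export. Column names are an assumption modelled on a
# PowerCLI Get-VM / Export-Csv report; adjust them to your real export.
SAMPLE_EXPORT = """Name,PowerState,GuestOS,Owner,LastBootTime
prod-db-01,PoweredOn,Windows Server 2019,dba-team,2024-03-02
legacy-app-03,PoweredOn,Windows Server 2008 R2,,2021-11-15
test-web-07,PoweredOn,Ubuntu 22.04,,2022-01-09
hr-archive,PoweredOff,Windows Server 2012 R2,hr,2020-05-20
"""

# Guest OS families this organisation no longer patches (assumption).
UNSUPPORTED_OS = ("Windows Server 2008", "Windows Server 2012", "CentOS 6")
STALE_AFTER_DAYS = 365  # a running VM not rebooted in a year is suspect


def audit_inventory(export_text, today_iso):
    """Return {vm_name: [findings]} for every VM that needs attention."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if row["GuestOS"].startswith(UNSUPPORTED_OS):
            issues.append("unsupported guest OS: " + row["GuestOS"])
        if not row["Owner"].strip():
            issues.append("no owner recorded (chargeback gap)")
        last_boot = date.fromisoformat(row["LastBootTime"])
        age = (today - last_boot).days
        # Only running VMs count as stale; powered-off ones are a separate cleanup task.
        if row["PowerState"] == "PoweredOn" and age > STALE_AFTER_DAYS:
            issues.append("powered on, last boot %d days ago" % age)
        if issues:
            findings[row["Name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_EXPORT, "2024-06-01").items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Feed it the export from your own vCenter and review the flagged VMs with their application owners before deciding whether to patch, migrate or decommission them.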
Treat Virtualization as a Mission-Critical Resource
Our virtualization environments are something we often take for granted, since they operate so well and have become so easy to use. Virtualization itself is a mission-critical application, and should be treated as such to protect against hackers.
The question then becomes, how do we get started? The good news is we don’t have to boil the ocean—there are simple ways to begin changing how we operate so that we’re moving in the right direction.
With the rise of zero-day exploits, the first thing we should do is ensure we have a security incident response plan for the virtualization environment. We should work with our IT security teams to make sure we take the right steps when something does go wrong.
The next thing to do is ensure we have Standard Operating Procedures (SOPs) for maintenance in our environment. The big things to tackle first are upgrades and patching, since responding to a newly disclosed vulnerability is the most common reason we’ll need to perform them.
These SOPs should include testing on two levels: testing the patching and upgrade processes themselves if we don’t already have them well defined, and testing each patch or upgrade when it becomes available. Even a simple two-node vSphere cluster can be an excellent testing environment for these activities.
To make sure we’re ready for the threat of ransomware and hackers targeting our virtualized environment, the first thing we need to do is to make sure we’re treating it as mission critical. The hackers know that the “good stuff” is here, and are actively targeting it. It’s important to put good security practices into place now, so we’re ready for an attack tomorrow.