Acting quickly and causing as much damage as possible in a matter of hours is the method of a new series of ransomware attacks targeting virtual machines running on VMware ESXi. Unlike conventional intrusions, in which attackers may spend days or even months mapping the network and collecting files before deploying the malware, these attacks move fast from the initial compromise, exploiting mainly server configuration errors.

Written in Python, the malware is able to quickly encrypt virtual disks and take control of the data: in one of the analyzed cases, only three hours passed between the attackers' entry into the network and the display of the ransom note. To make matters worse, the vectors that led to the attack were identified within just 10 minutes: an unprotected TeamViewer remote-access account, running on a machine with administrative privileges, was used to gain access to the network. Using an IP scanner, the criminals located the misconfigured ESXi server, with the SSH service left enabled, and used it to spread the ransomware. The Sophos experts responsible for the alert describe this as one of the fastest ransomware attacks they have ever analyzed and also point out that Python is not commonly used in this type of attack, which makes monitoring and mitigation more difficult.

On the other hand, the researchers' analysis points to methods that are common among cybercriminals. While the speed drew attention, the intrusion occurred during the night, a period of reduced activity by the affected company's employees, and the exploitation relied on familiar vectors, such as server management services that are normally enabled only when needed and disabled afterwards; in this case, a configuration error left the port open.

The agility of the attack is also reflected in the size of the script used: just 6 KB. The operation was intended to be stealthy, as the criminals tried to delete the file after the attack detonated; the Python sample was recovered only through forensic analysis. The study showed it to be a highly customizable piece of malware that can be configured with multiple encryption keys and can target specific files or data for locking, using open-source encryption tools. The researchers also noted the generation of unique unlock codes for each attack, so that no single “master key” could be used to release all victims.

Although an attack of this type is a novelty, Sophos warns that ESXi servers are frequently targeted, especially when outdated or left with default security settings. Criminal groups such as REvil and DarkSide have already targeted infrastructures of this type. The recommendation to administrators is to follow the security best practices published by VMware itself, as well as to apply security patches and other routine measures that protect the platform.

The company affected by the analyzed attack was not named, nor were the likely authors of the intrusion. Other details of the case, such as the ransom demanded and any payment made, were also not disclosed.

