IT Brief UK - Technology news for CIOs & IT decision-makers

Operate without opening the chest: identifying VMware vulnerabilities

When critical software vulnerabilities appear in core IT systems, as is the case with VMware ESXi servers, companies often struggle to keep up with closing the gaps, which then leaves them vulnerable to targeted exploitation by hackers. But there are clever ways to find the gaps quickly and close them without tinkering with the critical production systems themselves.

Both the CERT-FR team from France and Italy's cyber security agency ACN warned at the beginning of the week that a global ransomware attack was targeting thousands of these servers in Europe and North America. More than 3,200 VMware servers have already been compromised, according to Censys Search, with France the hardest-hit country ahead of the US, Germany, Canada and the UK. Also, the encryption mechanism seems to have changed to prevent a recovery.

According to VMware, the campaign exploits a weakness for which a patch has existed for two years – since February 23, 2021. IT managers should immediately check whether they have already installed this critical patch and, if not, install it as soon as possible.

Typical proof of the core problem

The fact that such an old software vulnerability, for which a patch has long existed, still allows attacks reveals a major problem. Left unpatched, the weakness in VMware ESXi servers leaves a gap at the heart of many companies - the critical virtual infrastructure on which many of their most essential applications run. Updating this infrastructure takes a lot of time, energy and money.

At the same time, IT managers are confronted with an endless stream of patches every year to close the tens of thousands of software vulnerabilities found. Absolute Software stated that exactly 20,265 new software vulnerabilities were identified and reported in 2022 alone - in 2019, there were 18,325.

The number of patches is increasing, as is the complexity of the patching process. IT managers and their teams test the patches intensively before rolling them out. Open-heart surgeries – on the most critical services and applications – are among the most delicate in IT. You absolutely must not get it wrong and corrupt a system because of compatibility issues with the patch. Even with critical patches, there is almost always a gap between the patch being available and the patch actually being rolled out.

Help through modern data management concepts

Modern data management concepts are a clever way to massively accelerate the process of patch analysis without even touching the production systems themselves. They create snapshots of all important data and applications in the company at regular intervals, as this is one of their main tasks.

These snapshots - identical to the production systems down to the last bit - can be exported to any location at any time and restored to the production system within minutes. You can also clone multiple copies of the production system.

Identical snapshots and their uses

This cloning approach has several advantages. By default, IT teams and security specialists can scan these files for new vulnerabilities. In this way, they always know exactly which gaps exist on which systems and can prioritise them according to their severity.

You can also cleanly test patches with the current version of the production system and detect possible conflicts. This current version represents the real status quo and not an isolated laboratory version of the application stack. If the patch corrupts the production clone, it can simply be deleted and a new clone set up for a new test.

In addition, multiple employees and teams can work on the snapshot and the system, regardless of location, without being physically close to the system or having to wait for a free slot. This is also crucial for reacting to successful attacks. In such a crisis, several forensic experts can examine the snapshot of a hacked machine for signs of a break-in. And as they are not actively working on the potentially breached production system, they do not give hackers any indications of an ongoing investigation.

It is important that the data management system itself automatically encrypts the data in transit and at rest. Ideally, this platform should follow the principles of a Zero Trust architecture, where access is strictly regulated via multi-factor authentication. Privileged accounts and tasks should be additionally secured via quorum queries.

In this way, modern data management can enable operations at the heart of the infrastructure without those responsible actually having to perform open-heart surgery, with all the risks that brings for the operation. This will enable both IT security and infrastructure teams to react quickly to attacks and roll out patches with confidence.
