Trust No One: Protect Your Business with Zero-Trust Security
Why Businesses Must Implement Zero-Trust Security in Light of Recent ESXi Server Exploits
Recent cyberattacks exploiting VMware ESXi vulnerabilities underscore the urgent need for businesses to adopt a zero-trust security model. This approach is crucial because reliance on traditional cybersecurity measures has proved insufficient. I examined the processes used by bad actors in a previous article.
The Exploit
Attackers leveraged a vulnerability (CVE-2024-37085) in domain-joined VMware ESXi hypervisors. A domain group named "ESX Admins" is automatically granted full administrative rights on the hypervisor, and the hypervisor does not check that the group existed before the host joined the domain. An attacker with sufficient Active Directory privileges therefore only has to create a group with that name and add an account to it to take over the hypervisor and every virtual machine running on it. Multiple ransomware groups, including Black Basta and Akira, exploited this flaw to deploy ransomware, leading to extensive data encryption and operational disruption.
Microsoft's Role and Responsibility
Discovery and Reporting:
Microsoft researchers discovered this vulnerability during their investigations and reported it to VMware. Despite their crucial role in identifying the flaw, Microsoft did not reference it as a zero-day attack.
Compromise of Microsoft Products:
The attackers initially gained access through Qakbot, malware spread via phishing emails.
They then exploited a Windows Common Log File System (CLFS) vulnerability (CVE-2023-28252) to elevate privileges, a direct compromise of Microsoft's code.
They also tampered with Microsoft Defender Antivirus to avoid detection, highlighting a significant security lapse within Microsoft's product.
VMware's Role and Responsibility
Vulnerability in VMware ESXi: The primary vulnerability (CVE-2024-37085) existed in VMware ESXi hypervisors joined to an Active Directory domain. The flaw allowed attackers with enough domain privileges to gain full administrative control of the hypervisor by creating a domain group named "ESX Admins".
Timely Response: VMware (now owned by Broadcom) was responsible for providing timely patches and updates to mitigate such vulnerabilities. It released a fix for this flaw in ESXi 8.0 U3 on June 25, 2024. For hosts that cannot be upgraded immediately, the hypervisor's advanced settings allow the privileged group to be renamed and its automatic admin grant to be switched off.
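The two checks a defender actually needs against this flaw are an exposure check on each ESXi host (is it domain-joined, and does it still auto-grant admin to a group by name?) and a detection on the Active Directory side, where the attack starts with the creation or renaming of the "ESX Admins" group. The script below is an added example written for this article; it is not VMware, Broadcom or Microsoft code. The two advanced-setting names and the Windows Security event IDs are real; the host list, the event records and the dict layouts are constructed sample data, and the case-insensitive, whitespace-collapsed name matching is a defensive choice of the example rather than documented ESXi behaviour.

```python
import re
from dataclasses import dataclass, field

# Real ESXi advanced option names referenced in the CVE-2024-37085 mitigations.
GROUP_SETTING = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
AUTO_ADD_SETTING = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"
DEFAULT_GROUP = "ESX Admins"

# Windows Security event IDs: security-enabled group created (4727 global,
# 4731 local, 4754 universal), global group changed/renamed (4737) and
# member added to a global group (4728).
GROUP_EVENT_IDS = {4727, 4731, 4754, 4737, 4728}


def normalize_group(name: str) -> str:
    """Comparison key: case-insensitive with collapsed whitespace (a defensive
    choice of this example, not documented ESXi matching behaviour)."""
    return re.sub(r"\s+", " ", name).strip().lower()


@dataclass
class HostFinding:
    host: str
    exposed: bool
    reasons: list = field(default_factory=list)


def assess_host(host: str, domain_joined: bool, settings: dict) -> HostFinding:
    """Decide whether a domain group can grant itself admin on this ESXi host.

    `settings` maps advanced-option name -> value string (assumed layout). A
    missing auto-add value is treated as "true", the pre-fix default."""
    reasons = []
    if not domain_joined:
        reasons.append("not domain-joined: AD group membership is never consulted")
        return HostFinding(host, False, reasons)
    auto_add = str(settings.get(AUTO_ADD_SETTING, "true")).strip().lower() == "true"
    group = settings.get(GROUP_SETTING, DEFAULT_GROUP)
    if not auto_add:
        reasons.append(f"{AUTO_ADD_SETTING} is false: no domain group is auto-granted admin")
        return HostFinding(host, False, reasons)
    reasons.append(f"{AUTO_ADD_SETTING} is true: members of '{group}' receive full admin")
    if normalize_group(group) == normalize_group(DEFAULT_GROUP):
        reasons.append("group name is the well-known default that attackers create")
    else:
        reasons.append("group name is non-default, but anyone who can create "
                       "that group in AD still gets admin")
    return HostFinding(host, True, reasons)


def find_group_events(events, watch_group: str = DEFAULT_GROUP):
    """Return Security events that create, rename or populate `watch_group`."""
    key = normalize_group(watch_group)
    return [ev for ev in events
            if ev.get("EventID") in GROUP_EVENT_IDS
            and normalize_group(ev.get("TargetUserName", "")) == key]


# Constructed sample data (not real hosts or log records).
SAMPLE_HOSTS = [
    ("esx01", True, {}),                                   # domain-joined, defaults untouched
    ("esx02", True, {AUTO_ADD_SETTING: "false"}),          # auto-grant disabled
    ("esx03", True, {GROUP_SETTING: "vSphere-Operators"}), # renamed group, still auto-granted
    ("esx04", False, {}),                                  # local accounts only
]
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    {"EventID": 4727, "TargetUserName": "Finance-Readers", "SubjectUserName": "hr-admin"},
    {"EventID": 4737, "TargetUserName": "esx  admins", "SubjectUserName": "jdoe"},  # rename, odd casing
    {"EventID": 4624, "TargetUserName": "ESX Admins", "SubjectUserName": "-"},       # logon, not a group event
]


def run_checks():
    findings = [assess_host(h, joined, s) for h, joined, s in SAMPLE_HOSTS]
    hits = find_group_events(SAMPLE_EVENTS)
    return findings, hits


if __name__ == "__main__":
    findings, hits = run_checks()
    for f in findings:
        print(f"{f.host}: {'EXPOSED' if f.exposed else 'ok'} - " + "; ".join(f.reasons))
    for ev in hits:
        print(f"ALERT event {ev['EventID']} on group '{ev['TargetUserName']}' "
              f"by {ev.get('SubjectUserName')}")
```

Note that esx03 is still reported as exposed: renaming the group narrows the attack to someone who knows the new name, but the hypervisor continues to hand out admin on the strength of a group name alone, so the durable fix is the patched build or disabling the automatic grant. On the detection side, the 4624 record is ignored on purpose; a logon by an account in the group is normal, whereas the group being created, renamed or populated outside a change window is the signal.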
The Broader Issue of Trust
This incident highlights a systemic failure across organizations to provide foolproof security. Whether it is Microsoft delaying patches or VMware (Broadcom) shipping vulnerabilities in its products, businesses cannot afford to rely solely on these vendors for security. The evidence is clear: every organization is susceptible to errors that put your business at risk.
Amit Yoran, CEO of Tenable, has heavily criticized Microsoft's security practices. He stated:
"Microsoft’s lack of transparency applies to breaches, irresponsible security practices, and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about".
This critique points to a broader issue of delayed responses and insufficient transparency, which are not isolated incidents but part of a recurring pattern.
US Senator Ron Wyden has also called Microsoft "negligent" in its response to security breaches, urging the Justice Department to investigate the company's practices. This sentiment underscores the broader concern regarding Microsoft's approach to cybersecurity and the perceived negligence in their practices.
The Case for Zero-Trust Security
Considering these challenges, the implementation of a zero-trust security model is imperative. Zero-trust means not inherently trusting any entity—internal or external. This model ensures that every access attempt is verified, significantly reducing the risk of unauthorized access, and mitigating the impact of hidden vulnerabilities in trusted software. Next-generation cybersecurity software solutions enable enterprises and governments to adopt this model easily and affordably.
One example is Abatis, a kernel-level filter that complements all antivirus and EDR/XDR solutions. Abatis is entirely vendor-agnostic, seamlessly integrating with existing cybersecurity products without causing complications or adding latency.
Cybersecurity Zero-Trust Model as a Soccer Strategy
In soccer, a well-coordinated defense doesn't rely on any single player to prevent the opposing team from scoring. Instead, every player, regardless of their position, continuously verifies and challenges any opponent who tries to advance towards the goal. Defenders act as firewalls and gateways, scrutinizing and intercepting incoming threats. Midfielders play a versatile role, akin to access control systems and continuous monitoring, ensuring that even if an attacker bypasses the initial defences, their movements are constantly scrutinized and restricted. The goalkeeper represents critical security systems, providing a final layer of protection against breaches.
Abatis, in this analogy, functions as the sweeper (libero). Positioned behind the main defensive line but ahead of the goalkeeper, the sweeper is responsible for "sweeping" up any threats that penetrate the initial defences. Abatis ensures that no unauthorized changes occur on endpoints, effectively intercepting and neutralizing threats before they reach critical systems. This specialized role underscores the importance of comprehensive coverage and stringent control in maintaining robust cybersecurity, reflecting the core principles of a zero-trust security model.
Ownership of Risk
Ultimately, businesses must acknowledge that they own their risk. Relying on vendors, no matter how reputable, exposes them to potential failures that can have devastating consequences. Suing the vendor after a breach, as seen in cases involving companies like CrowdStrike, provides little solace if your business is destroyed, and your reputation is in tatters. Implementing zero-trust security is a proactive step to protect your business, ensuring that no single point of failure can jeopardize your operations.
By enforcing zero-trust security, businesses can better safeguard their operations and avoid becoming the next victim of cyber exploits. The time to act is now, before another vulnerability leads to widespread disruption and financial loss.
Impact on Businesses
The repercussions of these vulnerabilities are vast. In recent years, security failures involving Microsoft have led to significant breaches affecting thousands of businesses globally. Notable incidents include:
Exchange Server Vulnerabilities (March 2021): A set of zero-day vulnerabilities in on-premises Microsoft Exchange Server, collectively known as ProxyLogon, were exploited in the wild. An estimated 60,000 organizations worldwide were compromised, allowing attackers to read email, deploy web shells and other malware, and maintain long-term access to affected networks.
SolarWinds Supply-Chain Attack (December 2020): Microsoft was one of the many victims. The attackers inserted a backdoor into signed updates of SolarWinds' Orion software, and organizations that installed the trojanized build, Microsoft among them, gave the attackers a foothold in their internal networks, with the potential for downstream exposure of their customers.
Microsoft Customer Support Database Leak (January 2020): Over 250 million customer support records were exposed through a misconfigured internal database that was reachable without a password. The records included personally identifiable information and support case details, posing a significant risk to affected customers.
Outlook.com Incident (April 2019): Attackers obtained a Microsoft customer support agent's credentials, which gave them access to users' webmail accounts for roughly three months. The breach exposed email addresses, subject lines and folder names for affected Outlook.com, MSN and Hotmail users.
And most recently the Azure account breach (2024), in which hundreds of executive accounts were compromised, leading to a major leak of user data.
Additional Incidents further illustrate these systemic issues:
Azure Outage (July 18, 2024): A significant outage affected Microsoft's cloud services, including Azure, disrupting customers in a range of sectors.
CrowdStrike Update Failure (July 19, 2024): A faulty CrowdStrike Falcon sensor update caused widespread Blue Screen of Death (BSOD) crashes on millions of Windows devices, disrupting services globally. Although separate from the Azure outage of the previous day, it compounded the disruption to Windows-based systems worldwide.
Numerous Past Breaches: Microsoft’s poor security practices have previously been blamed for breaches by Russian and Chinese hackers, who accessed sensitive emails from US government officials.
These failures highlight the importance of implementing a zero-trust security model, where no changes on endpoints are permitted without strict verification. This approach can prevent unauthorized access and mitigate the risks associated with hidden vulnerabilities in trusted software.
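What "no changes on endpoints without strict verification" means in practice is a default-deny allowlist: a binary runs only if its resolved path is approved and its bytes still match the hash taken at approval time. The script below is an added example written for this article to make that rule concrete; it is not Abatis code and does not describe how Abatis or any other product implements the control. The file names, contents and manifest layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    path: str
    allowed: bool
    reason: str


def sha256_of(path: str) -> str:
    """Hash file contents in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(approved_paths) -> dict:
    """Approve binaries by resolved path AND content hash, taken at approval time."""
    return {os.path.realpath(p): sha256_of(p) for p in approved_paths}


def check_execution(path: str, manifest: dict) -> Decision:
    """Default deny: unknown path -> deny; known path whose bytes changed -> deny."""
    resolved = os.path.realpath(path)  # a symlink is judged by what it points at
    expected = manifest.get(resolved)
    if expected is None:
        return Decision(resolved, False, "not in allowlist (default deny)")
    try:
        actual = sha256_of(resolved)
    except OSError as exc:
        return Decision(resolved, False, f"unreadable: {exc}")
    if not hmac.compare_digest(actual, expected):
        return Decision(resolved, False, "contents differ from approved hash")
    return Decision(resolved, True, "hash matches allowlist")


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> list:
    """Three scenarios on constructed files; returns the Decision for each."""
    with tempfile.TemporaryDirectory() as workdir:
        agent = os.path.join(workdir, "backup-agent")
        _write(agent, b"#!/bin/sh\necho 'nightly backup'\n")
        manifest = build_manifest([agent])

        approved = check_execution(agent, manifest)
        # Attacker overwrites the approved binary in place: same path, new bytes.
        _write(agent, b"#!/bin/sh\necho 'encrypting volumes'\n")
        tampered = check_execution(agent, manifest)
        # A freshly dropped tool that was never approved at all.
        dropper = os.path.join(workdir, "update.exe")
        _write(dropper, b"MZ\x90\x00constructed-sample")
        unknown = check_execution(dropper, manifest)
        return [approved, tampered, unknown]


if __name__ == "__main__":
    for d in demo():
        print(f"{'ALLOW' if d.allowed else 'DENY '} {d.path}: {d.reason}")
```

Two caveats matter when reading this. First, a check performed in user space and then followed by a separate execute call leaves a time-of-check/time-of-use window, which is why production controls of this kind sit in the kernel at the execution hook, as the article says of Abatis and as Windows does with AppLocker and WDAC. Second, the manifest is now the crown jewel: whoever can write to it can approve anything, so it needs the same change control as the binaries it protects.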
The Path Forward: Zero-Trust Security
Considering these challenges, businesses must adopt a proactive cybersecurity strategy. A zero-trust model, like the one advocated by Abatis, ensures that every attempt to access resources is thoroughly verified, significantly reducing the risk of breaches. This model is essential for protecting critical infrastructure and sensitive data in an increasingly hostile cyber environment.