Don’t Get Shamoon’d by VDI Malware – Take These Steps Now

Scott Carlson, January 10th, 2017


Virtual Desktop Infrastructure (VDI) has regained prevalence in recent years as a cost-effective way to deliver application services to users within a company. VMware coined the term VDI, defining it as the practice of hosting a desktop operating system within a virtual machine (VM) running on a centralized server.

In the past few days, researchers have discovered a new type of malware that directly targets the infrastructure underneath virtual desktop solutions. Rather than merely causing destruction inside the VMs themselves, it goes after the layer that hosts them, and that is an attack that will be much harder to recover from if your company experiences an event which results in the full deletion of your entire infrastructure.

What’s the Risk?

If a company has converted fully to VDI, it may have gone so far as to remove all physical desktops from the user environment. A full VDI outage that took days to recover from would then mean an extreme loss of productivity, and possibly of revenue.

What can Prevent Malware like Shamoon?

What sorts of actions can you take to prevent malware such as Shamoon from impacting your underlying VDI infrastructure? The answer is very similar to the measures you would take to protect any other server infrastructure within your critical data center, namely:

  • Control administrative accounts and change any default passwords
  • Place a multi-factor jump-host in front of any administrative portal that allows access to the foundational infrastructure
  • Protect access to the underlying operating system as if it were one of your most critical, highest-availability assets. It should sit on its own dedicated network segment, with appropriate access controls at the network, jump-host, and operating-system layers
  • Remove administrative rights from any user who needs to log into the operating system, and allow only the VDI vendor's own programs to operate with privilege
  • Continue to run common antivirus and anti-malware solutions on your VDI infrastructure. Do not worry about the performance implications of these programs anymore, but be sure to pay close attention to temporary storage folders
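The checklist above can be turned into detection rules and run over management-plane login records from the hypervisors and brokers. The following is an added example and is not code from the original post or from BeyondTrust; the log format, host names, the jump-host subnet 10.10.50.0/24, and the account names are all constructed assumptions, so the parser should be adapted to whatever your platform actually emits.

```python
"""Audit VDI management-plane access events against the hardening checklist.

Added example, not code from the original post or from BeyondTrust. The log
format, host names, subnet and account names below are all constructed
assumptions; adapt the parser to whatever your hypervisor or broker emits.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the multi-factor jump-host segment is the only network from
# which administrative portals of the VDI foundation may be reached.
JUMPHOST_NET = ipaddress.ip_network("10.10.50.0/24")

# Vendor default account names that should not be used interactively once
# the environment has been hardened (constructed list).
DEFAULT_ACCOUNTS = {"root", "admin", "administrator"}

# Assumption: identities the VDI vendor's own agents run under; the only
# accounts permitted to hold elevated rights on the host operating system.
VENDOR_SERVICE_ACCOUNTS = {"svc-vdi-broker", "svc-vdi-agent"}

# Constructed sample of management-plane logins (key=value after a timestamp).
SAMPLE_LOG = """\
2017-01-10T08:02:11Z host=esx-vdi-01 user=j.doe src=10.10.50.12 mfa=yes elevated=no
2017-01-10T08:05:43Z host=esx-vdi-01 user=root src=192.168.4.77 mfa=no elevated=yes
2017-01-10T08:07:02Z host=ctx-ddc-02 user=svc-vdi-broker src=10.10.50.30 mfa=no elevated=yes
2017-01-10T08:09:15Z host=ctx-ddc-02 user=a.smith src=10.10.50.14 mfa=yes elevated=yes
"""


@dataclass
class AccessEvent:
    timestamp: str
    host: str       # hypervisor or broker that recorded the login
    account: str
    source_ip: str
    mfa: bool       # second factor presented during authentication
    elevated: bool  # session obtained administrative rights on the host OS


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line into an AccessEvent."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return AccessEvent(
        timestamp=timestamp,
        host=fields["host"],
        account=fields["user"],
        source_ip=fields["src"],
        mfa=fields["mfa"] == "yes",
        elevated=fields["elevated"] == "yes",
    )


def audit_event(ev: AccessEvent) -> list[str]:
    """Return one finding per checklist rule the event violates."""
    findings = []
    is_service = ev.account in VENDOR_SERVICE_ACCOUNTS
    # Rule: administrative portals sit behind the multi-factor jump host.
    if ipaddress.ip_address(ev.source_ip) not in JUMPHOST_NET:
        findings.append(f"{ev.host}: {ev.account} from {ev.source_ip} bypassed the jump-host segment")
    # Rule: interactive administrators must present a second factor.
    if not is_service and not ev.mfa:
        findings.append(f"{ev.host}: {ev.account} authenticated without MFA")
    # Rule: default accounts are disabled or renamed, never used directly.
    if ev.account.lower() in DEFAULT_ACCOUNTS:
        findings.append(f"{ev.host}: default account '{ev.account}' used interactively")
    # Rule: only the VDI vendor's own programs operate with privilege on the host OS.
    if ev.elevated and not is_service:
        findings.append(f"{ev.host}: {ev.account} obtained administrative rights on the host OS")
    return findings


def audit_log(text: str) -> list[str]:
    """Run every rule over every non-empty line of a log and collect findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(audit_event(parse_line(line)))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the `root` login from outside the jump-host segment trips four rules at once, while the `a.smith` session is flagged only for holding elevated rights, which is exactly the signal you want if personal accounts are supposed to run unprivileged on the host OS. Feeding real broker or hypervisor audit logs through the same rules gives a cheap, continuous check that the controls in the list are still in force.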

The last thing we want as security professionals is to impact an environment in a way that causes a full user outage or financial loss. Take these steps to stop these sorts of attacks.

BeyondTrust is developing a reference architecture for all of our products against Citrix just so that we can help you solve these problems. If you’d like to learn more, contact us today.