Don’t Get Shamoon’d by VDI Malware – Take These Steps Now

Scott Carlson, Technical Fellow
January 10th, 2017

Virtual Desktop Infrastructure (VDI) has regained prevalence in recent years as a cost-effective way to deliver application services to users within a company. VMware first coined the term VDI, defining it as the practice of hosting a desktop operating system within a virtual machine (VM) running on a centralized server.

In the past few days, researchers have discovered a new type of malware that directly targets the infrastructure underneath virtual desktop solutions. No longer content with causing destruction inside the VMs themselves, attackers appear to be moving on to the hosting layer, and an event that results in the full deletion of your entire infrastructure will be much harder to recover from.

What’s the Risk?

If a company has converted fully to VDI, it may have gone so far as to remove all physical desktops from the user environment. A full VDI outage that took days to recover from would mean an extreme loss of productivity, and possibly of revenue.

What can Prevent Malware like Shamoon?

What sorts of actions can you take to prevent malware such as Shamoon from impacting your underlying VDI infrastructure? The answer is very similar to what you would do to protect any other server infrastructure within your critical data center, namely:

  • Control administrative accounts and change any default passwords
  • Place a multi-factor jump-host in front of any administrative portal that allows access to the foundational infrastructure
  • Protect access to the underlying operating system as if it were one of your most critical, highest-availability assets. It should sit on its own dedicated network segment, with appropriate access controls at the network, at the jump host, and on the physical operating system itself
  • Remove administrative rights from any user who needs to log into the operating system and only allow those programs specifically from the VDI vendor to operate with privilege
  • Continue to run common antivirus and anti-malware solutions on your VDI infrastructure. Do not worry about performance implications of these programs anymore, but be sure to pay close attention to temporary storage folders
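The five steps above can be turned into a repeatable audit of the VDI management plane. The following is an added example, not BeyondTrust code and not tied to any particular VDI vendor: it checks a host inventory against each control (vendor-default and stale administrative credentials, an admin portal reachable only from an MFA-enforcing jump host, placement on a dedicated management segment, local admin rights limited to the vendor's own service accounts, and anti-malware coverage of temporary storage). The inventory schema, host names, addresses, account names, the 90-day rotation threshold and the temporary-folder paths are all constructed assumptions for illustration.

```python
"""Audit a VDI management-plane inventory against basic hardening controls.

Added example; the inventory format and all sample values are constructed.
"""
from __future__ import annotations

import ipaddress
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)          # assumed rotation policy
TODAY = date(2017, 1, 10)                      # fixed reference date for the sample
# Temporary folders that must be covered by scans (constructed paths).
REQUIRED_TEMP_PATHS = ("C:\\Windows\\Temp", "C:\\Users\\*\\AppData\\Local\\Temp")

# Constructed inventory: one non-compliant host and one compliant host.
INVENTORY = {
    "jump_host": {"address": "10.50.0.10", "mfa": True},
    "management_segment": "10.50.0.0/24",
    "hosts": [
        {
            "name": "vdi-host-01",
            "address": "10.60.0.21",                       # wrong segment
            "admin_portal_allowed_sources": ["10.50.0.10/32", "10.0.0.0/8"],
            "admin_accounts": [
                {"user": "root", "vendor_default": False, "last_change": "2016-12-01"},
                {"user": "vdiadmin", "vendor_default": True, "last_change": "2015-03-14"},
            ],
            "local_admin_users": ["vdiadmin", "jsmith"],
            "privileged_service_accounts": ["vdiadmin"],   # the VDI vendor's own agent
            "antimalware_installed": True,
            "antimalware_scanned_paths": ["C:\\Windows\\Temp"],
        },
        {
            "name": "vdi-host-02",
            "address": "10.50.0.22",
            "admin_portal_allowed_sources": ["10.50.0.10/32"],
            "admin_accounts": [
                {"user": "root", "vendor_default": False, "last_change": "2016-11-20"},
            ],
            "local_admin_users": ["vdiadmin"],
            "privileged_service_accounts": ["vdiadmin"],
            "antimalware_installed": True,
            "antimalware_scanned_paths": list(REQUIRED_TEMP_PATHS),
        },
    ],
}


def audit_host(host: dict, jump_host: dict, segment: str, today: date) -> list[tuple[str, str, str]]:
    """Return (host, control, detail) findings for one hypervisor/VDI host."""
    findings = []
    name = host["name"]
    mgmt_net = ipaddress.ip_network(segment)
    jump_ip = ipaddress.ip_address(jump_host["address"])

    # Control 1: administrative accounts carry no vendor defaults and are rotated.
    for acct in host["admin_accounts"]:
        if acct["vendor_default"]:
            findings.append((name, "default-credentials", f"{acct['user']} still uses the vendor default password"))
        age = today - date.fromisoformat(acct["last_change"])
        if age > MAX_PASSWORD_AGE:
            findings.append((name, "stale-credentials", f"{acct['user']} password is {age.days} days old"))

    # Control 2: the admin portal is reachable only from a single MFA-enforcing jump host.
    if not jump_host["mfa"]:
        findings.append((name, "jump-host-mfa", "jump host does not enforce multi-factor authentication"))
    for src in host["admin_portal_allowed_sources"]:
        src_net = ipaddress.ip_network(src, strict=False)
        if not (src_net.num_addresses == 1 and jump_ip in src_net):
            findings.append((name, "portal-exposure", f"admin portal reachable from {src}, not only the jump host"))

    # Control 3: the host operating system lives on the dedicated management segment.
    if ipaddress.ip_address(host["address"]) not in mgmt_net:
        findings.append((name, "segmentation", f"{host['address']} is outside management segment {segment}"))

    # Control 4: only the VDI vendor's service accounts hold local administrative rights.
    for user in sorted(set(host["local_admin_users"]) - set(host["privileged_service_accounts"])):
        findings.append((name, "excess-privilege", f"{user} holds local admin rights but is not a vendor service account"))

    # Control 5: anti-malware is present and its scans cover temporary storage.
    if not host["antimalware_installed"]:
        findings.append((name, "no-antimalware", "no anti-malware agent installed"))
    else:
        scanned = {p.lower() for p in host["antimalware_scanned_paths"]}
        for path in REQUIRED_TEMP_PATHS:
            if path.lower() not in scanned:
                findings.append((name, "temp-not-scanned", f"{path} is not covered by anti-malware scans"))
    return findings


def audit(inventory: dict, today: date) -> list[tuple[str, str, str]]:
    """Audit every host in the inventory; an empty list means all controls pass."""
    out = []
    for host in inventory["hosts"]:
        out.extend(audit_host(host, inventory["jump_host"], inventory["management_segment"], today))
    return out


if __name__ == "__main__":
    for host, control, detail in audit(INVENTORY, TODAY):
        print(f"{host}: [{control}] {detail}")
```

Run against the constructed inventory, the audit reports six findings for vdi-host-01 and none for vdi-host-02. The portal check deliberately treats anything wider than the jump host's own /32 as exposure, since a broad allow-list quietly defeats the point of the jump host.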

The last thing we want as security professionals is to impact an environment in a way that causes a full user outage or financial loss. Take these steps to stop these sorts of attacks.

BeyondTrust is developing a reference architecture for all of our products against Citrix just so that we can help you solve these problems. If you’d like to learn more, contact us today.

Scott Carlson, Technical Fellow

As Technical Fellow, Scott Carlson brings internal technical leadership to BeyondTrust, strategic guidance to our customers, and evangelism to the broader IT security community. He also plays a key role in developing innovative relationships between BeyondTrust and its technical alliance partners. Scott has over 20 years of experience in the banking, education and payment sectors, where his focus areas have included information security, data centers, cloud, virtualization, and systems architecture. He is also a noted thought leader, speaker and contributor to RSA Conference, OpenStack Foundation, Information Week and other industry institutions. Prior to joining BeyondTrust, Scott served as Director of Information Security Strategy & Integration with PayPal, where he created and executed security strategy for infrastructure across all PayPal properties, including worldwide data centers, office networks, and public cloud deployments. He led several cross-departmental teams to deliver information security strategy, technical architecture, and strategic solutions across enterprise IT environments. As a member of the office of the CISO, CTO and CIO, Scott spoke on behalf of the company at global conferences. In addition, he was responsible for infrastructure budget management, vendor management, and product selection, while also serving as the cloud security strategist for private OpenStack cloud and public cloud (AWS, GCP, Azure). Prior to PayPal, Scott held similar roles with Apollo Education Group and Charles Schwab.