Last year, Citrix XenServer and Bitdefender Hypervisor Introspection prevented WannaCry by blocking EternalBlue, and we’ve done it again with the recent zero-day Flash vulnerability.

Adobe recently published an advisory outlining a Flash vulnerability found in the wild. The hackers embedded a malicious Flash object in a Microsoft Excel document, which they distributed via email. Once the curious victims opened the Excel file, the exploit executed and downloaded a payload that gave the hackers remote access to their systems. Ouch! The Flash Player vulnerability was used to infiltrate organizations in South Korea, Japan, the Middle East, and other parts of Asia.

How did we help? Citrix and Bitdefender realized the hypervisor offered untapped security potential; we partnered to develop Hypervisor Introspection (HVI), released just over a year ago. HVI works by watching the memory of running VMs to detect and block exploits in real time. Antivirus (AV) solutions attempt to detect the hundreds of millions of malware variants, which is why AVs need constant, even hourly, updating, whereas HVI detects the handful of attack techniques — buffer overflows, API hooking, code injections, heap sprays, etc. — that hackers use to remotely gain a foothold in your systems. HVI is the only agentless solution on the market to take this approach effectively and in real time.

Why is this important? Hackers often figure out your systems’ vulnerabilities before software vendors do. The term “zero-day” refers to the day a vulnerability or exploit is discovered. The reality is that the vulnerability existed in the wild long before the security industry or your software vendor realized it.

Conceptually, there are four stages of a vulnerability: the vulnerability exists, the vulnerability is discovered, the vendor releases a patch, and the customer applies the patch. Hypervisor Introspection provides protection at all four stages. Interestingly, the previous WannaCry infection was not even a zero-day exploit. EternalBlue was a zero-day vulnerability, but at the time WannaCry hit, the EternalBlue patch had been out for a few months. WannaCry spread to 185,000 systems in more than 100 countries in just 24 hours by infecting unpatched systems.

Wouldn’t you want a security layer that could safeguard not only against zero-day attacks, but also against unknown threats — even while your systems are unpatched?

That’s exactly what HVI provides. Watch this video to see how we proved once again that Hypervisor Introspection is able to safeguard against unknown threats, as HVI was able to detect and block the recent Flash zero-day exploit, without any updates.

Additionally, many companies continue to run Windows Server 2003, which is now End of Life (EoL). As Microsoft is no longer releasing patches for Server 2003 — including the EternalBlue patch — using Hypervisor Introspection is a great way to add an additional layer of security to your unpatched Server 2003 workloads.

Another important thing to note — HVI is truly agentless. Hypervisor Introspection operates at the hypervisor level with absolutely zero footprint inside of the virtual machines. HVI’s outside-in approach not only gives it full visibility of what is going on inside the VM, but also eliminates the potential for HVI to be compromised by advanced malware.

Check out this customer story from Kansas Development Finance Authority about how they use Citrix XenServer and Bitdefender Hypervisor Introspection to protect not only their XenApp and XenDesktop deployment, but also their entire virtual infrastructure.

Citrix has really taken on the initiative of providing the most secure virtual computing platform on the market. — Jeff Kater, Director of IT at Kansas Development Finance Authority

You can also find more details in the blog from Bitdefender on how Hypervisor Introspection prevented this most recent zero-day exploit.

Visit to obtain a free 90-day trial of XenServer Enterprise Edition, and visit to request a demo of Hypervisor Introspection.

Attending RSA next week? Stop by Citrix booth #1515 South Expo.