
How Hackers Compromise Virtual Desktop Infrastructure

Brad LaPorte
03 Dec 2024
5 min read
Advanced Threat Defense

How do you steal something that doesn’t exist? That’s the thinking behind the widespread fallacy that virtual desktop infrastructure (VDI) is more secure than physical desktops.

People assume that when a desktop session runs in a virtual environment, it’s somehow untouchable. Even if hackers wanted to launch a virtual desktop attack, the thinking goes, it would have no place to originate or propagate. Therefore, hackers wouldn’t even bother targeting virtual machines.

It’s a comforting notion. Unfortunately, it’s entirely incorrect.

The Hard Truth About VDI Security

Partly due to misleading marketing messages and partly due to wishful thinking, many users believe VDI offers much stronger security than it actually does. Common misconceptions include that hackers can’t launch an attack into a virtual session because there is no local storage, and that ending a session in a non-persistent VDI wipes out any threat present in that session. There’s a kernel of truth in both assumptions, but that’s all.

Virtual sessions may not have local storage, but they still have abundant entry points. Should a hacker gain access to a virtual session, it’s a short jump to servers full of critical data and apps. The virtual desktop infrastructure has little value as an endpoint but tremendous value as a starting point for lateral movement.

Ending a session won’t help, either. Attackers have learned to establish persistence in the parts of the environment that survive a session reset. In a non-persistent deployment the desktop itself is rebuilt from a golden image, but the user profile (a roaming profile or a profile container), logon scripts, and the network shares the session maps are retained, so anything planted there is restored into each new session. Companies have deployed VDI at scale in recent years, yet many deployments have configuration gaps that make it even easier to persist and exfiltrate data at will.
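A practical check for the persistence problem described above, added here as an example and not taken from the original article or from Morphisec: the script enumerates the user-scoped autostart locations that roam with a Windows profile (the HKCU Run and RunOnce keys and the per-user Startup folder) and flags any entry that is not on a baseline, along with the Authenticode status of the program it launches. The `$Baseline` list is a constructed placeholder; replace it with the value names your golden image legitimately creates. It deliberately covers only profile-scoped locations, so persistence baked into the golden image or into a domain logon script needs a separate check.

```powershell
# Added example (not part of the original article). Run inside the VDI
# session as the user being checked. Lists autostart entries that live in
# the roaming profile and therefore come back after a non-persistent reset.

# Hypothetical known-good value names; replace with what your image creates.
$Baseline = @('OneDrive', 'MicrosoftEdgeAutoLaunch')

# Registry-provider metadata properties that Get-ItemProperty adds; not autostart values.
$ProviderNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Expand %APPDATA% and friends, then take the quoted path or the first token.
    # (An unquoted path containing spaces is ambiguous; the first token is a best effort.)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-ProfileAutostarts {
    $entries = @()
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderNoise -contains $p.Name) { continue }
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Per-user Startup folder: every file here runs at logon and roams with the profile.
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
        $entries += [pscustomobject]@{ Source = $startup; Name = $_.Name; Command = $_.FullName }
    }
    return $entries
}

# Report anything outside the baseline, with the signature status of its target.
Get-ProfileAutostarts | Where-Object { $Baseline -notcontains $_.Name } | ForEach-Object {
    $exe = Get-ExecutablePath $_.Command
    $status = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).Status   # 'Valid', 'NotSigned', 'HashMismatch', ...
    } else {
        'FileMissing'                                       # target deleted or path parsing failed
    }
    [pscustomobject]@{
        Source    = $_.Source
        Name      = $_.Name
        Command   = $_.Command
        Signature = $status
    }
} | Format-Table -AutoSize
```

An unsigned binary under `%APPDATA%` or `%LOCALAPPDATA%` that reappears after a fresh session is the pattern to look for: the image was rebuilt, but the profile that carried the entry was not. Run the same check against the profile container offline (mounted on an admin host) if you do not want to execute it from inside a session you suspect is compromised.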

Making matters worse, unrealistic expectations about VDI security mean many companies rely exclusively on protections around the host server. Consequently, the sessions themselves are left alone in the wild, without endpoint protection in place, and once an attacker is inside a session it’s already too late.

The hard truth about VDI security is that it doesn’t deter hackers. On the contrary, it attracts bad actors looking for an easy target.

Ways to Attack a Virtual Desktop

From a hacker’s perspective, virtual desktops are no different from their physical counterparts: any attack that works on one works on the other. That includes a whole arsenal of attacks: infostealers, banking Trojans, keyloggers, screen scraping, password recording, and many more. Virtual desktops may be distinct in terms of mobility and accessibility. In terms of security, however, they’re basically like all desktops: under attack from all sides.

To illustrate how agnostic hackers are when it comes to targeting desktops, consider zero-day attacks that exploit flaws the developers overlooked. The flaw in an application is the same whether that application runs on a physical or a virtual desktop. Being virtual doesn’t provide any defense at all.

The same is true for phishing, still one of the most common and successful ways adversaries achieve Initial Access on a network. A malicious link in a phishing email looks identical on a virtual or physical desktop. What happens after the click might differ, but the point is that a newer technology like VDI provides no immunity, or even modest protection, against cyberattacks, including those that have existed for decades.

If a VDI session is compromised, it can expose an organization to a variety of threats, including malware, insider abuse and ransomware.

A Realistic Approach to VDI Security

Understanding the flaws in VDI security is an important first step, but the hard work comes next: securing every virtual session without inflating the resources dedicated to cybersecurity to an unsustainable level.

With conventional endpoint tooling, that is hard to do. VDIs face the same kinds of threats as physical desktops, but they don’t have the same defensive posture. Antivirus signature updates and scheduled scans that fire at the same time across dozens of virtual desktops on a single host (the familiar “AV storm”) degrade VDI performance, creating tension between the accessibility of virtual machines (their best feature) and the security they require in a dangerous digital environment. Likewise, deploying an endpoint detection and response platform to every session risks network and host strain from constant telemetry collection and monitoring.

Those sessions don’t necessarily need that tooling, though. Automated Moving Target Defense (AMTD) takes a different approach to VDI security. In the simplest terms, it doesn’t try to stop every technique an adversary might use in an attack, because that would be futile.

Instead, AMTD applies evasive maneuvers to application memory, blocking many of the techniques an attacker relies on for Initial Access, Lateral Movement, Privilege Escalation, and more. Not only is this approach more effective than existing methods of VDI security, it’s also more efficient.

Stopping Undetectable Attacks with Preemptive Cyber Defense 

Detection-based approaches can’t stop attacks they have no signature or behavioral model for, and those are the attacks now targeting VDI. Until recently, true threat prevention has been hard to achieve. As security leaders adopt holistic and progressive cyber strategies they’re turning to preemptive cyber defense, an approach underpinned by the ability to anticipate and act against potential threats before they occur. Gartner recognizes AMTD as an innovative technology that enables preemptive cyber defense.

Powered by AMTD, Morphisec’s Anti-Ransomware Assurance Suite offers a flexible, layered approach with Adaptive Exposure Management, Infiltration Protection, Impact Protection and Incident Response Services. 

If you rely on VDI (especially to enable remote work), it’s time to consider preemptive cyber defense to protect your infrastructure from ever-evolving and sophisticated threats.

About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak, both industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation for cybersecurity solutions years ahead of their time.
