My cyberattack hell: How a ‘VM threat’ spiralled into exec’s worst nightmare

  • Cyber threats are often buried deep in systems that most organizations overlook.

  • BOXX's Jack Brooks explained that companies are focusing on the wrong layers of their infrastructure, leaving foundational components vulnerable to catastrophic breaches.

  • Brooks warns companies that no matter how sure or safe they think their systems are, they should take the extra precaution.

The vital steps to take when your company is hit by a cyberattack – and why you should NEVER disconnect

As Ginni Rometty, former CEO of IBM, once quipped, cybercrime is the single biggest threat to every company on Earth. And billionaire businessman Warren Buffett went even further, adding that cyberattacks are the number one problem facing mankind – even worse than nuclear weapons.

For every advantage that AI and cyber technology gives organizations and society at large, it offers the same “leg up” to fraudsters – criminals who are becoming ever more sophisticated in their crimes. And when it comes to cyber risks in virtual environments, such as virtual machines (VMs), these threats are often buried deep in systems that most organizations overlook.

In a recent interview with Insurance Business, Jack Brooks, head of Hackbusters and virtual Chief Information Security Officer (vCISO) at BOXX Insurance, was unambiguous about the challenge: companies are focusing on the wrong layers of their infrastructure, leaving foundational components vulnerable to silent, catastrophic breaches.

“There’s a number of ways that [VMs] can be compromised,” Brooks explained. “Where a VM or a virtual machine is different than a regular server… you also need an underlying VM operating system – such as VMware.”

Many organizations assume their security measures are sufficient because their virtual machines appear normal on the surface. That assumption can be costly. As Brooks clarified, there are two different places where an attacker can compromise a VM. If the attacker targets a specific virtual machine, the warning signs can be familiar – you’ll see things such as files being modified or encrypted and high resource utilization on those servers.

But the more serious compromise – one targeting the host operating system – is far stealthier.

“What we’ve seen when the virtual machine host or operating system is compromised,” Brooks added, “a lot of that high utilization, or your typical indicators, are masked.” Because the host OS isn’t directly used or closely monitored by most teams, standard alerts don’t fire, and anomalies go undetected.

That lack of visibility becomes even more dangerous when paired with basic maintenance failures.

“We’ve seen cases where the host operating system has been compromised because patching hasn’t been performed,” Brooks added.

VM host operating systems frequently remain unpatched due to a mix of operational, organizational, and psychological barriers. Patching typically requires a reboot, which means taking all hosted VMs offline – a disruptive and often unacceptable trade-off for uptime-sensitive environments.

Ownership ambiguity also plays a role. As Brooks explained, it’s not always clear who is responsible for those updates – IT, the application team, the cloud provider, or an MSP. This leads to assumptions and inaction. Without a centralized patch management strategy, updates are often left to manual processes, increasing the chance they’ll be delayed or forgotten.

Fear is another factor. Updates can create situations where systems stop working properly, Brooks told IB – describing a common ‘if it ain’t broke, don’t fix it’ mentality. In many cases, teams rely on VM snapshots as a safety net, but this can breed complacency. And because host OSs typically require little day-to-day interaction, they often fall out of sight and off the priority list.

And all of these threatening possibilities sadly materialized recently for a quartet of CEO sisters who own a Canadian wellness organization[1], when their VM system was hacked by an outside threat.

Hatice Demir, head of IT and the tech-minded middle sister, was known for being meticulous. She made sure backups existed in two places, ran regular system checks, and trained her team to be vigilant. Hatice’s team never missed a Windows update on their physical machines – but they missed patching the virtual machine’s operating system. It’s a common blind spot that allowed hackers to quietly exploit the unpatched virtual machine.

Hatice’s team noticed strange activity and tried to contain the breach on their own, but the attackers proved stubborn and elusive. When it became clear they couldn’t solve the threat on their own, the sisters reached out to BOXX Insurance, and Brooks – BOXX’s virtual Chief Information Security Officer – did the rest. The Hackbusters got to work. They secured the network, kicked the attackers out, and started recovery. Within 36 hours, they had 80% of the wellness company’s operations back online.

And the sisters’ response was exactly what Brooks would recommend. As Brooks told IB, to address any VM risks, organizations should:

  • Maintain an up-to-date inventory of all VMs and host OSs, with clear ownership assignments.
  • Run vulnerability scans that include host systems.
  • Use centralized, automated patching solutions with escalation alerts.
  • Create dedicated patch windows and enforce exception approvals at a senior level.
  • Establish governance mechanisms that track patching and flag any gaps.
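The inventory, scan-coverage and gap-tracking points above can be turned into a routine check. The Python below is an added example, not code from the article or from BOXX; it runs the same ownership, patch-age and scan-scope rules over hypervisor hosts as over guests, so the host layer cannot quietly drop out of the process. Every asset name, owner and date in it is constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Asset:
    name: str
    kind: str                     # "host" (hypervisor OS) or "vm" (guest)
    owner: Optional[str]          # team accountable for patching; None if unassigned
    last_patched: Optional[date]  # None if no patch record exists
    in_scan_scope: bool           # included in vulnerability scans?
    host: Optional[str] = None    # for a vm: the hypervisor it runs on


# Constructed sample inventory: two hypervisor hosts and three guests.
INVENTORY = [
    Asset("esx-01", "host", "infra", date(2024, 9, 2), True),
    Asset("esx-02", "host", None, None, False),
    Asset("web-01", "vm", "apps", date(2025, 1, 6), True, host="esx-01"),
    Asset("db-01", "vm", "apps", date(2025, 1, 6), True, host="esx-02"),
    Asset("legacy-01", "vm", "apps", date(2025, 1, 3), True, host="esx-99"),
]
AS_OF = date(2025, 1, 14)  # constructed audit date


def audit(inventory, as_of, max_age_days=30):
    """Return (asset name, gap description) pairs for every governance gap.

    Hosts and guests are checked with identical rules; a guest whose host is
    not in the inventory is flagged too, since that host is unowned by definition.
    """
    known_hosts = {a.name for a in inventory if a.kind == "host"}
    cutoff = as_of - timedelta(days=max_age_days)
    gaps = []
    for a in inventory:
        if a.owner is None:
            gaps.append((a.name, "no owner assigned"))
        if a.last_patched is None:
            gaps.append((a.name, "never patched"))
        elif a.last_patched < cutoff:
            overdue = (cutoff - a.last_patched).days
            gaps.append((a.name, f"patch overdue by {overdue} days"))
        if not a.in_scan_scope:
            gaps.append((a.name, "not in vulnerability scan scope"))
        if a.kind == "vm" and a.host not in known_hosts:
            gaps.append((a.name, f"runs on unknown host {a.host!r}"))
    return gaps


if __name__ == "__main__":
    for name, gap in audit(INVENTORY, AS_OF):
        print(f"{name}: {gap}")
```

In the sample data the guests look healthy while both hypervisors would be flagged, which is the blind spot the article describes.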

For organizations which think they’re immune to attacks, Brooks offers a stark warning. “No matter how sure or safe you think your systems are, take the extra precaution – it can save a lot of pain and suffering.”

About BOXX Insurance

BOXX Insurance Inc. helps businesses, individuals and families insure and defend against cyber threats. Privately-held with headquarters in Canada, BOXX has global offices in Toronto, Miami, Zurich, Dubai and Mumbai.

BOXX Insurance is an award-winning global cyber protection and insurance provider. We're not a typical company. That's by design. We're serious about making the world a digitally safer place; creating real, positive changes for our clients and partners, and building a lasting legacy, from what we create, inside the BOXX.

Every day we're improving the digital health of businesses, families and individuals around the world who rely on BOXX's solutions and services to predict, prevent and insure them against cyber threats.

Media Contact:

Sarah Madden, Growth Marketing & Communications Lead
news@boxxinsurance.com
