VMware virtualization software is being hijacked to spy on businesses
Criminals have compromised VMware's ESXi hypervisors and gained access to the virtual machines running on them, meaning they can spy on the companies using that hardware without those companies ever knowing they are being watched.
The warning was issued by cyber threat intelligence firm Mandiant, along with virtualization firm VMware.
According to the two companies, unknown threat actors with possible ties to China installed two malicious programs on bare-metal hypervisors using vSphere Installation Bundles (VIBs). The researchers named them VirtualPita and VirtualPie ("pita" also means "pie" in some Slavic languages). In addition, they discovered a unique malware dropper called VirtualGate.
No vulnerability
It is important to note that the attackers did not find a zero-day or exploit any other known vulnerability. Instead, they used administrator-level access to the ESXi hypervisors to install their tools.
Speaking with Wired, VMware said that "While there is no question of a VMware vulnerability, we emphasize the need for strong operational security practices, including secure credential management and network security."
VMware also said it has prepared a hardening guide for administrators of VMware installations that should help protect them from this type of attack.
The threat actor is tracked as UNC3886. The researchers say that while it shows some signs of being a China-based group (it targets the same victims as some other Chinese groups, and there are certain similarities between its malware code and other known malicious programs), they cannot confirm with absolute certainty that this is the case.
The attack allows the threat actors to maintain persistent admin access to the hypervisor, send commands to the endpoint that are routed to a guest VM for execution, move files between the ESXi hypervisor and the guest machines running under it, tamper with the logging services on the hypervisor, and execute arbitrary commands from one guest VM on another guest VM, as long as both are on the same hypervisor.
Via: Wired