Criminals have managed to compromise VMware’s ESXi hypervisors and gain access to countless virtual machines, meaning they can spy on numerous businesses using the hardware without those businesses ever knowing they’re being spied upon.
The warning was given out by cyber threat intelligence firm Mandiant, together with virtualization firm VMware.
According to the two companies, unknown threat actors with possible ties to China, installed two malicious programs on bare-metal hypervisors, using vSphere Installation Bundles. They named them VirtualPita and VirtualPie (“Pita” also means “pie” in some Slavic languages). Furthermore, they discovered a unique malware/dropper dubbed VirtualGate.
What’s important to note is that the attackers did not find a zero-day, or exploit a different, known vulnerability. Instead, they used admin-level access to the ESXi hypervisors to install their tools.
Speaking to WIRED, VMware said that “while there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include secure credential management and network security.”
VMware also said it prepared a “hardening” guide for VMware setup admins, that should help them protect against this type of attack.
The threat actor is tracked as UNC3886. The researchers are saying that while it does show some signs of being a Chinese-based group (the victims are the same as for some other Chinese groups; there are certain similarities in the malware (opens in new tab) code and other known malicious programs), they can’t confirm, with absolute certainty, that that is the case.
The attack allows the threat actors to maintain persistent admin access to the hypervisor, send commands to the endpoint (opens in new tab) that will be routed to the guest VM for execution, steal files between the ESXi hypervisor and guest machines running underneath it, make changes to the logging services on the hypervisor, and execute arbitrary commands from one guest VM to another guest VM, as long as they’re on the same hypervisor.
Via: Wired (opens in new tab)