VMware virtualization software is being hijacked to spy on businesses

News
By Sead Fadilpašić
published

VMware’s ESXi hypervisors compromised, researchers warn

Inside Facebook data center
(Image credit: Facebook)

Criminals have managed to compromise VMware’s ESXi hypervisors and gain access to countless virtual machines, meaning they can spy on numerous businesses using the hardware without those businesses ever knowing they’re being spied upon.

The warning was given out by cyber threat intelligence firm Mandiant, together with virtualization firm VMware. 

According to the two companies, unknown threat actors with possible ties to China, installed two malicious programs on bare-metal hypervisors, using vSphere Installation Bundles. They named them VirtualPita and VirtualPie (“Pita” also means “pie” in some Slavic languages). Furthermore, they discovered a unique malware/dropper dubbed VirtualGate.

No vulnerability

What’s important to note is that the attackers did not find a zero-day, or exploit a different, known vulnerability. Instead, they used admin-level access to the ESXi hypervisors to install their tools. 

Speaking to WIRED, VMware said that “while there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include secure credential management and network security.”

VMware also said it prepared a “hardening” guide for VMware setup admins, that should help them protect against this type of attack. 

Read more

> Is it time to give KVM hypervisor a go?

> Citrix confirms its VM software will run Windows 11, eventually

We've rounded up the best virtual desktop services around

The threat actor is tracked as UNC3886. The researchers are saying that while it does show some signs of being a Chinese-based group (the victims are the same as for some other Chinese groups; there are certain similarities in the malware code and other known malicious programs), they can’t confirm, with absolute certainty, that that is the case. 

The attack allows the threat actors to maintain persistent admin access to the hypervisor, send commands to the endpoint that will be routed to the guest VM for execution, steal files between the ESXi hypervisor and guest machines running underneath it, make changes to the logging services on the hypervisor, and execute arbitrary commands from one guest VM to another guest VM, as long as they’re on the same hypervisor.

Via: Wired

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.