VMware virtualization software is hijacked to spy on businesses

Criminals have managed to compromise VMware's ESXi hypervisors and gain access to countless virtual machines, which means they can spy on many companies using the hardware without those companies knowing they are being spied on.

The warning was issued by cyber threat intelligence firm Mandiant, in conjunction with virtualization company VMware.

According to the two companies, unknown hackers with possible ties to China installed two malware programs on bare-metal hypervisors, delivered as vSphere installation packages. Mandiant named them VirtualPita and VirtualPie ("pita" also means "pie" in some Slavic languages). The researchers also found a separate, previously unseen malware dropper called VirtualGate.

No vulnerability

Importantly, the attackers did not use a zero-day or exploit any known vulnerability. Instead, they used administrator-level access to the ESXi hypervisors to install their tools.

Speaking with WIRED, VMware said that "while there are no VMware vulnerabilities involved, we emphasize the need for strong operational security practices including secure credential management and network security."

VMware also said it has prepared a "hardening" guide for VMware configuration administrators that should help protect them against this type of attack.
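Because the implants described above arrive as installation packages placed with legitimate administrator rights, one of the first checks a hardening or incident-response run can make is to enumerate the packages installed on each host and single out anything that is not plainly first-party. The script below is an added example, not code from the article, Mandiant or VMware: it parses a dump of the real `esxcli software vib list` command into records and ranks packages for review. The sample table is constructed for this example (its column headers mirror the command's output, but every row is invented), and the vendor strings treated as first-party are an assumption.

```python
"""Triage a dump of `esxcli software vib list` for packages that warrant review.

Added example, not code from the article, Mandiant or VMware. The sample
table below is constructed: column names follow the real command's output,
but the rows are invented.
"""
import re

SAMPLE_VIB_LIST = """\
Name                  Version                      Vendor   Acceptance Level    Install Date
--------------------  ---------------------------  -------  ------------------  ------------
esx-base              7.0.3-0.35.19193900          VMW      VMwareCertified     2022-02-10
tools-light           11.3.5.18557794-19193900     VMware   VMwareCertified     2022-02-10
vmkusb                0.1-1vmw.703.0.35.19193900   VMW      VMwareCertified     2022-02-10
acme-storage-plugin   2.4.1-1OEM.703.0.0.19193900  ACME     PartnerSupported    2022-02-10
sysmon-helper         1.0-1                        ExmplCo  PartnerSupported    2022-09-12
lab-tool              0.9-0                        unknown  CommunitySupported  2022-09-12
"""

# Assumption: the vendor strings VMware uses for its own packages.
FIRST_PARTY_VENDORS = {"VMW", "VMware"}
# Levels that carry a VMware signature; the lower levels are declared by the vendor.
FIRST_PARTY_LEVELS = {"VMwareCertified", "VMwareAccepted"}


def parse_vib_table(text):
    """Split the two-space-separated table into one dict per package row."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    records = []
    for line in lines[1:]:
        if set(line.strip()) <= {"-", " "}:  # skip the dashed separator row
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in row: {line!r}")
        records.append(dict(zip(header, fields)))
    return records


def triage_vibs(records, baseline_date="2022-02-10"):
    """Return (name, reasons) for every package that is not plainly first-party.

    Packages are ordered by how many independent reasons they raise, so a
    third-party package at a vendor-declared level installed after the host's
    build date sorts above a known OEM driver that shipped with the image.
    """
    findings = []
    for rec in records:
        reasons = []
        if rec["Vendor"] not in FIRST_PARTY_VENDORS:
            reasons.append(f"third-party vendor '{rec['Vendor']}'")
        if rec["Acceptance Level"] not in FIRST_PARTY_LEVELS:
            reasons.append(f"acceptance level {rec['Acceptance Level']} is vendor-declared")
        if rec["Install Date"] > baseline_date:  # ISO dates compare correctly as strings
            reasons.append(f"installed {rec['Install Date']}, after baseline {baseline_date}")
        if reasons:
            findings.append((rec["Name"], reasons))
    findings.sort(key=lambda item: -len(item[1]))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_vibs(parse_vib_table(SAMPLE_VIB_LIST)):
        print(f"{name}: " + "; ".join(reasons))
```

Run it against a saved copy of the command's output from each host, with `baseline_date` set to the date the host image was built. The acceptance level is declared inside the package itself, so treat the output as a review list rather than a verdict: confirm anything flagged against the host's own package signature verification and your change records.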

The threat actor is tracked as UNC3886. The researchers say that although it shows signs of belonging to a group based in China (its victims overlap with those of other Chinese groups, and there are similarities between the malicious code and other known malware), they cannot confirm with absolute certainty that this is the case.

The attack allows the threat actors to maintain persistent admin access to the hypervisor, send commands to the host that are routed to a guest VM for execution, transfer files between the ESXi hypervisor and the guest machines running under it, tamper with logging services on the hypervisor, and execute arbitrary commands from one guest VM to another, as long as both run on the same hypervisor.

Via: Wired