Hackers Are Hypervisor Hijacking in the wild now

For decades, virtualization software has offered a way to vastly multiply computers’ efficiency, hosting entire collections of computers as “virtual machines” on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical “hyperjacking” and “Blue Pill” attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of “hyperjacking” attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign. By planting their own code in victims’ so-called hypervisors—VMware software that runs on a physical computer to manage all the virtual machines it hosts—the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim’s virtual machines, the hackers’ trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

“The idea that you can compromise one machine and from there have the ability to control virtual machines en masse is huge,” says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only “side effects” of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system.

[…]

In a technical writeup, Mandiant describes how the hackers corrupted victims’ virtualization setups by installing a malicious version of VMware’s software installation bundle to replace the legitimate version. That allowed them to hide two different backdoors, which Mandiant calls VirtualPita and VirtualPie, in VMware’s hypervisor program known as ESXi. Those backdoors let the hackers surveil and run their own commands on virtual machines managed by the infected hypervisor. Mandiant notes that the hackers didn’t actually exploit any patchable vulnerability in VMware’s software, but instead used administrator-level access to the ESXi hypervisors to plant their spy tools. That admin access suggests that their virtualization hacking served as a persistence technique, allowing them to hide their espionage more effectively long-term after gaining initial access to the victims’ network through other means.

[…]

Source: Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying | WIRED

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com