Home Security New Malware Households Discovered Concentrating on VMware ESXi Hypervisors

New Malware Households Discovered Concentrating on VMware ESXi Hypervisors

by crpt os


Threat actors have been found deploying never-before-seen post-compromise implants in VMware’s virtualization software to seize control of infected systems and evade detection.

Google’s Mandiant threat intelligence division referred to it as a “novel malware ecosystem” that impacts VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access to the hypervisor as well as execute arbitrary commands.

The hyperjacking attacks, per the cybersecurity vendor, involved the use of malicious vSphere Installation Bundles (VIBs) to sneak in two implants, dubbed VIRTUALPITA and VIRTUALPIE, on the ESXi hypervisors.

CyberSecurity

“It is important to highlight that this is not an external remote code execution vulnerability; the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware,” Mandiant researchers Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore said in an exhaustive two-part report.

There is no evidence that a zero-day vulnerability was exploited to gain access to ESXi servers. That said, the use of trojanized VIBs, a software package format used to facilitate software distribution and virtual machine management, points to a new level of sophistication.

VMware ESXi Hypervisors

“This malware differs in that it supports remaining both persistent and covert, which is consistent with the goals of larger threat actors and APT groups who target strategic institutions with the intention of dwelling undetected for some time,” VMware disclosed.

While VIRTUALPITA comes with capabilities to execute commands as well as carry out file upload and download, VIRTUALPIE is a Python backdoor with support for command line execution, file transfer, and reverse shell features.

CyberSecurity

Also uncovered is a malware sample called VIRTUALGATE in Windows guest virtual machines, which is a C-based utility program that executes an embedded payload capable of using VMware’s virtual machine communication interface (VMCI) sockets to run commands on a guest virtual machine from a hypervisor host.

Mandiant also warned that the campaign’s techniques to get around traditional security controls by exploiting virtualization software represent a new attack surface that’s likely to be picked up by other hacker groups.

The attacks have been attributed to an uncategorized, emerging threat cluster codenamed UNC3886, whose motivation is likely to be espionage-driven considering the highly targeted nature of the intrusions. It further assessed with low confidence that UNC3886 has a China-nexus.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex