An unknown threat actor is going after VMware virtual systems to widely spread malware across multiple servers, Windows and Linux administrators are being warned.
The warning comes from Mandiant, which has discovered a novel malware ecosystem being leveraged to hit VMware ESXi, Linux vCenter servers, and Windows virtual machines by adding malicious VMware vSphere Installation Bundles (VIBs) that install multiple backdoors on the ESXi hypervisors.
However, the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware. So far Mandiant has no evidence of a zero-day vulnerability being used to gain initial access or deploy the malicious VIBs.
As a result, Mandiant and VMware are urging administrators to lock down their ESXi hypervisors by doing the following:
— when configuring networking on the ESXi hosts, only enable VMkernel network adapters on the isolated management network. Ensure that all dependent technologies such as vSANs and backup systems that the virtualization infrastructure will use are available on this isolated network;
— consider decoupling ESXi and vCenter Servers from Active Directory and use vCenter Single Sign-On. Removing ESXi and vCenter from Active Directory will prevent any compromised Active Directory accounts from being used to authenticate directly to the virtualization infrastructure;
— implement lockdown mode. This ensures that ESXi hosts can only be accessed through a vCenter Server, disables some services, and restricts some services to certain defined users;
— ensure all ESXi host and vCenter Server logs are being forwarded to the organization’s SIEM (security information and event management) solution.
More detail from Mandiant on hardening ESXi can be found here.
Mandiant suspects the new form of attack is one of the ways state-sponsored threat actors are trying to evade endpoint detection and response (EDR) tools, whose malware detection on Windows systems has improved. These tactics include attacking network appliances, SAN arrays and, now, VMware ESXi servers.
Taking over a hypervisor allows a hacker to send commands that will be routed to a guest virtual machine for execution, transfer files between the ESXi hypervisor and the guest machines running on it, tamper with logging services on the hypervisor, and execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor.
The vehicles this particular threat actor is using, malicious vSphere Installation Bundles, are collections of files designed to facilitate software distribution and virtual system management. Since ESXi utilizes an in-memory file system, Mandiant notes, file edits are not saved across reboots. A VIB package can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine. These packages are generally utilized by administrators to deploy updates and maintain systems. This attacker is leveraging the packages as a persistence mechanism to maintain access across ESXi hypervisors.
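Because the persistence described above rides on VIBs that were added outside the normal update path, one defender-side check is to audit the host's installed VIB inventory. The script below is an added example, not Mandiant's or VMware's code: it parses the table printed by `esxcli software vib list` (the sample output, vendor allowlist and the choice to flag non-VMware acceptance levels are constructed assumptions for the example) and reports packages an administrator should compare against the expected build.

```python
"""Audit an ESXi VIB inventory for packages that merit review.

Input is the text produced by `esxcli software vib list`, collected from
the host or through the management workflow.  Every VIB whose vendor is
outside the allowlist, or whose acceptance level is not a VMware-signed
one, is reported for comparison against the expected host build.
"""
from dataclasses import dataclass

# Acceptance levels without a VMware signature.  Assumption for this example:
# they mark a VIB as worth review, not as proof of compromise.
REVIEW_LEVELS = {"PartnerSupported", "CommunitySupported"}
# Constructed allowlist of vendors expected on this fleet.
EXPECTED_VENDORS = {"VMW", "VMware"}


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str


def parse_vib_list(output: str) -> list[Vib]:
    """Parse the whitespace-aligned table from `esxcli software vib list`."""
    vibs = []
    for line in output.splitlines():
        fields = line.split()
        # Skip blank lines, the header row and the dashed separator row.
        if len(fields) < 4 or fields[0] == "Name" or set(fields[0]) == {"-"}:
            continue
        vibs.append(Vib(fields[0], fields[1], fields[2], fields[3]))
    return vibs


def suspicious_vibs(vibs: list[Vib]) -> list[Vib]:
    """Return VIBs from unexpected vendors or at a non-VMware acceptance level."""
    return [v for v in vibs
            if v.vendor not in EXPECTED_VENDORS or v.acceptance in REVIEW_LEVELS]


# Constructed sample output: three stock VIBs plus one added outside the update path.
SAMPLE_OUTPUT = """\
Name               Version                Vendor   Acceptance Level  Install Date
-----------------  ---------------------  -------  ----------------  ------------
esx-base           7.0.3-0.35.19193900    VMW      VMwareCertified   2022-06-01
vmware-esx-esxcli  7.0.3-0.35.19193900    VMware   VMwareCertified   2022-06-01
vsan               7.0.3-0.35.19193900    VMware   VMwareCertified   2022-06-01
example-agent      1.0-1                  EXAMPLE  PartnerSupported  2022-09-14
"""

if __name__ == "__main__":
    for vib in suspicious_vibs(parse_vib_list(SAMPLE_OUTPUT)):
        print(f"REVIEW: {vib.name} {vib.version} vendor={vib.vendor} level={vib.acceptance}")
```

Run it against real `esxcli software vib list` output saved from each host and compare the flagged entries with change records; a VIB that nobody installed deliberately is the finding to escalate.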
One backdoor, which Mandiant calls VIRTUALPITA, is a 64-bit passive backdoor that creates a listener on a hardcoded port number on a VMware ESXi server. It often utilizes VMware service names and ports to masquerade as a legitimate service. There are Windows and Linux versions.
The other backdoor, which Mandiant calls VIRTUALPIE, is a lightweight backdoor written in Python that spawns a daemonized IPv6 listener on a hardcoded port on a VMware ESXi server.
There is also a piece of Windows malware Mandiant calls VIRTUALGATE, a utility program written in C that includes a dropper and the payload. The memory-only dropper deobfuscates a second stage DLL payload that uses VMware’s virtual machine communication interface (VMCI) sockets to run commands on a guest virtual machine from a hypervisor host, or between guest virtual machines on the same host.
Mandiant has also seen this attacker target a virtualized system for credential harvesting, using Windows’ MiniDump capability to dump process memory and search it for cleartext credentials. The attacker also targeted password database files held in the open-source KeePass password manager.