Attackers use novel technique, malware to compromise hypervisors and virtual machines

2022-09-30 13:13

Unknown attackers wielding novel specialized malware have managed to compromise VMware ESXi hypervisors and guest Linux and Windows virtual machines, Mandiant threat analysts have discovered.

VirtualGATE is a utility program that incorporates a memory-only dropper and a payload that can run commands from a hypervisor host on a guest virtual machine, or between guest virtual machines on the same hypervisor host.

"VMware VIBs are collections of files that are designed to facilitate software distribution and virtual system management. Since ESXi utilizes an in-memory filesystem, file edits are not saved across reboots," Mandiant researchers explained.

VIBs can be created by VMware, VMware partners, or the community.

"Mandiant has brought to our attention a new variant of malware targeting vSphere, which was discovered in an environment where threat actors may have used operational security weaknesses to compromise a mutual customer," VMware shared on Thursday, in response to Mandiant's report.

"While we noted the technique used [this group] requires a deeper level of understanding of the ESXi operating system and VMWare's virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities," they added.

News URL

https://www.helpnetsecurity.com/2022/09/30/compromise-hypervisors-virtual-machines/

#compromise #hypervisors #malware #virtual