Unknown attackers wielding novel specialized malware have managed to compromise VMware ESXi hypervisors and guest Linux and Windows virtual machines, Mandiant threat analysts have discovered.
They named the malware VirtualPITA (ESXi & Linux), VirtualPIE (ESXi), and VirtualGATE (Windows), and shared detection and hardening advice.
The malware and techniques used by the attackers
VirtualPITA and VirtualPIE are backdoors, which the attackers deliver by using malicious vSphere Installation Bundles (VIBs).
VirtualGATE is a utility program that incorporates a memory-only dropper and a payload that can run commands from a hypervisor host on a guest virtual machine, or between guest virtual machines on the same hypervisor host.
“VMware VIBs are collections of files that are designed to facilitate software distribution and virtual system management. Since ESXi utilizes an in-memory filesystem, file edits are not saved across reboots,” Mandiant researchers explained.
“A VIB package can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine. These packages are generally utilized by administrators to deploy updates and maintain systems; however, this attacker was seen leveraging the packages as a persistence mechanism to maintain access across ESXi hypervisors.”
VIBs can be created by VMware, VMware partners, or the community. The latter are not generally accepted by blindly by VMware ESXi hosts, as they have not been tested.
But by modifying the XML descriptor file in the VIBs, the attackers managed to make the malicious VIBs look like they were created by a partner. Then, by changing the –force flag, they succeeded in to make the hypervisor ignore systems acceptance level requirements when installing the VIB.
“Mandiant has brought to our attention a new variant of malware targeting vSphere, which was discovered in an environment where threat actors may have used operational security weaknesses to compromise a mutual customer,” VMware shared on Thursday, in response to Mandiant’s report.
The company also made sure to note that there is no evidence that a vulnerability in a VMware product was exploited to gain access to ESXi during Mandiant’s investigations. Also, that an attacker must first obtain root privileges on an ESXi host if they want to install a malicious VIB.
There is, therefore, no vulnerability to patch, but VMware urges admins to harden their VMware vSphere installations and to enable the Secure Boot feature in ESXi. They have also released a PowerCLI script defenders can use to find unsigned VIBs on their ESXi hosts.
Mandiant researchers says that whoever is behind these intrusions seems bent on cyber espionage, not cybercrime.
“While we noted the technique used [this group] requires a deeper level of understanding of the ESXi operating system and VMWare’s virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities,” they added.