Novel malware discovered targeting VMware ESXi hypervisors.
Sep 29, 2022

Mandiant has identified new malware that targets VMware ESXi, Linux vCenter servers, and Windows virtual machines.

Mandiant has released two blog posts detailing novel malware that targets VMware ESXi, Linux vCenter servers, and Windows virtual machines.

Hypervisor exploitation.

In the first blog, researchers say that the malware ecosystem enables threat actors to do the following:

  • “Maintain persistent administrative access to the hypervisor;
  • “Send commands to the hypervisor that will be routed to the guest VM for execution;
  • “Transfer files between the ESXi hypervisor and guest machines running beneath it;
  • “Tamper with logging services on the hypervisor;
  • “Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor.”

Mandiant identified a novel technique in which threat actors used malicious vSphere Installation Bundles (VIBs) to install backdoors, which Mandiant calls “VIRTUALPITA” and “VIRTUALPIE”, on ESXi hypervisors. Mandiant notes that the threat actors need admin-level privileges on the ESXi hypervisor before the malware can be deployed; it says this is not an external remote code execution vulnerability, and that there is no evidence of a zero-day vulnerability giving the actors that access.

Hardening the hypervisor.

The second blog details other attacker actions, describes ESXi detection methodologies, and discusses how to further harden hypervisors.
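Because the technique described above relies on VIBs installed with administrative access rather than on a vulnerability, one practical check a defender can run is an inventory audit: list the VIBs on each host and look for any whose acceptance level is looser than the host's configured minimum, or whose vendor is not one the organization expects. The script below is an added example and is not code from Mandiant's posts or from VMware. It assumes the table layout printed by `esxcli software vib list` (columns Name, Version, Vendor, Acceptance Level, Install Date, separated by two or more spaces); the sample inventory, the VIB names and the vendor allowlist are constructed for illustration and are not indicators from the reports.

```python
"""Audit an ESXi VIB inventory for entries that deserve a closer look.

Added example, not code from Mandiant's blog posts or from VMware. It parses
the table printed by `esxcli software vib list` (assumed column layout:
Name, Version, Vendor, Acceptance Level, Install Date; columns separated by
two or more spaces) and flags VIBs whose acceptance level is weaker than the
host's configured minimum or whose vendor is not on an expected-vendor list.
The inventory below is constructed for illustration; the names in it are
placeholders, not indicators of compromise.
"""
import re
import sys

# ESXi acceptance levels from strictest to loosest (rank 0 is strictest).
ACCEPTANCE_RANK = {
    "VMwareCertified": 0,
    "VMwareAccepted": 1,
    "PartnerSupported": 2,
    "CommunitySupported": 3,
}

# Constructed sample in the assumed `esxcli software vib list` layout.
SAMPLE_VIB_LIST = """\
Name                        Version                         Vendor    Acceptance Level    Install Date
--------------------------  ------------------------------  --------  ------------------  ------------
esx-base                    7.0.3-0.20.19193900             VMware    VMwareCertified     2022-01-20
nvme-pcie                   1.2.3.16-1vmw.703.0.20          VMW       VMwareCertified     2022-01-20
oem-storage-driver          2.0.0-1OEM.703.0.0              ACME      PartnerSupported    2022-03-05
placeholder-vib             1.0.0-1                         unknown   CommunitySupported  2022-08-15
"""


def parse_vib_list(text):
    """Turn the esxcli table into a list of dicts keyed by column header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return []
    header = re.split(r"\s{2,}", lines[0].strip())
    records = []
    for row in lines[2:]:  # lines[1] is the dashed rule under the header
        fields = re.split(r"\s{2,}", row.strip())
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in row: {row!r}")
        records.append(dict(zip(header, fields)))
    return records


def audit_vibs(records, min_level="PartnerSupported",
               trusted_vendors=frozenset({"VMware", "VMW"})):
    """Return {vib_name: [reasons]} for VIBs that should be reviewed.

    min_level should mirror the host setting shown by
    `esxcli software acceptance get`; trusted_vendors is an assumed
    allowlist that an operator extends with the OEM vendors they expect.
    """
    threshold = ACCEPTANCE_RANK[min_level]
    findings = {}
    for rec in records:
        reasons = []
        level = rec.get("Acceptance Level", "")
        # Unknown levels get a rank that always fails the comparison.
        if ACCEPTANCE_RANK.get(level, len(ACCEPTANCE_RANK)) > threshold:
            reasons.append(f"acceptance level '{level}' is weaker than host minimum '{min_level}'")
        if rec.get("Vendor") not in trusted_vendors:
            reasons.append(f"vendor '{rec.get('Vendor')}' is not on the expected-vendor list")
        if reasons:
            findings[rec["Name"]] = reasons
    return findings


if __name__ == "__main__":
    # Pipe a live inventory in (`esxcli software vib list | python3 audit_vibs.py`)
    # or run without input to audit the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VIB_LIST
    for name, reasons in audit_vibs(parse_vib_list(text)).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The output is a review queue, not a verdict: a legitimate OEM driver will appear until its vendor is added to the allowlist, which is the point of reconciling each host's inventory against a known-good baseline. Any VIB that fails both checks, or that appears on a host where no change was scheduled, is the one to pull install dates and file listings for.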

Mandiant has attributed this malware to UNC3886, suspecting that the motivation is cyber espionage, with a possible connection to China.

“While we are aware of less than 10 organizations where this malware was deployed, we anticipate more organizations will discover compromised VMware infrastructure in their environments as a result of this published threat intelligence. Most organizations do not have an efficient way to hunt for and identify threats on VMware hypervisors given the lack of EDR support. This is why Mandiant and VMware have collaborated and provided hardening guidance to organizations. It is critical for organizations to address this threat, as we anticipate other threat actors will develop similar malware capabilities over time,” said Mandiant Consulting CTO, Charles Carmakal.

VMware guidance.

VMware has also released guidance following the discovery of the malware. Manish Gaur, head of product security at VMware, said, “VMware worked closely with Mandiant to understand this specialized malware so we could quickly arm our customers with the guidance they need to secure their vSphere environments and mitigate. While there is no VMware vulnerability involved, we are highlighting the need for strong Operational Security practices that include secure credential management and network security, in addition to following VMware’s hardening guidelines for virtual infrastructure.”