Cybercriminals hijack VMware ESXi with never-before-discovered technique


A previously unknown attack technique allows attackers to infiltrate VMware ESXi hypervisors, and unidentified cybercriminals have already used it in the wild against organizations. That is the finding of security company Mandiant in a new report.

VMware ESXi is one of the most widely used hypervisors in the world. The newly documented technique makes it possible to infiltrate the hypervisor itself. Mandiant discovered in April 2022 that unknown cybercriminals had used the technique to attack organizations; the report was published recently.

vSphere Installation Bundles

The technique makes it possible to infiltrate a target's ESXi environment. Mandiant found the malware in "less than ten organizations". That makes the problem look limited, but appearances are deceiving: VMware ESXi is extremely popular, and the method lets an attacker hijack an entire hypervisor. The potential damage is enormous.

An attacker needs management access to abuse the technique. With management access, an attacker can deploy malicious vSphere Installation Bundles (VIBs). The malware lets the attacker keep management access to VMware ESXi even after a reboot. Attackers can then send commands to the hypervisor that are executed inside its virtual machines (VMs), manipulate hypervisor logs, and exchange files between VMs.
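As an added illustration, not taken from the article or from Mandiant's report, the script below triages constructed `esxcli software vib list` output from a defender's side: it flags VIBs outside VMware's trusted acceptance levels, from vendors outside an allow-list, or installed after a known-good baseline date. The sample rows, the vendor allow-list and the baseline date are all assumptions.

```python
"""Triage `esxcli software vib list` output for VIBs that warrant a closer look."""
from datetime import date

TRUSTED_ACCEPTANCE = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}

# Constructed sample output in the five-column layout (Name, Version, Vendor,
# Acceptance Level, Install Date); not captured from a real host.
SAMPLE_VIB_LIST = """\
Name               Version                   Vendor  Acceptance Level    Install Date
-----------------  ------------------------  ------  ------------------  ------------
esx-base           7.0.3-0.35.19193900       VMware  VMwareCertified     2022-03-01
net-i40e           2.4.1-1vmw.703.0.0.18644  VMW     VMwareCertified     2022-03-01
hpe-smx-provider   700.03.17.00.2-7.0.0      HPE     PartnerSupported    2022-03-01
vmtools-helper     1.0-1                     CUSTOM  CommunitySupported  2022-04-18
"""

def parse_vib_list(text: str) -> list[dict[str, str]]:
    """Turn the tabular output into dicts; skips the header and dashed separator."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Name" or fields[0].startswith("-"):
            continue
        name, version, vendor, acceptance, installed = fields[:5]
        rows.append({"name": name, "version": version, "vendor": vendor,
                     "acceptance": acceptance, "installed": installed})
    return rows

def suspicious_vibs(text: str, allowed_vendors: set, baseline: str) -> dict[str, list[str]]:
    """Return {vib name: [reasons]} for VIBs failing any of three defender checks."""
    limit = date.fromisoformat(baseline)   # last date of a known-good install
    findings = {}
    for vib in parse_vib_list(text):
        reasons = []
        if vib["acceptance"] not in TRUSTED_ACCEPTANCE:
            reasons.append(f"acceptance level {vib['acceptance']}")
        if vib["vendor"] not in allowed_vendors:
            reasons.append(f"unexpected vendor {vib['vendor']}")
        if date.fromisoformat(vib["installed"]) > limit:
            reasons.append(f"installed {vib['installed']} after baseline {baseline}")
        if reasons:
            findings[vib["name"]] = reasons
    return findings

if __name__ == "__main__":
    hits = suspicious_vibs(SAMPLE_VIB_LIST, {"VMware", "VMW", "HPE"}, "2022-03-31")
    for name, reasons in hits.items():
        print(name, "->", "; ".join(reasons))
```

The acceptance level is declared by the VIB's own descriptor, so treat it as a triage signal rather than proof, and cross-check hits against an inventory of the package names and install dates you expect on each host.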

VMware is not the cause

Mandiant has no evidence that the perpetrators of the discovered incident exploited a vulnerability in VMware ESXi to gain management access, so VMware is not the cause of the problem. VIBs are an important and legitimate part of ESXi. "Packages are typically used by administrators to deploy updates and maintain systems," Mandiant explained. "However, the attackers used the packages to maintain access to the ESXi hypervisors."

The identity of the cybercriminals is unknown. The report suggests that the technique has been used in multiple attacks in the past, but Mandiant does not know whether the perpetrators belong to the same group or coalition. Mandiant tracks the threat actor as UNC3886. "Given the highly targeted and evasive nature of this intrusion, we suspect that UNC3886 is related to cyber espionage."

Prevention

In the investigation report, Mandiant outlines the technical details of the attack method. It notes that an attacker needs deep knowledge of ESXi and VMware to use the technique, yet Mandiant still expects a wave of similar attacks in the near term.

Because the investigation report is public, it could allow cybercriminals to imitate the method. Mandiant has therefore also written a comprehensive blog post on securing ESXi environments; following its steps helps organizations avoid similar attacks.
