CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Hackers Possibly From China Using New Method to Deploy Persistent ESXi Backdoors

Hackers possibly from China have been using a new technique to install persistent backdoors in VMware ESXi hypervisors, giving them significant capabilities while making detection more difficult.

Hackers possibly from China have been using a new technique to install persistent backdoors in VMware ESXi hypervisors, giving them significant capabilities while making detection more difficult.

The new technique, spotted by Mandiant in April, involves using malicious vSphere Installation Bundles (VIBs). A VIB is a collection of files packaged into a single archive to facilitate distribution — they are similar to a tarball or ZIP archive.

VIB packages can be used to create startup tasks, custom firewall rules, or to deploy custom binaries when an ESXi machine is rebooted. Administrators typically use these packages to maintain systems and deploy updates, but it appears that malicious actors have found a way to abuse them.

The attackers observed by Mandiant have used malicious VIBs to install two backdoors on ESXi hypervisors. These pieces of malware, named VirtualPita and VirtualPie by Mandiant, allow arbitrary command execution, file transfers, and the ability to initiate reverse shells.

According to Mandiant, this new ‘malware ecosystem’ affects VMware ESXi, Linux vCenter servers, and Windows virtual machines (VMs). The Windows malware is tracked as VirtualGate.

The attackers are capable of maintaining persistent admin access to a hypervisor even across restarts, send commands that are routed to the guest VM for execution, transfer files between the hypervisor and guest machines, and execute arbitrary commands from one guest VM to another guest VM on the same hypervisor. In addition, the hackers can also tamper with logging services on the hypervisor.

The company pointed out that the attack does not appear to involve exploitation of a known or zero-day vulnerability in VMware products for initial access or to deploy the malicious VIBs. In addition, the attacker needs to obtain admin-level privileges to the ESXi hypervisor before they can deploy the malware.

The cybersecurity firm has been tracking this activity as UNC3886 and believes a group of cyberspies may be behind it considering that less than 10 victims have been identified so far.

Advertisement. Scroll to continue reading.

“Given the highly targeted and evasive nature of this intrusion, we suspect UNC3886 motivation to be cyber espionage related. Additionally, we assess with low confidence that UNC3886 has a China-nexus,” Mandiant said.

VMware has been informed about these attacks and the company has released guidance for securing vSphere environments against such threats.

“While there is no VMware vulnerability involved, we are highlighting the need for strong Operational Security practices that include secure credential management and network security, in addition to following VMware’s hardening guidelines for virtual infrastructure,” said Manish Gaur, head of product security at VMware.

Mandiant believes other threat actors will also develop similar capabilities in the future. In addition, the company anticipates that more victims will come to light once organizations start checking their systems for the indicators of compromise (IoC) it has made available.

“As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain advanced state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers. This increases the difficulty for organizations to detect malicious attacker activity,” said Mandiant Consulting CTO Charles Carmakal.

Related: Researchers Find Python-Based Ransomware Targeting Jupyter Notebook Web Apps

Related: New Cross-Platform ‘Luna’ Ransomware Only Offered to Russian Affiliates

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.