According to the security firm, a threat actor headquartered in China utilized tainted vSphere Installation Bundles to plant multiple backdoors in targeted computers.
VMware published urgent new mitigation measures and advice for customers of its vSphere virtualization technology on September 29th, responding to a revelation from Mandiant that a Chinese threat actor was using a new technique to install multiple persistent backdoors on ESXi hypervisors.
The attacker, which Mandiant tracks as UNC3886, uses malicious vSphere Installation Bundles (VIBs) to infiltrate victim systems. Doing so requires complete control over the ESXi hypervisor; however, Mandiant found no indication that any VMware product vulnerabilities were exploited during the malware deployment.
The Malicious Capabilities
Mandiant calls the backdoors VIRTUALPIE and VIRTUALPITA. They give attackers a range of malicious capabilities: persistent admin access to the ESXi hypervisor; executing arbitrary commands between VM guests on the same hypervisor; transferring files between guest machines and the ESXi hypervisor; sending malicious commands to a guest VM via the hypervisor; and tampering with logging services.
According to Alex Marvi, a security consultant at Mandiant, “an attacker can use the malware ecosystem remotely to access a hypervisor and submit arbitrary commands that would be executed on a guest virtual machine.”
According to Marvi, Mandiant also saw a second Python script that observed the guest system and listed the operations to be executed.
Only about ten businesses, according to Mandiant’s estimates, had their ESXi hypervisors compromised by the threat actors. However, the security vendor warned that more incidents are likely to occur: “while we noted the technique used by UNC3886 requires a deeper level of understanding of the ESXi operating system and VMware’s virtualization platform,” it expects other threat actors to use the report’s information to build similar capabilities.
The Trick of the New Tactic
VMwareCertified VIBs are evaluated and signed by VMware; VMwareAccepted VIBs are signed by VMware partners. CommunitySupported VIBs are created by individuals or partners outside the VMware partner program, and VMware has neither tested nor endorsed them.
Mandiant notes that an ESXi image carries one of three acceptance ratings, and any additional VIB must have the same or a higher acceptance level. This ensures that unsupported VIBs are not blended into ESXi images.
VMware’s minimum VIB acceptance level is PartnerSupported. Mandiant says administrators can manually alter a profile’s minimum acceptance level when deploying a VIB.
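As an added example (not tooling from Mandiant, VMware or this article), the following POSIX shell script checks an ESXi host for the two conditions described above: a minimum acceptance level lowered below PartnerSupported, and installed VIBs whose acceptance level is CommunitySupported or otherwise outside the VMware-trusted set. It assumes the CSV output of `esxcli --formatter=csv software vib list` carries a header row naming an `AcceptanceLevel` column; the sample data below is constructed, and its VIB names, vendor tags and versions are invented.

```shell
#!/bin/sh
# Added triage helper (hypothetical, not VMware or Mandiant tooling).
# On a host: esxcli --formatter=csv software vib list | check_vibs
#            check_host_level "$(esxcli software acceptance get)"
# A constructed sample stands in for the esxcli output so this runs offline.

# Levels VMware signs or trusts. PartnerSupported is the ESXi minimum the
# article describes; CommunitySupported or any unknown string gets flagged.
ALLOWED_LEVELS="VMwareCertified VMwareAccepted PartnerSupported"

# check_vibs: reads the VIB CSV on stdin, prints "name,vendor,level" for every
# VIB outside ALLOWED_LEVELS. Exit status 1 if anything was flagged, else 0.
# Columns are located by header name (assumed present), not by position.
check_vibs() {
    awk -F, -v allowed="$ALLOWED_LEVELS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NF == 0 { next }
        {
            level = $(col["AcceptanceLevel"])
            if (!(level in ok)) {
                print $(col["Name"]) "," $(col["Vendor"]) "," level
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# check_host_level: takes the host minimum acceptance level (the single line
# printed by `esxcli software acceptance get`); exit 1 if it has been lowered
# to a level that would let community or unsigned VIBs into the image profile.
check_host_level() {
    case "$1" in
        VMwareCertified|VMwareAccepted|PartnerSupported) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: two trusted VIBs plus one CommunitySupported VIB.
# Names, vendor tags and versions are invented for the example.
SAMPLE_VIBS='AcceptanceLevel,CreationDate,ID,InstallDate,Name,Vendor,Version
VMwareCertified,2022-01-05,VMW_bootbank_sample-nic_1.0-1,2022-04-10,sample-nic,VMW,1.0-1
PartnerSupported,2022-06-01,PRT_bootbank_sample-hba_2.3-4,2022-04-10,sample-hba,PRT,2.3-4
CommunitySupported,2022-08-15,XYZ_bootbank_sample-svc_0.1-1,2022-09-01,sample-svc,XYZ,0.1-1'

main() {
    printf '%s\n' "$SAMPLE_VIBS" | check_vibs || echo "ALERT: VIB(s) below PartnerSupported"
    check_host_level "CommunitySupported" || echo "ALERT: host acceptance level lowered"
}
main
```

Because the listed level comes from each VIB's own descriptor rather than from signature validation, treat this as a baseline triage check and pair it with the Secure Boot, TPM and Host Attestation controls VMware recommends.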
Security Operational Lapse
VMware denied that the situation constituted a security flaw. The company explains that it recommends Secure Boot because it blocks the force command; it adds, however, that Secure Boot needs a second layer of security to disable the force command, because the attacker already has root access to ESXi.
The company also notes that firms have tools to detect altered VIBs. In a blog post, VMware stated that the attacks were likely enabled by operational security lapses at the victim companies, and it outlined steps businesses can take to prevent VIB abuse and other concerns.
VMware recommends Secure Boot, TPM, and Host Attestation to verify software drivers and other components. VMware indicated that with Secure Boot enabled, attackers cannot install unsigned or weakly signed VIBs (even with the --force argument, as noted in the post).
VMware also recommends that businesses use VMware Carbon Black Endpoint and the VMware NSX suite to secure their workloads, and that they impose strict patching and life-cycle management procedures.
Mandiant posted a second blog post on September 29th on identifying similar threats and securing ESXi deployments. The recommended security measures include shutting down unsecured networks, controlling access, and managing services well.