Mystery Hackers Are 'Hyperjacking' Targets for Insidious Spying (wired.com)
For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice. From a report: For decades, virtualization software has offered a way to vastly multiply computers' efficiency, hosting entire collections of computers as "virtual machines" on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical "hyperjacking" and "Blue Pill" attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of "hyperjacking" attacks in the wild.
Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware's virtualization software on multiple targets' networks as part of an apparent espionage campaign. By planting their own code in victims' so-called hypervisors --VMware software that runs on a physical computer to manage all the virtual machines it hosts -- the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim's virtual machines, the hackers' trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.
"The idea that you can compromise one machine and from there have the ability to control virtual machines en masse is huge," says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only "side effects" of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system. Mandiant discovered the hackers earlier this year and brought their techniques to VMware's attention. Researchers say they've seen the group carry out their virtualization hacking -- a technique historically dubbed hyperjacking in a reference to "hypervisor hijacking" -- in fewer than 10 victims' networks across North America and Asia. Mandiant notes that the hackers, which haven't been identified as any known group, appear to be tied to China.
Details! (Score:1)
What kind of backdoors? Using what exploits as infection vectors?
I guess we don't need to know. Perish the thought that we might want to harden our own infrastructure against this kind of attack.
Re: (Score:2)
What don't you understand about that?
Re: (Score:2)
Re: (Score:2)
Sounds like there isn't even a new vulnerability present. It's just people backdooring VMWare servers once they already have ADMINISTRATIVE access.
Mind you, there have been some NASTY VMWare CVEs over the years, even somewhat recently, that have led to code execution - but what we're talking about here is just a new (but not at all surprising), and maybe not even really new at all, they mentioned similarities to other malware in the article, persistence-kit. Probably persistence tools and techniques modify
Re: (Score:2)
I'd be kind of curious how persistence or process injection would work on a VMware hypervisor. The ESXi hypervisor code itself is pretty small and while derived from Linux, it's not a full-blown fat VM of its own (ESX 3.5 was). Getting it to load random code execution modules which aren't hardware drivers and have privileged access to the hypervisor itself seems pretty difficult, especially considering it only gives you access to the VMs on that host.
My money would be on hacks to vCenter -- the appliance
Re: (Score:2)
What about desktop versions of VMWare?
Re: (Score:1)
Research! If you're working with *real* VMWare ESXi and not some freebie garbage, then you would presumably be receiving communications from VMWare about this, no?
WTF man, is everything supposed to be just handed over to you on a silver platter? Work for your goddamned paycheck!
VMWare was never meant to be pushbutton phone-app simple, in the old days it took brains, and it still does!
Fucking entitled little shits, I swear. This attitude of "gimmie the answers nao for free without work!!!" *really* steam
Re: Details! (Score:2)
People like AC are trapped behind a wall of abstraction. They fail to grasp some fundamental aspect of understanding of the systems they administer. This causes them to revert to thinking of solutions in terms of interaction with the user interface. "What do I click?"
Then they post inane questions on user forums. It's a PITA, yes, but what can we do? Send them back to elementary tech school?
hypervisor issue (Score:2)
Re: (Score:1)
Re: (Score:2)
As a virtualization critic
What's wrong with virtualization? Hardware advancements have dramatically outpaced software needs. We used to have a server room full of a few dozen big, heavy, hot boxes - now we've got a grand total of three physical servers in there (and a lot of empty rack space).
Re:hypervisor issue (Score:4, Interesting)
Maybe OP works for a PC manufacturer, or Intel or AMD?
I too like virtualization - it lets me set up little Linux VMs that I can use to demonstrate things with (especially network things) which just have the required service installed and nothing else, making it easy to use and distribute.
I have one where the sole purpose was to serve up a special webpage with a file, and you use SSH to put on an updated version of the file for testing. If necessary I can distribute the VM disk image around to people who need it who have difficulty configuring the stuff (it's all documented, but sometimes people still bang their head on things, so having a VM I can distribute freely makes life a lot easier).
Also means I have a "clean machine" with just that service set up, so it's got nothing to do with what other crap I might be running or have installed.
Another time I was dealing with a vendor who was supplying stuff to us encrypted. I set up a VM with all the necessary decryption software and keys so anyone who needed to deal with that supplier can use it to decrypt the files without having to spend a few hours trying to figure out what exactly to do.
Having one-off appliance VMs really makes life a lot simpler when trying to deal with issues.
Re: (Score:1)
Re: (Score:2)
You mean like Spectre and Meltdown, which are the attacks you're describing and have been around for the past few years?
The reason we don't see massive incidents is because res
Re: (Score:1)
You mean like Spectre and Meltdown, which are the attacks you're describing and have been around for the past few years?
Yes, that is what I mean. Just because they've been around a while doesn't mean they have resulted in much significant exploit activity. In fact, I've been pretty surprised how little folks have actually made from these exploits despite all the panicky jumping up and down the last few years. I did an audit for a customer recently and their servers had basically zero mitigation against any of these types of attacks and their sites have been up for years with no OS mitigation, no microcode updates. They run S
Re:hypervisor issue (Score:5, Informative)
Blog articles with more technical info than the summary gives: Part 1: https://www.mandiant.com/resou... [mandiant.com]
Part 2: https://www.mandiant.com/resou... [mandiant.com]
Re: (Score:2)
Poor security segmentation of accounts likely too. Like, do you have a separate domain for managing your Vcenter, admins with separate credentials from their standard user accounts? Many don't bother; it sits in the same vlan as production or edge users, the user the sysadmin runs daily for his email on his workstation is the same user that is enterprise admin and vsphere admin. And then half of those guys use the same passwords for their luggage.
Really the only story here is that someone is actually doi
Re: (Score:2)
Yeah, basically bad guys are hacking VM host servers because they found a vulnerability that lets them do so. This isn't exactly surprising or novel. It's like claiming that some Windows 11 hack is new and dangerous because (obviously) it didn't exist 5 years ago.
I'm not saying this isn't a big security issue - just that no one should be particularly surprised
And "hyper"-jacking? Give me a break. If someone attacks Apache web server are we gonna call it "webjacking" now?
You can't just patch the hypervisor (Score:2)
Re: (Score:2)
shouldn't matter if it's a VM or a physical box
Physical boxes cost money. So somebody has to sign some purchase reqs. Then they get asset tags. So they can be audited by people walking through the data center with a clipboard or barcode scanner. And every once in a while, someone decides to see how much capital the company has tied up in servers, racks and all the ancillary HVAC and UPS equipment supporting it. So they ask questions.
If it's a bunch of VMs on one blade, nobody is quite sure how many. Someone has to go bug the BOFH to log on to the hyper
Re: (Score:1)
Re: (Score:2)
Does that really still happen? I remember that back in the 2005-2010 era or so when virtualization kind of 'grew up' from VMWare server that never scaled well to esx/vcenter and competitors, and people started attaching real SAN storage to them with heavy IO capability, and Nehalem Xeons on blade servers started to make the density worthwhile.
However it seems to me the infosec side of the house started to do serious patch auditing and became empowered to insist everything got patched or someone took responsibility for t
Re: (Score:2)
However it seems to me the infosec side of the house started to do serious patch auditing and became empowered to insist everything got patched or someone took responsibility for the variance.
It happened just like you say at a lot of places. However, as a consultant I can tell you that it definitely did NOT happen in many cases, too. I still see a lot of 4.x ESX boxes in 2022. One problem is how the vendors started moving to subscription-based licenses for everything. What happened is that clients who were not flush with cash didn't want to pay to upgrade and eventually patches stopped coming. All this stuff is firewalled so people don't worry about it that much, but heaven forbid someone compro
Likely not the first such attack (Score:1, Interesting)
Friend of mine did a code review of the VMWare sources for a customer a long time ago. Found multiple real issues. These attackers are likely only the first to be careless enough to get caught...
Re: (Score:2)
Funny this gets modded down. I doubt there are paid shills on /., not enough exposure anymore. Probably just some morons suffering Stockholm Syndrome.
ftfy: Supertargets are getting pwned (Score:1)