Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Google

Mystery Hackers Are 'Hyperjacking' Targets for Insidious Spying (wired.com) 32

For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice. From a report: For decades, virtualization software has offered a way to vastly multiply computers' efficiency, hosting entire collections of computers as "virtual machines" on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical "hyperjacking" and "Blue Pill" attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of "hyperjacking" attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware's virtualization software on multiple targets' networks as part of an apparent espionage campaign. By planting their own code in victims' so-called hypervisors --VMware software that runs on a physical computer to manage all the virtual machines it hosts -- the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim's virtual machines, the hackers' trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

"The idea that you can compromise one machine and from there have the ability to control virtual machines en masse is huge," says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only "side effects" of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system. Mandiant discovered the hackers earlier this year and brought their techniques to VMware's attention. Researchers say they've seen the group carry out their virtualization hacking -- a technique historically dubbed hyperjacking in a reference to "hypervisor hijacking" -- in fewer than 10 victims' networks across North America and Asia. Mandiant notes that the hackers, which haven't been identified as any known group, appear to be tied to China.

This discussion has been archived. No new comments can be posted.

Mystery Hackers Are 'Hyperjacking' Targets for Insidious Spying

Comments Filter:
  • by Anonymous Coward
    As usual, summary and article both are heavy on hyperbole and light on details.

    What kind of backdoors? Using what exploits as infection vectors?

    I guess we don't need to know. Perish the thought that we might want to harden our own infrastructure against this kind of attack.
    • Research! If you're working with *real* VMWare ESXi and not some freebie garbage, then you would presumably be receiving communications from VMWare about this, no?

      WTF man, is everything supposed to be just handed over to you on a silver platter? Work for your goddamned paycheck!

      VMWare was never meant to be pushbutton phone-app simple, in the old days it took brains, and it still does!

      Fucking entitled little shits, I swear. This attitude of "gimmie the answers nao for free without work!!!" *really* steam

      • People like AC are trapped behind a wall of abstraction. They fail to grasp some fundamental aspect of understanding of the systems they administrator. This causes them to revert to thinking of solutions in terms of interaction with the user interface. "What do I click?"

        Then they post inane questions on user forums. It's a PITA, yes, but what can we do? Send them back to elementary tech school?

  • So apparently this is a vulnerability in VMware's hypervisor but not Microsoft's. The simple answer here is to patch the frickken VMware hypervisor vulnerability.
    • As a virtualization critic, I'd be happy to see virtualization vendors get a black eye from some successful side-channel or CPU cache problems out there. However, I'm not holding my breath. These articles always seem to imply that one day we are going to see a huge incident whereby zero-day is used to pwn all the servers of a specific type in just a few hours. I can't really remember anything spreading that dramatically except the Morris Worm. Odds are that they :will: just patch it and move on, just like y
      • As a virtualization critic

        What's wrong with virtualization? Hardware advancements have dramatically outpaced software needs. We used to have a server room full of a few dozen big, heavy, hot boxes - now we've got a grand total of three physical servers in there (and a lot of empty rack space).

        • Re:hypervisor issue (Score:4, Interesting)

          by tlhIngan ( 30335 ) <slashdot&worf,net> on Thursday September 29, 2022 @05:42PM (#62925303)

          What's wrong with virtualization? Hardware advancements have dramatically outpaced software needs. We used to have a server room full of a few dozen big, heavy, hot boxes - now we've got a grand total of three physical servers in there (and a lot of empty rack space).

          Maybe OP works for a PC manufacturer, or Intel or AMD?

          I too like virtualization - it lets me set up little Linux VMs that I can use to demonstrate things with (especially network things) which just have the required service installed and nothing else, making it easy to use and distribute.

          I have one where the sole purpose was to serve up a special webpage with a file, and you use SSH to put on an updated version of the file for testing. If necessary I can distribute the VM disk image around to people who need it who have difficulty configuring the stuff (it's all documented, but sometimes people still bang their head on things, so having a VM I can distribute freely makes life a lot easier).

          Also means I have a "clean machine" with just that service set up, so it's got nothing to do with what other crap I might be running or have installed.

          Another time I was dealing with a vendor who was supplying stuff to us encrypted. I set up a VM with all the necessary decryption software and keys so anyone who needed to deal with that supplier can use it to decrypt the files without having ot spend a few hours trying to figure out what exactly to do.

          Having one-off appliance VMs really makes life a lot simpler when trying to deal with issues.

        • Nothing is inherently wrong or bad about it. It's great for testing and can be very helpful in all kinds of scenarios, of course. My critique is mostly around the way big companies handle large virtualization environments. They create (sometimes massive) sprawl and often give the management a way to avoid addressing core issues in application design. As this article demonstrates, it's also not a security panacea, which some try to sell it as.
      • by tlhIngan ( 30335 )

        I'd be happy to see virtualization vendors get a black eye from some successful side-channel or CPU cache problems out there. However, I'm not holding my breath. These articles always seem to imply that one day we are going to see a huge incident whereby zero-day is used to pwn all the servers of a specific type in just a few hours.

        You mean like Spectre and Meltdown, which are the attacks you're describing and have been around for the past few years?

        The reason we don't see massive incidents is because res

        • You mean like Spectre and Meltdown, which are the attacks you're describing and have been around for the past few years?

          Yes, that is what I mean. Just because they've been around a while doesn't mean they have resulted in much significant exploit activity. In fact, I've been pretty surprised how little folks have actually made from these exploits despite all the panicky jumping up and down the last few years. I did an audit for a customer recently and their servers had basically zero mitigation against any of these types of attacks and their sites have been up for years with no OS mitigation, no microcode updates. They run S

    • Re:hypervisor issue (Score:5, Informative)

      by EvilSS ( 557649 ) on Thursday September 29, 2022 @03:59PM (#62925033)
      Reading the blog post by Mandiant, it sounds they exploited compromised admin credentials and not a VMWare vulnerability. If that is the case, then VMWare is probably being targeted because they have a much larger install base, and this may be a targeted attack where the attackers knew the companies used VMWare and not Hyper-V. Hyper-V is not immune to poor security practices and I can't think of a reason that a similar attack could not be targeted at Hyper-V if an attacker with the resources wanted to.

      Blog articles with more technical info than the summary gives: Part 1: https://www.mandiant.com/resou... [mandiant.com]
      Part 2: https://www.mandiant.com/resou... [mandiant.com]
      • Poor security segmentation of accounts likely too. Like do you have a separate domain for managing your Vcenter, admins with separate credentials from their standard user accounts? Many don't bother, it sits in the same vlan as production or edge users, the user the sysadmin runs daily for his email on workstation is the same users that is enterprise admin and vsphere admin. And then half of those guys use the same passwords for their luggage.

        Really the only story here is that someone is actually doi

    • Yeah, basically bad guys are hacking VM host servers because they found a vulnerability that lets them do so. This isn't exactly surprising or novel. It's like claiming that some Windows 11 hack is new and dangerous because (obviously) it didn't exist 5 years ago.

      I'm not saying this isn't a big security issue - just that no one should be particularly surprised

      And "hyper"-jacking? Give me a break. If someone attacks Apache web server are we gonna call it "webjacking" now?

    • I used to work in security assurance at a big company you have no choice but to trust. You can't patch any sandboxes the way we currently write code. Programs in the sandbox need to run programs or send data outside of the sandbox to talk to the real world. They send data to programs that run on the physical machine. The way everyone seems to write and do security patches is the first process to get the data from the sand box knows the data isn't to be trusted and usually will sanitize it so that the da
  • Friend of mine did a code review of the VMWare sources for a customer a long time ago. Found multiple real issues. These attackers are likely only the first to be careless enough to get caught...

    • by gweihir ( 88907 )

      Funny this gets modded down. I doubt there are paid shills on /., not enough exposure anymore. Probably just some morons suffering Stockholm Syndrome.

  • ftfy: Supertargets are getting pwned

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...