VMware virtualization software is being hijacked to spy on businesses

VMware’s ESXi hypervisors compromised, researchers warn

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Criminals have managed to compromise VMware’s ESXi hypervisors and gain access to countlessvirtual machines, meaning they can spy on numerous businesses using the hardware without those businesses ever knowing they’re being spied upon.

The warning was given out by cyber threat intelligence firm Mandiant, together with virtualization firm VMware.

According to the two companies, unknown threat actors with possible ties to China, installed two malicious programs on bare-metal hypervisors, using vSphere Installation Bundles. They named them VirtualPita and VirtualPie (“Pita” also means “pie” in some Slavic languages). Furthermore, they discovered a unique malware/dropper dubbed VirtualGate.

No vulnerability

What’s important to note is that the attackers did not find a zero-day, or exploit a different, known vulnerability. Instead, they used admin-level access to the ESXi hypervisors to install their tools.

Speaking toWIRED, VMware said that “while there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include secure credential management and network security.”

VMware also said it prepared a “hardening” guide for VMware setup admins, that should help them protect against this type of attack.

Is it time to give KVM hypervisor a go?>Citrix confirms its VM software will run Windows 11, eventually>We’ve rounded up the best virtual desktop services around

The threat actor is tracked as UNC3886. The researchers are saying that while it does show some signs of being a Chinese-based group (the victims are the same as for some other Chinese groups; there are certain similarities in themalwarecode and other known malicious programs), they can’t confirm, with absolute certainty, that that is the case.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The attack allows the threat actors to maintain persistent admin access to the hypervisor, send commands to theendpointthat will be routed to the guest VM for execution, steal files between the ESXi hypervisor and guest machines running underneath it, make changes to the logging services on the hypervisor, and execute arbitrary commands from one guest VM to another guest VM, as long as they’re on the same hypervisor.

Via:Wired

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

3 reasons why PIA fell in our best VPN rankings

I’ve covered Black Friday for eight years and these are the deals I’d buy from the early sales