Mandiant uncovers malware ecosystem deployed on VMware hypervisors and guest systems
Mandiant research has uncovered a novel malware ecosystem deployed on VMware hypervisors and guest systems by an advanced, suspected China-nexus threat actor.
The company says it has identified a unique technique in which the threat actor used malicious vSphere Installation Bundles (VIBs) to install multiple persistent backdoors on ESXi hypervisors. ESXi is used by large organisations across industries including government, finance, defence and technology.
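Because a VIB is the hypervisor's own packaging format, the natural place to hunt for this technique is the host's installed-VIB inventory. The script below is an added example written for this article, not code from Mandiant or VMware: it parses the tabular output of `esxcli software vib list` (the column layout, the sample rows and every VIB name in `SAMPLE_VIB_LIST` are assumptions constructed for illustration) and flags packages a reviewer should look at. The review heuristics are this example's own, not published indicators: CommunitySupported VIBs are unsigned; a vendor outside an allowlist is unexpected on a managed host; a VIB tagged with a VMware vendor but a PartnerSupported acceptance level is internally inconsistent; and a VIB whose Install Date is far later than the host's most common install date was added out of band.

```python
"""Triage an ESXi host's installed VIBs from `esxcli software vib list` output.

Added example, not from the article or from Mandiant/VMware. Assumptions:
the five-column layout below (Name, Version, Vendor, Acceptance Level,
Install Date) and the constructed sample rows.
"""
import re
import sys
from collections import Counter
from datetime import date, timedelta

# Constructed sample in the layout of `esxcli software vib list`; the names,
# versions and dates are made up for illustration.
SAMPLE_VIB_LIST = """\
Name                 Version                             Vendor  Acceptance Level    Install Date
-------------------  ----------------------------------  ------  ------------------  ------------
esx-base             7.0.3-0.20.19193900                 VMW     VMwareCertified     2021-12-02
esx-ui               1.34.0-17773521                     VMware  VMwareCertified     2021-12-02
lsi-mr3              7.718.02.00-1OEM.700.1.0.15843807   LSI     PartnerSupported    2021-12-02
net-community        1.0.0-1                             ACME    CommunitySupported  2022-07-14
vmsyslog-support     1.0.0-1                             VMware  PartnerSupported    2022-07-14
"""

VMWARE_VENDORS = frozenset({"VMW", "VMware"})
VMWARE_LEVELS = frozenset({"VMwareCertified", "VMwareAccepted"})
KNOWN_LEVELS = VMWARE_LEVELS | {"PartnerSupported", "CommunitySupported"}


def parse_vib_list(text):
    """Parse the esxcli table into dicts. Columns are separated by 2+ spaces,
    which is safe because VIB names and versions never contain a double space."""
    vibs = []
    for line in text.splitlines():
        line = line.strip()
        # Skip the header row, the dashed underline and blank lines.
        if not line or line.startswith("Name ") or line.startswith("---"):
            continue
        fields = re.split(r"\s{2,}", line)
        if len(fields) < 5:
            raise ValueError(f"unexpected row: {line!r}")
        name, version, vendor, acceptance, installed = fields[:5]
        vibs.append({
            "name": name,
            "version": version,
            "vendor": vendor,
            "acceptance": acceptance,
            "installed": date.fromisoformat(installed),
        })
    return vibs


def flag_suspicious(vibs, trusted_vendors=VMWARE_VENDORS, late_days=30):
    """Return {vib_name: [reasons]} for VIBs that merit manual review.
    The baseline install date is the most common Install Date on the host:
    VIBs from the original image share it, a later one was added afterwards.
    Heuristics are this example's assumptions, not published indicators."""
    if not vibs:
        return {}
    baseline = Counter(v["installed"] for v in vibs).most_common(1)[0][0]
    findings = {}
    for v in vibs:
        reasons = []
        if v["acceptance"] == "CommunitySupported":
            reasons.append("unsigned (CommunitySupported) VIB")
        elif v["acceptance"] not in KNOWN_LEVELS:
            reasons.append(f"unknown acceptance level {v['acceptance']!r}")
        if v["vendor"] not in trusted_vendors:
            reasons.append(f"vendor {v['vendor']!r} not in allowlist")
        if v["vendor"] in VMWARE_VENDORS and v["acceptance"] not in VMWARE_LEVELS:
            reasons.append(f"VMware vendor tag with {v['acceptance']} acceptance level")
        if v["installed"] - baseline > timedelta(days=late_days):
            reasons.append(f"installed {v['installed']} vs host baseline {baseline}")
        if reasons:
            findings[v["name"]] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python vib_triage.py [saved-esxcli-output.txt]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VIB_LIST
    for name, reasons in flag_suspicious(parse_vib_list(text),
                                         trusted_vendors=VMWARE_VENDORS | {"LSI"}).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample this reports `net-community` (unsigned, unknown vendor, late install) and `vmsyslog-support` (VMware vendor tag at PartnerSupported level, late install) while leaving the OEM storage driver alone once `LSI` is allowlisted. Treat the output as a review queue, not a verdict: the acceptance level printed by `esxcli software vib list` comes from the VIB's descriptor, so the definitive check on a host of interest is `esxcli software vib signature verify`, which validates the signature of each installed VIB rather than trusting what the descriptor claims.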
VMware is a virtualisation platform used by many enterprises across the globe. Before this discovery, neither Mandiant nor VMware had reported having seen persistent malware with these capabilities deployed on VMware hypervisors or guest systems in the wild.
While Mandiant has so far seen this technique used at fewer than ten organisations, it suspects the malware ecosystem is deployed at others as well.
The company says this is an example of threat actors developing and deploying malware on systems that do not commonly support endpoint detection and response (EDR) or antivirus solutions, leaving organisations blind to these types of attacks.
"As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain advanced state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers," says Charles Carmakal, CTO, Mandiant Consulting.
"This increases the difficulty for organisations to detect malicious attacker activity."
Carmakal says that while the discovery is alarming, both companies have collaborated to provide guidance and assistance.
"Most organisations do not have an efficient way to hunt for and identify threats on VMware hypervisors given the lack of EDR support. This is why Mandiant and VMware have collaborated and provided hardening guidance to organisations. It is critical for organisations to address this threat, as we anticipate other threat actors will develop similar malware capabilities over time."
Manish Gaur, Head of Product Security at VMware, echoed this sentiment by highlighting the need for strong operational security protocols.
"VMware worked closely with Mandiant to understand this specialised malware so we could quickly arm our customers with the guidance they need to secure their vSphere environments and mitigate. While there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include secure credential management and network security, in addition to following VMware's hardening guidelines for virtual infrastructure."