It is important to understand what malware attacks ESXi hypervisors. In addition, you need to be aware of the various countermeasures available to you to mitigate the damage that is cause by a jackpotting attack.
Malware targeting ESXi hypervisors
The Mandiant threat intelligence division has identified a new form of malware that targets VMware ESXi hypervisors. The malware is design to evade detection and built on top of an unsigned vSphere Installation Bundle.
A state-linked threat actor created the malware. The attacker crafted a Python script that inventories the hypervisors on the system, and then uploaded the script. The script then encrypts the virtual drives on the ESXi server. The script also creates a directory map, and a bash shell called to execute the script.
The malware detected during a joint customer investigation. The attackers used a remote-access tool Bitvise to log into the compromised system. They executed commands to guest machines through a process called /bin/rdt.
The malware is like another malware that’s found in the wild. The Python-based script encrypts the files on the virtual drives hosted on the ESXi server. Then the python script calls a bash shell on the ESXi server.
Malicious vSphere Installation Bundles (VIBs)
The Mandiant research team has uncovered a new malware ecosystem on VMware ESXi hypervisors. This family of malware features an interesting and innovative dropper named VirtualGate.
The dropper is a utility program that allows for commands to be sent between hypervisor hosts. It includes a payload and requires admin level privileges to run.
The Mandiant research team was able to discover the new malware by analyzing the boot profile of the ESXi hypervisor. They identified two backdoors that installed by the attackers. The first backdoor called the “VirtualPita” and the second called the “VirtualPIE.”
The malware package contains backdoors that allow an attacker to install additional backdoors on an ESXi hypervisor. These backdoors can allow for persistent access to the hypervisor and can execute arbitrary commands on guest VMs.
The ESXi hypervisor is based on an operating system that is like Linux. However, it differs in that it has its own OS and filesystem, known as the VMkernel.
Countermeasures to mitigate the success or impact of jackpotting
ESXi hypervisors are becoming increasingly targeted by ransomware attacks. ESXi is a software platform that designed for large IT environments. It is not a traditional operating system, but instead runs on server hardware. VMware ESXi provides an in-memory filesystem for virtual machines. ESXi also has a TPM chip that protects some settings from tampering.
One of the key vulnerabilities is the Remote Code Execution (RCE) vulnerability. The RCE vulnerability allows hackers to run malicious commands on a machine that has compromised. This can then encrypt all the machines that connected to that machine. Aside from encrypting all the files on the ESXi host, the malware will encrypt all of the files on the vmdk of each of the attached datastores.
Another way for attackers to leverage the RCE vulnerability is to write a custom binary to the host. This is possible, and there are tools that allow you to upload a custom binary to an ESXi host.
Conclusion
The recent report from Mandiant describes new malware families targeting VMware ESXi hypervisors. The malware is design to target the vmfs/volumes datastore path, and can use by threat actors to move files between hypervisors and guest machines.
The report also warns that if the threat actors able to maintain persistent administrator access to the ESXi hypervisor, they can execute arbitrary commands on the VM guests. This could allow the attacker to do things like install custom binaries or create startup tasks on the guest VMs.
The Mandiant report notes that the attack requires full administrator access to the ESXi hypervisor. They also note that the attack is like the state-sponsored threat actors that have attacked network appliances. They use SSH to gain interactive access to the environment, and list the running processes before encrypting them.
The Mandiant researchers discovered two different malware families. One called VirtualPITA, which consists of a backdoor that provides the attacker with persistent admin access to the hypervisor. The other called VirtualGATE, which incorporates a memory-only dropper that runs commands between hypervisor hosts.