Mandiant has discovered a new ecosystem of espionage-related malware targeting VMware ESXi, Linux vCenter servers, and Windows virtual machines that offers an attacker persistent administrative access, allows them to transfer files between hypervisors and guest machines, tamper with logging and execute arbitrary commands between virtual machines.
The activity, detailed in a report released this morning, is being tracked under a new cluster, meaning Mandiant has not yet tied it to any previously known advanced persistent threat hacking group.
The threat actor appears to be intentionally targeting devices without endpoint detection and response systems. Currently, Mandiant is aware of less than 10 organizations that are infected with the malware, but they expect that number to rise after their disclosure as security teams seek to detect the previously unknown activity.
“As endpoint detection and response solutions improve malware detection efficacy on Windows systems, certain advanced state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR [and] most organizations do not have an efficient way to hunt for and identify threats on VMware hypervisors given the lack of EDR support,” said Mandiant chief technology officer Charles Carmakal in a statement.
The activity was discovered during an incident response investigation where Mandiant observed an attacker leveraging legitimate VMWare tools to send commands to Windows guest machines. Later analysis of the hypervisor found that the actor had used malicious vSphere installation bundles, which VMWare describes as “a collection of files packaged into a single archive to facilitate distribution,” to install two different pieces of malware that Mandiant is calling VIRTUALPITA and VIRTUALPIE.
VIRTUALPITA is a family of 64-bit malware that impersonates legitimate VMWare service names and ports, allowing an actor to execute arbitrary commands, upload or download files and obfuscate its presence. VIRTUALPIE, written in Python code, spawns a background IPV6 listener on ESXi servers, also allowing for arbitrary command execution as well as file transfer and reverse shell capabilities.
Notably, the vulnerability can’t be executed remotely and requires administrative access, something that makes it significantly harder for most threat actors to use it, though well-resourced hacking groups backed by nation states can often obtain such access in other ways. To that point, there was no apparent evidence that the threat group leveraged a separate zero-day vulnerability to gain administrative privileges.
In a blog this morning, VMWare noted that “Mandiant found no evidence that a vulnerability in a VMware product was exploited to gain access to ESXi during their investigations” and as such, said there is no patch or plans to issue a security advisory or issue a CVE number. The company has developed hardening guidance based on the Mandiant report and said organizations should determine how quickly they should move to implement the guidance based on the context of their environments.
“This malware differs in that it supports remaining both persistent and covert, which is consistent with the goals of larger threat actors and APT groups who target strategic institutions with the intention of dwelling undetected for some time,” the VMWare blog states. “This contrasts with other threat actors and their toolkits who conduct ‘noisy,’ financially-motivated attacks using ransomware. Based on the indications that this new malware was deployed post-compromise, our guidance provides both specific detection and mitigation techniques as well as preventative techniques for strengthening operational security, secure configuration practices, and defense-in-depth.”
Origin of malware unknown, but "nexus" linked to China
The company offered few details regarding attribution or the identity or industries of the victims, saying only that the activity appears to have been done for espionage purposes and that they believe it has a “nexus to China,” an assessment that was made with only low confidence. That language is typically used by threat intelligence companies to convey that they believe a group may be operating from within a country or in ways that further their national interest but can’t conclusively be tied to any particular government.
The Chinese government is known for using a wide variety of hacking teams — some working directly within branches like the Ministry of State Security, as well as criminal hacking groups that may moonlight for or have only informal ties to the government — in a decades-long campaign to spy on private industry in the U.S. and other Western governments, steal data and intellectual property and bolster its own domestic economy. More recently, FBI Director Christopher Wray has said that "the greatest long term threat to our nation’s information and intellectual property, and to our economic vitality, is the counterintelligence and economic espionage threat from China."
Such efforts have been so widespread and impactful that an internal U.S. Navy review in 2019 found Chinese hackers were pilfering so much intellectual property and classified secrets from the Defense Industrial Base that it was "materially eroding" U.S. economic and military advantages.
According to a press release, Mandiant and VMWare worked together to develop more specific technical guidance for hardening VMware servers, and Mandiant also released known indicators of compromise. In addition to finding more organizations infected with VIRTUALPITA and VIRTUALPIE, the company expects other threat groups to follow suit and create their own capabilities for leveraging these vulnerabilities in the future.
“It is critical for organizations to address this threat, as we anticipate other threat actors will develop similar malware capabilities over time,” said Carmakal.