A never-before-seen attack using vSphere installation bundles (VIBs) across 10 machines could be the start of a VMpandemic

Just as we experienced a ‘novel’ type of coronavirus in 2020, a novel malware ecosystem has been found deployed on VMware hypervisors and guest systems by an advanced threat actor suspected of conducting espionage.

Just as only a few seed COVID-19 cases were detected in 2019, the novel malware technique has so far been found in fewer than 10 organizations. The malware ecosystem has the following capabilities:

    • Maintains persistent administrative access to the hypervisor
    • Sends commands to the hypervisor that are routed to a guest VM for execution
    • Transfers files between the ESXi hypervisor and the guest machines running on it
    • Tampers with logging services on the hypervisor
    • Executes arbitrary commands from one guest VM on another guest VM running on the same hypervisor

In what is reported to be a never-before-seen technique, malicious vSphere Installation Bundles (“VIBs”) were used to install multiple backdoors on the ESXi hypervisors. At the time of this report, the researchers announcing the discovery, from Mandiant, have found no evidence of a zero-day vulnerability being used to gain initial access or to deploy the malicious VIBs.

The firm has begun tracking this activity as UNC3886, where UNC stands for ‘uncategorized’. Given the highly targeted and evasive nature of the intrusion, Mandiant links UNC3886 to cyber espionage and suspects a loose association with China-based threat groups.

Hardening procedures

Mandiant recommends that organizations using ESXi and the VMware infrastructure suite follow these hardening steps to minimize the attack surface of ESXi hosts:

    • Network isolation
      When configuring networking on the ESXi hosts, only enable VMkernel network adapters on the isolated management network. Ensure that all dependent technologies such as vSANs and backup systems that the virtualization infrastructure will use are available on this isolated network. If possible, use dedicated management systems exclusively connected to this isolated network to conduct all management tasks of the virtualization infrastructure.
    • Identity and access management
      Decouple ESXi and vCenter Servers from Active Directory and use vCenter Single Sign-On, so that compromised Active Directory accounts cannot be used to authenticate directly to the virtualization infrastructure.

      Ensure administrators use separate and dedicated accounts for managing and accessing the virtualized infrastructure. Enforce multi-factor authentication (MFA) for all management access to vCenter Server instances, and store all administrative credentials in a Privileged Access Management system.
    • Services management
      Implement lockdown mode to ensure that ESXi hosts can only be accessed through a vCenter Server, disable services that are not required, and restrict the remaining services to specifically defined users.

      Configure the built-in ESXi host firewall to restrict management access only from specific IP addresses or subnets that correlate to management systems on the isolated network.

      Determine the appropriate risk acceptance level for vSphere Installation Bundles (VIBs) and enforce acceptance levels in the Security Profiles for ESXi hosts.
    • Log management
      Centralize logging of ESXi environments to proactively detect potential malicious behavior and to investigate incidents when they occur.

      Ensure all ESXi host and vCenter Server logs are being forwarded to the organization’s SIEM solution. This provides visibility into security events beyond that of normal administrative activity.
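Two of the hardening items above, VIB acceptance-level enforcement and firewall restriction of management access, can be audited from the output of `esxcli`, which administrators can collect from each host. The script below is an added example, not code from Mandiant or VMware: it parses constructed samples of `esxcli software vib list`, `esxcli software acceptance get` and `esxcli network firewall ruleset allowedip list` (the sample VIB names, vendors and versions are placeholders) and flags any installed VIB whose acceptance level is weaker than the level the host enforces, plus any management ruleset (sshServer, vSphereClient, webAccess) that still admits connections from all addresses rather than only the isolated management network. A VIB below the enforced level could only have landed while the host allowed a weaker level or with the acceptance check overridden, so each such finding deserves an explanation from whoever manages the host.

```python
import re

# Acceptance levels ordered from most to least trusted; a smaller index is stronger.
ACCEPTANCE_ORDER = ["VMwareCertified", "VMwareAccepted", "PartnerSupported", "CommunitySupported"]

# ESXi firewall rulesets that expose management interfaces (SSH, vSphere Client/API, web UI).
MANAGEMENT_RULESETS = ("sshServer", "vSphereClient", "webAccess")

# Constructed sample of `esxcli software acceptance get` on a host enforcing PartnerSupported.
SAMPLE_HOST_ACCEPTANCE = "PartnerSupported"

# Constructed sample of `esxcli software vib list`; names, vendors and versions are placeholders.
SAMPLE_VIB_LIST = """\
Name             Version               Vendor  Acceptance Level    Install Date
---------------  --------------------  ------  ------------------  ------------
esx-base         7.0.3-0.0.00000000    VMW     VMwareCertified     2022-03-01
nvme-pcie        1.2.3.16-1vmw.703     VMW     VMwareCertified     2022-03-01
oem-nic-driver   2.0.0-1OEM.700.1.0    OEMCO   PartnerSupported    2022-03-01
lsu-helper       1.0.0-1               ACME    CommunitySupported  2022-09-14
"""

# Constructed sample of `esxcli network firewall ruleset allowedip list`.
SAMPLE_FIREWALL_ALLOWEDIP = """\
Ruleset ID     Allowed IP Addresses
-------------  ------------------------
sshServer      All
vSphereClient  10.10.0.0/24, 10.10.1.5
webAccess      All
ntpClient      All
"""


def parse_esxcli_table(text):
    """Parse esxcli's tabular output (header, dashed separator, rows) into dicts.
    Columns are separated by runs of two or more spaces, so single spaces inside a
    value (e.g. "Acceptance Level" or "10.10.0.0/24, 10.10.1.5") survive."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    headers = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[2:]:  # skip the header and the dashed separator
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(headers):
            raise ValueError(f"unexpected column count in line: {line!r}")
        rows.append(dict(zip(headers, fields)))
    return rows


def find_untrusted_vibs(vib_list_text, host_acceptance):
    """Return (name, vendor, level) for each installed VIB whose acceptance level is
    weaker than the level the host enforces, or whose level is not a known value."""
    if host_acceptance not in ACCEPTANCE_ORDER:
        raise ValueError(f"unknown host acceptance level: {host_acceptance}")
    host_rank = ACCEPTANCE_ORDER.index(host_acceptance)
    findings = []
    for row in parse_esxcli_table(vib_list_text):
        level = row["Acceptance Level"]
        # An unrecognised level is itself suspicious, so treat it as weaker than anything.
        rank = ACCEPTANCE_ORDER.index(level) if level in ACCEPTANCE_ORDER else len(ACCEPTANCE_ORDER)
        if rank > host_rank:
            findings.append((row["Name"], row["Vendor"], level))
    return findings


def find_open_management_rulesets(allowedip_text):
    """Return management rulesets whose allowed-IP list is 'All', meaning the service
    is reachable from any address instead of only the isolated management network."""
    open_rulesets = []
    for row in parse_esxcli_table(allowedip_text):
        ruleset = row["Ruleset ID"]
        if ruleset in MANAGEMENT_RULESETS and row["Allowed IP Addresses"].strip().lower() == "all":
            open_rulesets.append(ruleset)
    return open_rulesets


if __name__ == "__main__":
    for name, vendor, level in find_untrusted_vibs(SAMPLE_VIB_LIST, SAMPLE_HOST_ACCEPTANCE):
        print(f"REVIEW VIB {name} (vendor {vendor}): level {level} is weaker than "
              f"the enforced host level {SAMPLE_HOST_ACCEPTANCE}")
    for ruleset in find_open_management_rulesets(SAMPLE_FIREWALL_ALLOWEDIP):
        print(f"RESTRICT firewall ruleset {ruleset}: currently allowed from all addresses")
```

On a real host, replace the constructed strings with the captured command output (for example, collected over the management network with the host's normal administrative tooling) and feed every host's results into the same SIEM that receives the ESXi syslog stream, so that a VIB below the enforced acceptance level or a management ruleset open to all addresses becomes an alert rather than a finding discovered during an incident.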