Hyperjacking

Last updated

Hyperjacking is an attack in which a hacker takes malicious control over the hypervisor that creates the virtual environment within a virtual machine (VM) host. [1] The point of the attack is to target the operating system that is below that of the virtual machines so that the attacker's program can run and the applications on the VMs above it will be completely oblivious to its presence.

Contents

Overview

Hyperjacking Hyperjacking.jpg
Hyperjacking

Hyperjacking involves installing a malicious, fake hypervisor that can manage the entire server system. Regular security measures are ineffective because the operating system will not be aware that the machine has been compromised. In hyperjacking, the hypervisor specifically operates in stealth mode and runs beneath the machine, it makes it more difficult to detect and more likely to gain access to computer servers where it can affect the operation of the entire institution or company. If the hacker gains access to the hypervisor, everything that is connected to that server can be manipulated. [2] The hypervisor represents a single point of failure when it comes to the security and protection of sensitive information. [3]

For a hyperjacking attack to succeed, an attacker would have to take control of the hypervisor by the following methods: [4]

Mitigation techniques

Some basic design features in a virtual environment can help mitigate the risks of hyperjacking:

Known attacks

As of early 2015, there had not been any report of an actual demonstration of a successful hyperjacking besides "proof of concept" testing. The VENOM vulnerability (CVE - 2015-3456) was revealed in May 2015 and had the potential to affect many datacenters. [5] Hyperjackings are rare due to the difficulty of directly accessing hypervisors; however, hyperjacking is considered a real-world threat. [6]

On September 29, 2022, Mandiant and VMware jointly made public their findings that a hacker group has successfully executed malware-based hyperjacking attacks in the wild, [7] affecting multiple target systems in an apparent espionage campaign. [8] [9] In response, Mandiant released a security guide with recommendations for hardening the VMware ESXi hypervisor environment. [10]

See also

Related Research Articles

<span class="mw-page-title-main">Malware</span> Portmanteau for malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user's computer security and privacy. By contrast, software that causes harm due to some deficiency is typically described as a software bug. Malware poses serious problems to individuals and businesses on the Internet. According to Symantec’s 2018 Internet Security Threat Report (ISTR), malware variants number has increased to 669,947,865 in 2017, which is twice as many malware variants as in 2016. Cybercrime, which includes malware attacks as well as other crimes committed by computer, was predicted to cost the world economy $6 trillion USD in 2021, and is increasing at a rate of 15% per year.

<span class="mw-page-title-main">Rootkit</span> Software designed to enable access to unauthorized locations in a computer

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

<span class="mw-page-title-main">VMware</span> Multi-cloud service provider for all apps

VMware, Inc. is an American cloud computing and virtualization technology company with headquarters in Palo Alto, California. VMware was the first commercially successful company to virtualize the x86 architecture.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a software company specializing in cybersecurity. ESET´s security products are made in Europe and provide security software in over 200 countries and territories worldwide, and its software is localized into more than 30 languages.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

A hypervisor is a type of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine. The hypervisor presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems. Unlike an emulator, the guest executes most instructions on the native hardware. Multiple instances of a variety of operating systems may share the virtualized hardware resources: for example, Linux, Windows, and macOS instances can all run on a single physical x86 machine. This contrasts with operating-system–level virtualization, where all instances must share a single kernel, though the guest operating systems can differ in user space, such as different Linux distributions with the same kernel.

Platform virtualization software, specifically emulators and hypervisors, are software packages that emulate the whole physical computer machine, often providing multiple virtual machines on one physical platform. The table below compares basic information about platform virtualization hypervisors.

<span class="mw-page-title-main">Joanna Rutkowska</span> Polish hacker and computer security expert

Joanna Rutkowska is a Polish computer security researcher, primarily known for her research on low-level security and stealth malware, and as founder of the Qubes OS security-focused desktop operating system.

<span class="mw-page-title-main">VMware ESXi</span> Enterprise-class, type-1 hypervisor for deploying and serving virtual computers

VMware ESXi is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers. As a type-1 hypervisor, ESXi is not a software application that is installed on an operating system (OS); instead, it includes and integrates vital OS components, such as a kernel.

<span class="mw-page-title-main">Remote desktop software</span> Desktop run remotely from local device

In computing, the term remote desktop refers to a software- or operating system feature that allows a personal computer's desktop environment to be run remotely off of one system, while being displayed on a separate client device. Remote desktop applications have varying features. Some allow attaching to an existing user's session and "remote controlling", either displaying the remote control session or blanking the screen. Taking over a desktop remotely is a form of remote administration.

A zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network. An exploit taking advantage of a zero-day is called a zero-day exploit, or zero-day attack.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Trellix is a privately held cybersecurity company founded in 2022. It has been involved in the detection and prevention of major cyber attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

<span class="mw-page-title-main">VMware vSphere</span> VMwares cloud computing virtualization platform

VMware vSphere is VMware's cloud computing virtualization platform.

libvirt Management tool

libvirt is an open-source API, daemon and management tool for managing platform virtualization. It can be used to manage KVM, Xen, VMware ESXi, QEMU and other virtualization technologies. These APIs are widely used in the orchestration layer of hypervisors in the development of a cloud-based solution.

Cisco Unified Computing System (UCS) is a data center server computer product line composed of server hardware, virtualization support, switching fabric, and management software, introduced in 2009 by Cisco Systems. The products are marketed for scalability by integrating many components of a data center that can be managed as a single unit.

In computer security, virtual machine escape is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system. A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". In 2008, a vulnerability in VMware discovered by Core Security Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4. A fully working exploit labeled Cloudburst was developed by Immunity Inc. for Immunity CANVAS. Cloudburst was presented in Black Hat USA 2009.

CrowdStrike Holdings, Inc. is an American cybersecurity technology company based in Austin, Texas. It provides cloud workload and endpoint security, threat intelligence, and cyberattack response services. The company has been involved in investigations of several high-profile cyberattacks, including the 2014 Sony Pictures hack, the 2015–16 cyber attacks on the Democratic National Committee (DNC), and the 2016 email leak involving the DNC.

Pipedream is a software framework for malicious code targeting programmable logic controllers (PLCs) and industrial control systems (ICS). First publicly disclosed in 2022, it has been described as a "Swiss Army knife" for hacking. It is believed to have been developed by state-level Advanced Persistent Threat actors.

References

  1. 1 2 3 4 "HYPERJACKING". Telelink. Archived from the original on 27 February 2015. Retrieved 27 February 2015.
  2. Gray, Daniel. "Hyperjacking - Future Computer Server Threat". SysChat. Retrieved 27 February 2015.
  3. Ryan, Sherstobitoff. "Virtualization Security - Part 2". Virtualization Journal. Retrieved 27 February 2015.
  4. Sugano, Alan. "Security and Server Virtualization". WindowsITPro. Archived from the original on 27 February 2015. Retrieved 27 February 2015.
  5. "VENOM Vulnerability". CrowdStrike.com. Retrieved 18 October 2016.
  6. "Common Virtualization Vulnerabilities and How to Mitigate Risks". Penetration Testing Lab. Retrieved 27 February 2015.
  7. Marvi, Alexander; Koppen, Jeremy; Ahmed, Tufail; Lepore, Jonathan (September 29, 2022). "Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors". Mandiant Blog. Archived from the original on September 30, 2022. Retrieved 30 September 2022.
  8. Greenberg, Andy (September 29, 2022). "Mystery Hackers Are 'Hyperjacking' Targets for Insidious Spying". Wired. Archived from the original on September 30, 2022. Retrieved 30 September 2022.
  9. Hardcastle, Jessica Lyons (September 29, 2022). "Covert malware targets VMware shops for hypervisor-level espionage". The Register. Archived from the original on September 30, 2022. Retrieved 30 September 2022.
  10. Marvi, Alexander; Blaum, Greg (September 29, 2022). "Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors". Mandiant Blog. Archived from the original on September 30, 2022. Retrieved 30 September 2022.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.