For decades, virtualization software has offered a way to dramatically multiply the efficiency of computers, by hosting entire collections of computers as “virtual machines” on a single physical machine. And for almost as long, security researchers have warned of the potential dark side of this technology: theoretical “hyperjacking” and “Blue Pill” attacks, where hackers hijack virtualization to spy on and manipulate machines. virtual, without any means for a targeted computer. to detect the intrusion. This insidious espionage has finally moved from research papers to reality with warnings that a mysterious team of hackers has carried out a series of “hyperjacking” attacks in the wild.
Today, Google-owned security firm Mandiant and virtualization company VMware jointly issued warnings that a group of sophisticated hackers had installed backdoors in VMware’s virtualization software on the networks of multiple targets. as part of an apparent espionage campaign. By planting their own code in the victims’ so-called hypervisors – VMware software that runs on a physical computer to manage all the virtual machines it hosts – the hackers were able to monitor and execute commands invisibly on the computers supervised by these hypervisors. And because the malicious code targets the hypervisor on the physical machine rather than the victim’s virtual machines, the hackers’ trick multiplies their access and evades nearly all traditional security measures designed to monitor these target machines for signs of foul play.
“The idea that you can compromise a machine and from there have the ability to control virtual machines en masse is huge,” says Alex Marvi, consultant at Mandiant. And even closely monitoring the processes of a target virtual machine, he says, an observer would in many cases see only “side effects” of the intrusion, since the malware performing this spying had infected a part of the system entirely out of operation. system.
Mandiant discovered the hackers earlier this year and brought their techniques to VMware’s attention. Researchers say they saw the group perform their virtualization hack — a technique historically called hyperjacking in reference to “hypervisor hacking” — on fewer than 10 victim networks in North America and Asia. Mandiant notes that the hackers, who have not been identified as any known group, appear to be linked to China. But the company only gives the claim a “low confidence” rating, explaining that the assessment is based on an analysis of the group’s victims and some similarities between their code and that of other known malware.