Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying

For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice. 
Photograph (illuminated computer keyboard reflected in the ajar lid and screen): Marco Rosario Venturini Autieri/Getty Images

For decades, virtualization software has offered a way to vastly multiply computers’ efficiency, hosting entire collections of computers as “virtual machines” on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical “hyperjacking” and “Blue Pill” attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of “hyperjacking” attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign. By planting their own code in victims’ so-called hypervisors—VMware software that runs on a physical computer to manage all the virtual machines it hosts—the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim’s virtual machines, the hackers’ trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

“The idea that you can compromise one machine and from there have the ability to control virtual machines en masse is huge,” says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only “side effects” of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system.

Mandiant discovered the hackers earlier this year and brought their techniques to VMware’s attention. Researchers say they’ve seen the group carry out their virtualization hacking—a technique historically dubbed hyperjacking in a reference to “hypervisor hijacking”—in fewer than 10 victims’ networks across North America and Asia. Mandiant notes that the hackers, which haven’t been identified as any known group, appear to be tied to China. But the company gives that claim only a “low confidence” rating, explaining that the assessment is based on an analysis of the group’s victims and some similarities between their code and that of other known malware.

While the group’s tactics appear to be rare, Mandiant warns that their techniques to bypass traditional security controls by exploiting virtualization represent a serious concern and are likely to proliferate and evolve among other hacker groups. “Now that people know this is possible, it will point them toward other comparable attacks,” says Mandiant’s Marvi. “Evolution is the big concern.”

In a technical writeup, Mandiant describes how the hackers corrupted victims’ virtualization setups by installing a malicious version of VMware’s software installation bundle to replace the legitimate version. That allowed them to hide two different backdoors, which Mandiant calls VirtualPita and VirtualPie, in VMware’s hypervisor program known as ESXi. Those backdoors let the hackers surveil and run their own commands on virtual machines managed by the infected hypervisor. Mandiant notes that the hackers didn’t actually exploit any patchable vulnerability in VMware’s software, but instead used administrator-level access to the ESXi hypervisors to plant their spy tools. That admin access suggests that their virtualization hacking served as a persistence technique, allowing them to hide their espionage more effectively long-term after gaining initial access to the victims’ network through other means.

In a statement to WIRED, VMware said that “while there is no VMware vulnerability involved, we are highlighting the need for strong operational security practices that include secure credential management and network security.” The company also pointed to a guide to “hardening” VMware setups against this sort of hacking, including better authentication measures to control who can tamper with ESXi software and validation measures to check whether hypervisors have been corrupted.
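The validation measures VMware points to can be scripted. As an added example, not code from the article, Mandiant, or VMware, the following parses the inventory that ESXi's real `esxcli software vib list` command prints and flags installation bundles whose acceptance level is below the host's policy, which is one of the routine checks for a tampered hypervisor. The sample inventory, its bundle names and versions are constructed; the ordering of acceptance levels is VMware's documented one.

```python
import re

# ESXi acceptance levels, most trusted first (VMware's documented ordering).
LEVELS = ["VMwareCertified", "VMwareAccepted", "PartnerSupported", "CommunitySupported"]

# Constructed sample in the layout of `esxcli software vib list`; not a capture from a real host.
SAMPLE_VIB_LIST = """\
Name          Version             Vendor  Acceptance Level    Install Date
------------  ------------------  ------  ------------------  ------------
esx-base      7.0.3-0.35.1234567  VMW     VMwareCertified     2022-01-15
tools-light   11.3.5-1234567      VMware  VMwareCertified     2022-01-15
vendor-nic    1.2.3-1OEM.700      ACME    PartnerSupported    2022-03-02
sys-helper    1.0-1               N/A     CommunitySupported  2022-06-20
"""


def parse_vib_list(text):
    """Parse the fixed-width table; column boundaries come from the dashed rule line."""
    lines = [line for line in text.splitlines() if line.strip()]
    header, rule, rows = lines[0], lines[1], lines[2:]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", rule)]
    columns = [header[s:e].strip() for s, e in spans]
    vibs = []
    for row in rows:
        fields = []
        for i, (s, e) in enumerate(spans):
            # The last column runs to end of line so nothing is truncated.
            fields.append(row[s:].strip() if i == len(spans) - 1 else row[s:e].strip())
        vibs.append(dict(zip(columns, fields)))
    return vibs


def vibs_below_policy(vibs, host_level="PartnerSupported"):
    """Return bundles whose acceptance level is less trusted than the host's configured level.

    A host normally refuses to install such bundles, so any that are present (or any
    level string the host does not recognise) are review items for an integrity check.
    """
    limit = LEVELS.index(host_level)
    flagged = []
    for vib in vibs:
        level = vib.get("Acceptance Level", "")
        if level not in LEVELS or LEVELS.index(level) > limit:
            flagged.append(vib)
    return flagged


if __name__ == "__main__":
    for vib in vibs_below_policy(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"REVIEW: {vib['Name']} {vib['Version']} ({vib['Acceptance Level']})")
```

On a live host the inventory is compared against a known-good baseline as well, since a bundle can carry a plausible name and level; this check only catches what the host's own metadata exposes.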

Since as early as 2006, security researchers have theorized that hyperjacking presents a method to stealthily spy on or manipulate victims using virtualization software. In a paper that year, Microsoft and University of Michigan researchers described the potential for hackers to install a malicious hypervisor they called a “hypervirus” on a target machine that places the victim inside a virtual machine run by the hacker without the victim’s knowledge. By controlling that malicious hypervisor, everything on the target machine would be under the hacker’s control, with practically no sign within the virtualized operating system that anything was amiss. Security researcher Joanna Rutkowska dubbed her own version of the technique a Blue Pill attack, since it trapped the victim in a seamless environment entirely created by the hacker, Matrix-style, without their knowledge.

What Mandiant observed isn’t exactly that Blue Pill or hypervirus technique, argues Dino Dai Zovi, a well-known cybersecurity researcher who gave a talk at the Black Hat security conference about hypervisor hacking in the summer of 2006. In those theoretical attacks, including his own work, a hacker creates a new hypervisor without the victim’s knowledge, while in the cases Mandiant discovered, the spies merely hijacked existing ones. But he points out that this is a far easier and yet highly effective technique—and one he’s expected for years. “I’ve always assumed it was possible and even being done,” says Dai Zovi. “It’s just a powerful position that gives full access to any of the virtual machines running on that hypervisor.”

Aside from the difficulty of detecting the attack, he points out that it also serves as a multiplier of the hacker’s control: In virtualization setups, two to five virtual machines can typically run on any physical computer, and there are often thousands of virtual machines on an organization’s network running as everything from PCs to email servers. “That’s a lot of scale and leverage,” says Dai Zovi. “For an attacker, it’s a good return on their investment.”

Mandiant suggests in its writeup of the hacking campaign that attackers may be turning to hyperjacking as part of a larger trend of compromising network elements that have less rigorous monitoring tools than the average server or PC. But given the power of the technique—and the years of warnings—it’s perhaps most surprising that it hasn’t been put to malicious use earlier.

“When people first hear about virtualization technology, they always raise their eyebrows and ask, ‘What happens if someone takes control of the hypervisor?’” says Mandiant’s Marvi. “Now it’s happened.”