Virtualization software is used in many use cases to implement solutions across the business world. Businesses from small and medium-sized companies to enterprise corporate offices rely on virtualization solutions for integral business systems and capabilities.

Virtual computing has become popular because it reduces the need for physical servers taking up space, improves reliability and performance, and reduces overall IT overhead costs. It is possible to have a single server running a virtualization solution that hosts several virtualized servers within it. These can accomplish any number of tasks, from data solutions to virtual desktops that teams and employees can log in to.

Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacking group has been installing backdoors in VMware's virtualization software, targeting multiple networks as part of a large hacking campaign.

VMware's hypervisor software runs on a physical server and manages the virtual machines it hosts. The hackers were able to invisibly watch, and run commands on, the virtual machines those hypervisors were hosting. Because the malicious code targets the hypervisor layer of the virtual environment rather than the victim's individual virtual machines, the attackers can reach multiple virtual machines at once and evade most traditional security tools, which run inside the guest machines rather than on the host.

The hackers can run code on, and even view, the VMs running on a compromised VMware hypervisor. Targeted VMs would likely see only side effects of the compromised host, since the malicious software is not running directly on the virtual machine but on its host. Even so, the hackers still have a tremendous amount of control over those virtual machines.

VMware made a statement about the recent revelations of the hacking group's capabilities involving its virtual machine software, highlighting the need for strong operational security practices that include secure credential management and network security. The company also pointed to a guide for hardening VMware setups against this sort of attack.

Protecting Your Virtual Environment from Hyperjacking

Microsoft and the University of Michigan have studied this particular form of hacking, publishing a theory of a possible way to perform hyperjacking as early as 2006. Security researcher Joanna Rutkowska dubbed her own version of this attack "Blue Pill", because it trapped the victim in a seamless virtual environment created entirely by the attacker, without the victim's knowledge.

The new attack described by Mandiant is not exactly like the Blue Pill attack. It differs in that the hijacker compromises the victim's existing virtual machine host itself, as opposed to creating a new virtual machine that the victim unknowingly ends up running inside.

As with most cybersecurity attacks, prevention is key to defending against these sorts of attacks. Hackers still need access to these hypervisors, and following security best practices can go a long way toward preventing cyberattacks like hyperjacking. Training users to protect PII (personally identifiable information), helping them identify potential phishing scams, and using network security methods to scan for and prevent dark web attacks can all go a long way toward preventing attacks like these.

Natural Networks is a fully managed IT services provider, and we use advanced security such as SentinelOne's AI-driven protection to secure client machines. Natural Networks also provides network-level security through patch management, secure business-class firewalls, and dark web scanning through DarkCubed.

If you're interested in learning more about how Natural Networks can be your partner in IT security, give us a call today!