As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR, such as network appliances, SAN arrays, and VMware ESXi servers.

Earlier this year, Mandiant identified a novel malware ecosystem impacting VMware ESXi, Linux vCenter servers, and Windows virtual machines that enables a threat actor to take the following actions:

- Send commands to the hypervisor that will be routed to the guest VM for execution
- Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor

Based on our investigations to date, we have not seen indications of a VMware 0-day vulnerability; we assess the threat actor deployed the malware onto VMware servers using stolen administrator credentials. This actor is very capable, has strong operational security, and uses anti-forensics techniques to hide from network defenders and investigators. While Mandiant has currently only seen this malware ecosystem deployed to fewer than 10 organizations, we anticipate there are likely other victims that will discover compromised VMware infrastructure in their environments as they start to hunt for this activity. We assess this malware ecosystem was developed and deployed by an advanced threat actor with a China nexus, and that it may have been deployed to a few dozen environments where the threat actor wanted to maintain long-term access. We anticipate other threat actors will develop similar capabilities over time. We recommend organizations review the threat hunting and hardening guidance from Mandiant and VMware to protect their VMware environments.

Overall, the attackers, who are believed to be a Chinese threat group, were very systematic in their approach. Ultimately, CPR's investigation led to the discovery of a new Windows backdoor, in other words a new cyber espionage weapon, which the Chinese threat group has been developing since 2017. An unknown threat actor used a new stealthy rootkit to backdoor targeted Windows systems in what looks like an ongoing espionage campaign dubbed TunnelSnake going back to at.