Blog entry by Les Bell

by Les Bell - Monday, 3 October 2022, 9:47 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


New Malware Achieves Persistence in VMware ESXi Hypervisors

Mandiant has discovered a new family of malware which targets VMware ESXi hypervisors, Linux vCenter servers and Windows VMs. The malware allows a threat actor to:

  • maintain persistent access to the hypervisor
  • send commands to the hypervisor which will then be routed to the guest VM for execution
  • transfer files between the hypervisor and guest machines
  • tamper with logs on the hypervisor
  • execute arbitrary commands from one guest to another guest on the same hypervisor.

It is important to note that this is a post-exploitation toolkit; the attacker has to use some other - as yet undetermined - exploit to gain admin access to the ESXi hypervisor. But once this has been done, they are likely to escape detection for a long time, due to the lower level of support for endpoint detection and response products on hypervisors.

In their reports, Mandiant identified two new malware families, VIRTUALPITA and VIRTUALPIE, which are installed as malicious vSphere Installation Bundles (VIBs), despite not being signed by VMware or any of its trusted partners. Another component, VIRTUALGATE, is installed on Windows VMs to enable communication via VMware's virtual machine communication interface (VMCI).

The campaign is highly targeted and evasive, and while definitive attribution is not yet possible, the motive is probably cyber-espionage, and the threat actor possibly of Chinese origin.
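Since the persistence mechanism is a VIB that was never signed by VMware or a partner, a quick triage step is to review the VIBs installed on each host. The script below is an added example, not code from Mandiant or from this post: it parses the tabular output of `esxcli software vib list` (the sample rows here are constructed) and flags any VIB whose acceptance level is below the host's policy or whose vendor is not on an expected list.

```python
# Rank of the ESXi VIB acceptance levels, from most to least trusted.
ACCEPTANCE_RANK = {
    "VMwareCertified": 4,
    "VMwareAccepted": 3,
    "PartnerSupported": 2,
    "CommunitySupported": 1,
}

# Constructed sample in the tabular layout of `esxcli software vib list`
# (names, versions and dates are made up for this example).
SAMPLE_VIB_LIST = """\
Name          Version                   Vendor  Acceptance Level    Install Date
------------  ------------------------  ------  ------------------  ------------
esx-base      7.0.3-0.35.19193900       VMware  VMwareCertified     2022-03-01
lsi-mr3       7.718.02.00-1vmw.703.0.0  VMW     VMwareCertified     2022-03-01
net-extra     1.0.0-1                   Acme    CommunitySupported  2022-09-12
"""

def parse_vib_list(text):
    """Return one dict per VIB row, skipping the header and the dashed rule."""
    vibs = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly five whitespace-free columns and a known level.
        if len(fields) != 5 or fields[3] not in ACCEPTANCE_RANK:
            continue
        name, version, vendor, level, installed = fields
        vibs.append({"name": name, "version": version, "vendor": vendor,
                     "level": level, "installed": installed})
    return vibs

def find_suspicious_vibs(vibs, host_level="PartnerSupported",
                         trusted_vendors=frozenset({"VMware", "VMW"})):
    """Flag VIBs below the host's minimum acceptance level or from an unknown vendor.

    The 'Acceptance Level' column repeats what the VIB descriptor claims, and a VIB
    force-installed past host policy is still listed, so treat this as a triage
    aid to pair with signature verification, not as proof of integrity.
    """
    minimum = ACCEPTANCE_RANK[host_level]
    findings = []
    for vib in vibs:
        reasons = []
        if ACCEPTANCE_RANK[vib["level"]] < minimum:
            reasons.append(f"acceptance level {vib['level']} below host policy {host_level}")
        if vib["vendor"] not in trusted_vendors:
            reasons.append(f"vendor {vib['vendor']!r} not in trusted vendor list")
        if reasons:
            findings.append((vib["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in find_suspicious_vibs(parse_vib_list(SAMPLE_VIB_LIST)):
        print(name, "->", "; ".join(reasons))
```

Feed it the real listing from each host (for example saved with `esxcli software vib list > vibs.txt`) and adjust the trusted vendor set to the partners actually in use in your environment.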

Marvi, Alexander, Jeremy Koppen, Tufail Ahmed and Jonathan Lepore, Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors, Mandiant blog, 29 September 2022. Available online at https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence.

Marvi, Alexander and Greg Blaum, Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors, Mandiant blog, 29 September 2022. Available online at https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening.

Threat Actor Dangles US, NZ Jobs to Deliver Cobalt Strike Beacons

Cisco Talos researchers have uncovered a threat actor sending malicious emails which lure recipients into opening an infected MS Word document with details of a job with either the US government or a trade union in New Zealand. If the recipient falls for the lure, the document attempts to exploit CVE-2017-0199, a remote code execution vulnerability, by downloading a malicious Word document template from a BitBucket repository controlled by the attacker.

The downloaded .dotm template then executes an embedded VBA script - one variant of this deobfuscates and executes multiple Visual Basic and PowerShell scripts while another downloads and runs an executable that runs malicious PowerShell commands. Ultimately it downloads and runs a leaked version of a Cobalt Strike beacon which is configured to inject arbitrary binaries, although the Redline infostealer and Amadey botnet have also been seen as payloads.

Raghuprasad, Chetan and Vanja Svajcer, New campaign uses government, union-themed lures to deliver Cobalt Strike beacons, Talos Intelligence blog, 28 September 2022. Available online at https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.