Hyperjacking

Hyperjacking is an attack in which a hacker takes malicious control over the hypervisor that creates the virtual environment within a virtual machine (VM) host.^[1] The point of the attack is to target the operating system that is below that of the virtual machines so that the attacker's program can run and the applications on the VMs above it will be completely oblivious to its presence.

Overview edit

Hyperjacking

Hyperjacking involves installing a malicious, fake hypervisor that can manage the entire server system. Regular security measures are ineffective because the operating system will not be aware that the machine has been compromised. In hyperjacking, the hypervisor specifically operates in stealth mode and runs beneath the machine, making it more difficult to detect and more likely to gain access to computer servers where it can affect the operation of the entire institution or company. If the hacker gains access to the hypervisor, everything that is connected to that server can be manipulated.^[2] The hypervisor represents a single point of failure when it comes to the security and protection of sensitive information.^[3]

For a hyperjacking attack to succeed, an attacker would have to take control of the hypervisor by the following methods:^[4]

Injecting a rogue hypervisor beneath the original hypervisor
Directly obtaining control of the original hypervisor
Running a rogue hypervisor on top of an existing hypervisor

Mitigation techniques edit

Some basic design features in a virtual environment can help mitigate the risks of hyperjacking:

Security management of the hypervisor must be kept separate from regular traffic. This is a more network related measure than hypervisor itself related.^[1]
Guest operating systems should never have access to the hypervisor. Management tools should not be installed or used from guest OS.^[1]
Regularly patching the hypervisor.^[1]

Known attacks edit

As of early 2015, there had not been any report of an actual demonstration of a successful hyperjacking besides "proof of concept" testing. The VENOM vulnerability (CVE-2015-3456) was revealed in May 2015 and had the potential to affect many datacenters.^[5] Hyperjackings are rare due to the difficulty of directly accessing hypervisors; however, hyperjacking is considered a real-world threat.^[6]

On September 29, 2022, Mandiant and VMware jointly made public their findings that a hacker group has successfully executed malware-based hyperjacking attacks in the wild,^[7] affecting multiple target systems in an apparent espionage campaign.^[8]^[9] In response, Mandiant released a security guide with recommendations for hardening the VMware ESXi hypervisor environment.^[10]

References edit

^ ^a ^b ^c ^d "HYPERJACKING". Telelink. Archived from the original on 27 February 2015. Retrieved 27 February 2015.
^ Gray, Daniel. "Hyperjacking - Future Computer Server Threat". SysChat. Retrieved 27 February 2015.
^ Ryan, Sherstobitoff. "Virtualization Security - Part 2". Virtualization Journal. Retrieved 27 February 2015.
^ Sugano, Alan. "Security and Server Virtualization". WindowsITPro. Archived from the original on 27 February 2015. Retrieved 27 February 2015.
^ "VENOM Vulnerability". CrowdStrike.com. Retrieved 18 October 2016.
^ "Common Virtualization Vulnerabilities and How to Mitigate Risks". Penetration Testing Lab. Retrieved 27 February 2015.
^ Marvi, Alexander; Koppen, Jeremy; Ahmed, Tufail; Lepore, Jonathan (September 29, 2022). "Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors". Mandiant Blog. Archived from the original on September 30, 2022. Retrieved 30 September 2022.
^ Greenberg, Andy (September 29, 2022). "Mystery Hackers Are 'Hyperjacking' Targets for Insidious Spying". Wired. Archived from the original on September 30, 2022. Retrieved 30 September 2022.
^ Hardcastle, Jessica Lyons (September 29, 2022). "Covert malware targets VMware shops for hypervisor-level espionage". The Register. Archived from the original on September 30, 2022. Retrieved 30 September 2022.
^ Marvi, Alexander; Blaum, Greg (September 29, 2022). "Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors". Mandiant Blog. Archived from the original on September 30, 2022. Retrieved 30 September 2022.

[HYPERJACKING-1] "HYPERJACKING". Telelink. Archived from the original on 27 February 2015. Retrieved 27 February 2015.

[2] Gray, Daniel. "Hyperjacking - Future Computer Server Threat". SysChat. Retrieved 27 February 2015.

[3] Ryan, Sherstobitoff. "Virtualization Security - Part 2". Virtualization Journal. Retrieved 27 February 2015.

[4] Sugano, Alan. "Security and Server Virtualization". WindowsITPro. Archived from the original on 27 February 2015. Retrieved 27 February 2015.

[5] "VENOM Vulnerability". CrowdStrike.com. Retrieved 18 October 2016.

[6] "Common Virtualization Vulnerabilities and How to Mitigate Risks". Penetration Testing Lab. Retrieved 27 February 2015.

[7] Marvi, Alexander; Koppen, Jeremy; Ahmed, Tufail; Lepore, Jonathan (September 29, 2022). "Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors". Mandiant Blog. Archived from the original on September 30, 2022. Retrieved 30 September 2022.

[8] Greenberg, Andy (September 29, 2022). "Mystery Hackers Are 'Hyperjacking' Targets for Insidious Spying". Wired. Archived from the original on September 30, 2022. Retrieved 30 September 2022.

[9] Hardcastle, Jessica Lyons (September 29, 2022). "Covert malware targets VMware shops for hypervisor-level espionage". The Register. Archived from the original on September 30, 2022. Retrieved 30 September 2022.

[10] Marvi, Alexander; Blaum, Greg (September 29, 2022). "Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors". Mandiant Blog. Archived from the original on September 30, 2022. Retrieved 30 September 2022.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

Hyperjacking

Contents

Overview edit

Mitigation techniques edit

Known attacks edit

See also edit

References edit