
Mandiant Releases Two-Part Report On Malware Attacking ESXi Hypervisors, Linux vCenter Servers, And Windows Virtual Machines, And How To Defend Against It

Posted in Commentary on October 1, 2022 by itnerd

A reader pointed this out to me, so thanks for the tip.

Google’s Mandiant has found threat actors deploying never-before-seen post-compromise implants in VMware’s virtualization software to seize control of infected systems and evade detection. Mandiant describes it as a “novel malware ecosystem” that affects VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access to the hypervisor as well as execute arbitrary commands on it.

Mandiant has released a two-part report that explains what this malware is and how to defend against it. From reading both parts of the report, two things come to mind:

  • The attacks are tied to an emerging group that Mandiant tracks as UNC3886. Given how highly targeted these attacks are, the group is likely motivated by espionage rather than financial gain, and Mandiant suggests it could be associated with China.
  • This is something that is likely to be copied by other groups.

Finally, VMware has a post that speaks to this and offers advice. If you administer ESXi servers or other virtualization products, this should be required reading for you.