Attackers target hypervisors of virtual platforms to avoid EDR and maintain persistence

Mandiant has uncovered a new type of malware that targets ESXi hypervisors, Linux vCenter servers and SAN arrays, through which attackers gain undetected privileged access to the underlying virtual machines.

Attackers are targeting VMware ESXi hypervisors, Linux vCenter servers, network appliances and SAN arrays, which are more complicated to secure than ordinary servers. This is because hypervisors and network devices typically do not support EDR solutions, which are very effective at detecting and blocking the anomalous activity caused by sophisticated malware.

When attackers compromise a hypervisor, they gain persistent administrative access to the entire VM infrastructure and its underlying virtual machines, allowing them to:

  • Send commands to be executed in the guest virtual machines;
  • Transfer files from the hypervisor to the guest virtual machines;
  • Tamper with the hypervisor and its logging capabilities;
  • Execute commands from one guest virtual machine to another virtual machine within the same hypervisor.

This type of compromise is not easy to achieve and normally happens when hypervisors are not properly hardened or not patched in a timely manner against critical vulnerabilities.


  • The Mandiant article
  • Mandiant tips for Detection and Hardening ESXi Hypervisors