Attackers target hypervisors of virtual platforms to avoid EDR and maintain persistence
Mandiant has uncovered a new family of malware that targets ESXi hypervisors, Linux vCenter servers and SAN arrays; through it, attackers gain undetected, privileged access to the underlying virtual machines.
Attackers are targeting VMware ESXi hypervisors, Linux vCenter servers, network appliances and SAN arrays, which are harder to secure than ordinary servers. The reason is that hypervisors and network devices typically do not support EDR agents, the tooling that is most effective at detecting and blocking the anomalous activity a sophisticated malware produces.
When attackers compromise a hypervisor, they gain persistent administrative access to the entire VM infrastructure and its underlying virtual machines, which lets them:
- Send commands to be executed in the guest virtual machines;
- Transfer files from the hypervisor to the guest virtual machines;
- Tamper with the hypervisor and its logging capabilities;
- Execute commands from one guest virtual machine to another virtual machine within the same hypervisor.
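Because the hypervisor has no EDR and an intruder with root can tamper with its logging, the practical compensating control is to ship ESXi logs off-box before they can be altered. The following audit script is an added example, not code from the Mandiant article or from this page: it parses the key/value text that `esxcli system syslog config get` prints on an ESXi host and flags hosts whose logs stay only on the hypervisor. The sample outputs embedded below are constructed for this example, and the label names it looks for ("Remote Host", "Local Log Output Is Persistent") are assumed to match the esxcli output format of the host being audited.

```python
"""Audit ESXi syslog configuration for off-box, persistent logging.

Added example, not the Mandiant article's or VMware's own code. It reads the
'Key: value' lines printed by `esxcli system syslog config get` and reports
logging weaknesses that let a hypervisor-level intruder hide their tracks.
"""
import re

# Constructed sample: a host that only logs locally (no remote syslog target).
SAMPLE_LOCAL_ONLY = """\
   Default Network Retry Timeout: 180
   Local Log Output: /scratch/log
   Local Log Output Is Configured: false
   Local Log Output Is Persistent: true
   Remote Host: <none>
"""

# Constructed sample: the same host after pointing it at a remote collector
# (hostname and port are placeholders, not values from the page).
SAMPLE_HARDENED = """\
   Default Network Retry Timeout: 180
   Local Log Output: /scratch/log
   Local Log Output Is Configured: false
   Local Log Output Is Persistent: true
   Remote Host: ssl://syslog-collector.example.internal:1514
"""


def parse_syslog_config(text):
    """Turn 'Key: value' lines into a dict keyed by the label esxcli prints."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def audit_syslog_config(cfg):
    """Return a list of findings; an empty list means the logging posture is sound.

    Two checks matter most against a root-level intruder on the hypervisor:
    - logs must leave the box (Remote Host set), otherwise the attacker who
      controls the host also controls the only copy of the evidence;
    - local logs must live on persistent storage, otherwise a reboot (or an
      attacker-triggered one) wipes them.
    """
    findings = []
    remote = cfg.get("Remote Host", "<none>")
    if remote in ("<none>", ""):
        findings.append(
            "no remote syslog target: logs exist only on the hypervisor and can be "
            "edited or deleted by an intruder with root on the host"
        )
    if cfg.get("Local Log Output Is Persistent", "false").lower() != "true":
        findings.append(
            "local log output is not on persistent storage: logs are lost on reboot"
        )
    return findings


def audit_host(esxcli_output):
    """Convenience wrapper: parse raw esxcli text and audit it in one call."""
    return audit_syslog_config(parse_syslog_config(esxcli_output))


if __name__ == "__main__":
    for name, sample in (("local-only host", SAMPLE_LOCAL_ONLY),
                         ("hardened host", SAMPLE_HARDENED)):
        problems = audit_host(sample)
        status = "OK" if not problems else "FINDINGS"
        print(f"{name}: {status}")
        for p in problems:
            print(f"  - {p}")
```

In practice the raw text would come from `esxcli system syslog config get` run on each host (or from the equivalent API call) and the findings fed into whatever inventory or ticketing flow the team uses; the point of the check is that once the hypervisor itself is the attacker's foothold, any log that only lives there is no longer trustworthy evidence.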
The Mandiant article
Mandiant tips for Detection and Hardening ESXi Hypervisors