TID-209: Host Can Manipulate Guest Virtual Machines
Threat Description
If a threat actor can access a hypervisor’s host infrastructure, for example through its existing management interfaces, they could use that access to manipulate the guest (virtualized) systems it hosts. Since the hypervisor runs underneath the virtual machines, this manipulation will go undetected by the individual guest environments, whose own security controls cannot observe the layer beneath them.
Threat Maturity and Evidence
Observed Adversary Behavior
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
“Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment… On October 10, the actor leveraged an optical disc (ISO) image named ‘a.iso’ to execute a native MicroSCADA binary in a likely attempt to execute malicious control commands to switch off substations.”
Bad VIB(E)s Mandiant Discoveries
Researchers at Mandiant discovered adversarial usage of malware that runs on VM hosting machines. The malware is able to “1) maintain persistent administrative access to the hypervisor; 2) send commands to the hypervisor that will be routed to the guest VM for execution; 3) transfer files between the ESXi hypervisor and guest machines running beneath it; 4) tamper with logging services on the hypervisor; 5) execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor”
VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors
“Exploiting a zero-day vulnerability (CVE-2023-20867) that enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs”
CWE
CWE-306: Missing Authentication for Critical Function
“The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.”
CVE
CVE-2023-20867
“A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.”