Google’s security team says implementing phishing-resistant MFA on VMware vCenter environments could help reduce a world of pain caused by an active cybercrime group – which is highly adept at living off the land and gaining deep persistence across VMware vSphere environments.
Google’s Mandiant Incident Response (IR) team said this week that the group typically ends up with its “entire operation… at the hypervisor layer, making it invisible to any EDR or security agent running inside the Domain Controller's operating system. The use of the VCSA as a data funnel bypasses any network segmentation rules.”
(The VCSA, the vCenter Server Appliance, is a virtual machine used to manage VMware vSphere environments, centralising the management of multiple ESXi hosts.)
VMware persistence: “Help desk to hypervisor”
Members of the financially motivated threat group, whose tactics overlap with reporting on "Octo Tempest" and "Scattered Spider," typically gain a foothold by calling the IT help desk, armed with deep background information on the person they are pretending to be, said Mandiant.
Its members are “particularly skilled at using social engineering to bypass even mature security programs,” the IR team warned – urging CISOs and their teams to block phone-based password resets for privileged accounts and to treat any password reset on a “Tier 0” account (Domain Admin, Enterprise Admin, vSphere) “as a critical incident until proven otherwise.”
“For all Tier 0 accounts…these actions must require an in-person, multipart, or high-assurance identity verification process.” - Mandiant
After gaining a foothold, escalating their privileges and pivoting from Active Directory to VMware – often obtaining admin rights without much difficulty – the attackers, once in vCenter, enable “SSH on the ESXi hosts and reset their root passwords. They then execute an offline attack by identifying a Domain Controller VM, powering it off, and detaching its virtual disk (.vmdk). This disk is then attached as a secondary drive to a forgotten or "orphaned" VM they control,” said Mandiant.
“From this unmonitored machine, they copy the NTDS.dit Active Directory database. The process is then reversed, and the DC is powered back on as if nothing happened. The stolen data is then moved in a two-stage process: first, an internal transfer from the orphaned VM to the compromised VCSA using sftp, and second, an external exfiltration from the VCSA through the already-established teleport C2 channel to a threat actor controlled cloud service.” After plenty of this unpleasant, if skilled, jiggery-pokery, the group steals data and drops ransomware.
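Both of Mandiant’s points above – that a Tier 0 password reset should be treated as a critical incident, and that the intrusion leaves a recognisable trail in vCenter (SSH enabled on a host, ESXi root password changed, a Domain Controller VM powered off, its .vmdk attached to another VM) – lend themselves to a simple correlation rule. The script below is an added illustration written for this article, not Mandiant’s tooling or anything from VMware. It runs over constructed sample lines in a simplified key=value format rather than real Windows Security or vCenter log syntax; the account names, VM names, the `TIER0_ACCOUNTS` and `DC_VMS` inventories and the 24-hour window are all hypothetical, and a real deployment would feed it Event ID 4724 records and vCenter events instead.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed per-organisation inventory; the names are hypothetical.
TIER0_ACCOUNTS = {"da-jsmith", "vsphere-admin"}
DC_VMS = {"DC01", "DC02"}
CHAIN_WINDOW = timedelta(hours=24)

# Constructed sample lines in a simplified "key=value" format. They are not
# real Windows Security or vCenter log syntax; a production version would read
# Event ID 4724 from the Security log and the vCenter event stream instead.
SAMPLE_EVENTS = [
    "2025-07-28T09:02:11Z winlog EventID=4724 SubjectUser=helpdesk1 TargetUser=da-jsmith",
    "2025-07-28T09:40:05Z vcenter user=da-jsmith event=HostServiceStarted host=esxi-03 service=TSM-SSH",
    "2025-07-28T09:41:17Z vcenter user=da-jsmith event=AccountPasswordChanged host=esxi-03 account=root",
    "2025-07-28T10:05:44Z vcenter user=da-jsmith event=VmPoweredOff vm=DC01",
    "2025-07-28T10:06:30Z vcenter user=da-jsmith event=VmReconfigured vm=orphan-vm-17 disk=[datastore1] DC01/DC01.vmdk",
    "2025-07-28T10:20:02Z vcenter user=da-jsmith event=VmPoweredOn vm=DC01",
]

# Stages of the chain, in the order the article describes them.
STAGES = ["tier0_password_reset", "esxi_ssh_enabled", "esxi_root_password_changed",
          "dc_powered_off", "dc_disk_attached_elsewhere"]

# key=value pairs; a value may be "[datastore] path" with one embedded space.
_KV = re.compile(r"(\w+)=(\[[^\]]*\]\s*\S+|\S+)")


def parse_event(line: str) -> Dict[str, object]:
    """Split one constructed line into timestamp, source and key=value fields."""
    ts, source, rest = line.split(" ", 2)
    ev: Dict[str, object] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    ev.update(dict(_KV.findall(rest)))
    return ev


def classify(ev: Dict[str, object]) -> Optional[Tuple[str, str]]:
    """Return (stage, actor) if the event is one of the chain's stages, else None."""
    if ev["source"] == "winlog":
        if ev.get("EventID") == "4724" and ev.get("TargetUser") in TIER0_ACCOUNTS:
            # The reset target is the account the attacker would go on to use.
            return ("tier0_password_reset", str(ev["TargetUser"]))
        return None
    if ev["source"] != "vcenter":
        return None
    kind, user = ev.get("event"), str(ev.get("user", "?"))
    if kind == "HostServiceStarted" and ev.get("service") == "TSM-SSH":
        return ("esxi_ssh_enabled", user)
    if kind == "AccountPasswordChanged" and ev.get("account") == "root":
        return ("esxi_root_password_changed", user)
    if kind == "VmPoweredOff" and ev.get("vm") in DC_VMS:
        return ("dc_powered_off", user)
    if kind == "VmReconfigured":
        # "[datastore1] DC01/DC01.vmdk": the folder name "DC01" is the disk's owner.
        owner = str(ev.get("disk", "")).split("]")[-1].strip().split("/")[0]
        if owner in DC_VMS and ev.get("vm") != owner:
            return ("dc_disk_attached_elsewhere", user)
    return None


def correlate(lines: List[str]) -> Dict[str, list]:
    """Flag each stage on its own and, per actor, the chain when three or more stages fall in one window."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    findings, per_actor = [], {}
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        stage, actor = hit
        # A Tier 0 reset is critical on its own, per Mandiant's guidance; the rest are high.
        findings.append({"stage": stage, "actor": actor, "ts": ev["ts"].isoformat(),
                         "severity": "critical" if stage == "tier0_password_reset" else "high"})
        per_actor.setdefault(actor, {}).setdefault(stage, ev["ts"])
    chains = []
    for actor, seen in per_actor.items():
        stages = [s for s in STAGES if s in seen]
        span = max(seen.values()) - min(seen.values())
        if len(stages) >= 3 and span <= CHAIN_WINDOW:
            chains.append({"actor": actor, "stages": stages,
                           "span_minutes": int(span.total_seconds() // 60)})
    return {"findings": findings, "chains": chains}


if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['ts']} {f['actor']}: {f['stage']}")
    for c in result["chains"]:
        print(f"CHAIN {c['actor']} {c['stages']} within {c['span_minutes']} min")
```

The rule keys everything on the account whose password was reset, which is what makes the help-desk event and the later vCenter activity line up; the powering-on of the DC afterwards is deliberately not a stage, because by then the disk has already been copied. A reconfigure that attaches a DC’s .vmdk to a VM other than that DC is the single highest-value signal here, and is worth alerting on even when none of the other stages are seen.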
Targets have been hit across aviation, insurance, retail and beyond.
Mandiant’s IR team has more details on the attack path in its blog, along with excellent hardening guidance. Notably, the attacks start with social engineering: the hackers only need a basic user’s AD credentials to have a solid beachhead. From there, they raid SharePoint and other internal resources to build up an understanding of the organisation and launch a secondary attack, this time armed with more detail on the target.
“The core vulnerability is a help desk process that lacks robust, non-transferable identity verification for password resets,” Mandiant noted. Security teams hate to add friction by introducing this kind of control, but if their organisation wants to stay safe, they may have to.