UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs

erek
“The most important of the listed attack tools are:

  • Mopsled – Shellcode-based modular backdoor designed to retrieve and execute plugins, allowing it to expand its capabilities dynamically. It's seen in vCenter servers, and other breached endpoints alongside Reptile.
  • Riflespine – Cross-platform backdoor leveraging Google Drive for command and control (C2). It uses a systemd service for persistence, collects system information, and executes commands received from the C2.
  • Lookover – Custom sniffer to capture TACACS+ credentials by processing authentication packets, decrypting, and logging their contents. Deployed in TACACS+ servers, it helps attackers extend their network access reach.
  • Backdoored SSH execs – UNC3886 deployed modified versions of SSH clients and daemons to capture credentials and store them in XOR-encrypted log files. To prevent overwriting by updates, the attackers use 'yum-versionlock.'
  • VMCI backdoors – Backdoor family exploiting the Virtual Machine Communication Interface (VMCI) to facilitate communication between guest and host virtual machines. Includes 'VirtualShine' (bash shell access through VMCI sockets), 'VirtualPie' (file transfer, command execution, reverse shell), and 'VirtualSphere' (controller transmitting the commands).
Mandiant plans to release more technical details about those VMCI backdoors in a future post.

The complete list with indicators of compromise and YARA rules to detect UNC3886 activity is at the bottom of Mandiant's report.”

Source: https://www.bleepingcomputer.com/ne...se-linux-rootkits-to-hide-on-vmware-esxi-vms/
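The backdoored-SSH item above pairs two things a defender can check on a RHEL-family host: package-managed binaries whose contents no longer match the RPM database, and packages pinned with yum-versionlock so updates never replace them. The script below is an added example (not code from the article or from Mandiant's report) that cross-references the two. The `rpm -V` and `yum versionlock list` lines are constructed samples, and `SAMPLE_OWNER_OF` is a hand-written stand-in for `rpm -qf`; on a live host you would capture those outputs and pass them in.

```python
"""Flag package-managed SSH binaries that fail RPM verification while their
package is pinned by yum-versionlock (the persistence trick in the report)."""
import re

# One `rpm -V` line: 9-char attribute mask (or "missing"), optional file-type
# flag such as 'c' for config files, then the path.
RPM_VERIFY_LINE = re.compile(
    r"^(?P<mask>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$"
)

# One versionlock entry, e.g. "0:openssh-server-8.0p1-17.el8.*" (yum) or
# "openssh-server-0:8.0p1-17.el8.*" (dnf); the name precedes "-version-release".
VERSIONLOCK_ENTRY = re.compile(r"^(?:\d+:)?(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")

# Constructed sample: both SSH binaries changed size/digest/mtime ('S', '5',
# 'T'); sshd_config only has a newer mtime, which is normal for a config file.
SAMPLE_RPM_VERIFY = """\
S.5....T.    /usr/bin/ssh
S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/sshd_config
"""

# Constructed sample of `yum versionlock list` output.
SAMPLE_VERSIONLOCK = """\
Loaded plugins: versionlock
0:openssh-8.0p1-17.el8.*
0:openssh-server-8.0p1-17.el8.*
0:openssh-clients-8.0p1-17.el8.*
0:kernel-4.18.0-477.el8.*
versionlock list done
"""

# Constructed stand-in for `rpm -qf <path>` (file -> owning package).
SAMPLE_OWNER_OF = {
    "/usr/bin/ssh": "openssh-clients",
    "/usr/sbin/sshd": "openssh-server",
    "/etc/ssh/sshd_config": "openssh-server",
}


def parse_rpm_verify(text):
    """Return one dict per `rpm -V` failure line."""
    entries = []
    for raw in text.splitlines():
        m = RPM_VERIFY_LINE.match(raw.strip())
        if not m:
            continue
        mask = m.group("mask")
        entries.append({
            "path": m.group("path"),
            "ftype": m.group("ftype"),
            "missing": mask == "missing",
            "size_changed": "S" in mask,
            "digest_changed": "5" in mask,
        })
    return entries


def parse_versionlock(text):
    """Return the set of package names that are pinned (header/footer lines
    never contain two dashes, so they simply fail to match)."""
    locked = set()
    for raw in text.splitlines():
        m = VERSIONLOCK_ENTRY.match(raw.strip())
        if m:
            locked.add(m.group("name"))
    return locked


def find_suspicious(verify_text, lock_text, owner_of):
    """Modified non-config files are 'medium'; if the owning package is also
    pinned against updates the finding is rated 'high'."""
    locked = parse_versionlock(lock_text)
    findings = []
    for entry in parse_rpm_verify(verify_text):
        if entry["ftype"] == "c":
            continue  # edited config files are expected on most hosts
        if not (entry["missing"] or entry["size_changed"] or entry["digest_changed"]):
            continue  # e.g. only the mtime changed
        pkg = owner_of.get(entry["path"])
        pinned = pkg in locked
        findings.append({
            "path": entry["path"],
            "package": pkg,
            "pinned": pinned,
            "severity": "high" if pinned else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_RPM_VERIFY, SAMPLE_VERSIONLOCK, SAMPLE_OWNER_OF):
        print(f"[{f['severity']}] {f['path']} ({f['package']}) pinned={f['pinned']}")
```

Run as-is it reports `/usr/bin/ssh` and `/usr/sbin/sshd` as high because the pinned openssh packages own them; `sshd_config` is skipped because only its mtime differs and it is a config file. The RPM database itself can be tampered with, so treat a clean `rpm -V` as one signal, not proof.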
 
Wonder if this is why so many big names have had so many breaches over the past month.
I wouldn’t be surprised to find them all running VMWare.
 
Literally patched 3 vCenters today because of some vulnerability. This is wild, like every other week they find something on one of our infra systems.
We are a huge corporation with factories etc. We can't install fresh releases so often; sometimes all it does is introduce new issues.
 
Lakados said:
Wonder if this is why so many big names have had so many breaches over the past month.
I wouldn’t be surprised to find them all running VMWare.
To be fair, it's not like big companies have any real alternative for on-prem data centers. We tried Nutanix AHV; no one was impressed.
 
Nerds are prob pissed at what Broadcom is doing to VMware, so this is the result. I'm prob going to have to move the company I work for to Proxmox.
 
T_A said:
To be fair, it's not like big companies have any real alternative for on-prem data centers. We tried Nutanix AHV; no one was impressed.
I made the change to HyperV cluster stacks a year or so ago and I’m not going back.
The virtual GPUs are still a problem though so I don’t have a good alternative yet for remote workstations. Microsoft requires dedicated GPU’s and you can’t share them anymore.
But given that sharing those sorts of resources is why VMware is such a mess (shown above), that's probably why Microsoft axed it.
 
Lakados said:
I made the change to HyperV cluster stacks a year or so ago and I’m not going back.
The virtual GPUs are still a problem though so I don’t have a good alternative yet for remote workstations. Microsoft requires dedicated GPU’s and you can’t share them anymore.
But given that sharing those sorts of resources is why VMware is such a mess (shown above), that's probably why Microsoft axed it.
GPU Partitioning and SR-IOV. Hyper-V 2022 and 2025 I believe? May also require Nvidia GRID licensing or AMD equivalent.
 
LodeRunner said:
GPU Partitioning and SR-IOV. Hyper-V 2022 and 2025 I believe? May also require Nvidia GRID licensing or AMD equivalent.
Microsoft killed RemoteFX and currently only supports GPUs via direct assignment.
Supposedly you can now “partition” GPU’s but my tests with my P6000’s haven’t gone well and it’s unstable as all hell.

NVidia and Microsoft only support it officially on the NVidia A and L series currently so maybe I just need to upgrade my test bench.

https://learn.microsoft.com/en-us/w...yper-v/gpu-partitioning?pivots=windows-server

So…. Yeah.
Maybe I put in a request to do that.

I really want to retire that Horizon server stack… so painful to deal with.
 
Shoganai said:
There's a lot of crap happening with Linux lately. Also, VMware is a steaming pile.
I know more than a few open source devs who are tired. They don’t get funding for “important” projects until something bad happens and sponsors take notice they need them. Then they get a cash infusion to fix the issues and once things have died down so does the money.

Once policed policies go overlooked and bad actors sneak in. Code may be open and anybody can look it over but an ever decreasing number of people are capable of actually reading it.
 
Lakados said:
Microsoft killed RemoteFX and currently only supports GPUs via direct assignment.
Supposedly you can now “partition” GPU’s but my tests with my P6000’s haven’t gone well and it’s unstable as all hell.

NVidia and Microsoft only support it officially on the NVidia A and L series currently so maybe I just need to upgrade my test bench.

https://learn.microsoft.com/en-us/w...yper-v/gpu-partitioning?pivots=windows-server

So…. Yeah.
Maybe I put in a request to do that.

I really want to retire that Horizon server stack… so painful to deal with.
I don't know that I'd try this in production, but if/when I get a second GPU I'll be trying it in my HV cluster at home: https://www.reddit.com/r/HyperV/comments/vph5lw/windows_server_2022_gpup_virtualization_working/

After I upgrade the nodes to 2022 that is. Running 2019 right now. Going to use my home cluster to practice the upgrade before doing it at work. I do not want to do clean installs because reconfiguring all the network interfaces sucks and I don't have the budget for SC-VMM which would make things easier.

Edit: I currently use DDA and a P2000 for my media server in Hyper-V, and DDA means no live migration, which I want. Maybe in 2022 they fixed the bug where in 2019 running VMs aren't given time to properly shutdown when the host restarts?
 
Lakados said:
I know more than a few open source devs who are tired. They don’t get funding for “important” projects until something bad happens and sponsors take notice they need them.
Basically how all of us feel at this point. :dead:
 
Sometimes when I read stuff like this, I wonder if technology will ever go "backwards" to safe-guard data. It reminds me of the book Dune where they have all of this crazy advanced weaponry, but because of the creation of shields and personal shields, they fell back into performing hand to hand combat.

These kinds of breaches will only get worse, at least until they create insane AI based detection/prevention mechanisms that will respond by becoming what we now know as Skynet lol.
 