Virtual Machines as Attack Source

Wednesday, August 24, 2016 @ 02:08 PM gHale


Attackers are using a new approach to hide their activities by installing and running a virtual machine, researchers said.

Virtual machines emulate file systems and, most of the time, a fully running operating system that runs inside an existing operating system.

Virtual machines are generally used by software developers to test products and often end up embedded in other applications, such as some security software.

In one incident, a user’s security platform detected some strange events on July 28, said researchers at security provider SecureWorks.

After requesting more logs to analyze from the affected company’s sysadmin, the researchers discovered the log lines that made their product trigger the alert.

“The adversary had achieved a level of access that allowed them to interact with the Windows Explorer shell via the Terminal Services Client,” SecureWorks Counter Threat Unit (CTU) researchers said in a post.

The intruder tried to start a virtual machine on the infected host. The machine the intruder managed to gain access to was itself a virtual machine, and virtual machines can’t embed inside each other.

“The events show the adversary using the MMC (Microsoft Management Console) to create and attempt to launch a new VM. When the new VM did not start, the threat actor deleted it,” CTU researchers said.

The attacker failed in his attempt, but this shows a new tactic attackers are now using to hide their activity on hacked systems.

Their plan is very smart and well thought through: after setting up and launching a virtual machine, the attackers would have been able to connect to the VM and execute malicious actions, such as exfiltrating sensitive data, out of the reach of security products.
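As an added example (not from this article or from SecureWorks), the sequence the CTU researchers describe, a VM created, failing to start, then deleted, can be expressed as a detection over VM lifecycle events. The event schema, host names and 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: hosts where VM administration is expected (hypothetical names).
APPROVED_VM_HOSTS = {"hv-lab01"}
# Assumption: a VM deleted this soon after creation counts as short-lived.
WINDOW = timedelta(minutes=30)

# Constructed sample events in a hypothetical normalized schema:
# (timestamp, host, user, action, VM name)
EVENTS = [
    ("2000-01-01T10:02:10", "srv-app01", "jdoe", "vm_create", "New Virtual Machine"),
    ("2000-01-01T10:02:40", "srv-app01", "jdoe", "vm_start_failed", "New Virtual Machine"),
    ("2000-01-01T10:03:30", "srv-app01", "jdoe", "vm_delete", "New Virtual Machine"),
    ("2000-01-01T11:00:00", "hv-lab01", "admin", "vm_create", "build-agent"),
    ("2000-01-01T11:01:00", "hv-lab01", "admin", "vm_start", "build-agent"),
    ("2000-01-01T12:00:00", "srv-db02", "ops", "vm_create", "test"),
    ("2000-01-01T15:00:00", "srv-db02", "ops", "vm_delete", "test"),
]


def unexpected_vm_activity(events, approved=APPROVED_VM_HOSTS, window=WINDOW):
    """Return one finding per VM created on a host outside the approved set.

    Each finding records whether the VM failed to start and whether it was
    deleted within `window` of creation (the create/fail/delete pattern).
    """
    vms = {}  # (host, vm name) -> finding
    for ts, host, user, action, target in sorted(events):
        if host in approved or not action.startswith("vm_"):
            continue
        when = datetime.fromisoformat(ts)
        key = (host, target)
        if action == "vm_create":
            vms[key] = {"host": host, "vm": target, "user": user, "created": when,
                        "start_failed": False, "short_lived": False}
        elif key in vms and action == "vm_start_failed":
            vms[key]["start_failed"] = True
        elif key in vms and action == "vm_delete":
            vms[key]["short_lived"] = when - vms[key]["created"] <= window
    return list(vms.values())


if __name__ == "__main__":
    for finding in unexpected_vm_activity(EVENTS):
        print(finding)
```

Any finding is worth a look, since the host was not expected to run VMs at all; a finding with both `start_failed` and `short_lived` set matches the behaviour reported in this incident.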