VMware Breached; Code in Wild

Monday, April 30, 2012 @ 04:04 PM gHale

Hypervisors provide the platform where virtualized guest operating systems run, and are therefore a core component of any business’s virtual infrastructure. They are also a potential security weak point.

Those weak points came to fruition with VMware confirming source code dating to 2003 and 2004 ended up publicly released by a hacker called Hardcore Charlie. In addition, the hacker said the release was a “sneak peak” of the 300 MB of VMware source code that is in his possession, which he said he will publicly release May 5.

RELATED STORIES
One Site can end up a Malicious Hive
Flashback Variant Hits Macs
Attack Vector: Phishing Real or Phony?
Tool to Counter Cyber Threats

Iain Mulholland, director of the VMware Security Response Center, said the company’s security team had confirmed a file published containing VMware ESX source code. He promised VMware would update its customers as it learned more.

VMware now ships a more lightweight, embedded version of ESX, dubbed ESXi, on new servers. ESX and ESXi are “bare-metal embedded hypervisors,” meaning they run directly on server hardware.

VMware is downplaying any security threats that might result from the source code disclosure.

“The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers,” Mulholland said. “VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today.” He also said some of the documents leaked by Hardcore Charlie was source code review documents, which would have been able to help describe it to VMware insiders, as well as with business partners.

Charlie said he obtained the VMware kernel source code via March attacks against China Electronics Import & Export Corporation (CEIEC). He said he’d also attacked — and still had access to — China North Industries Corporation (Norinco), WanBao Mining, Ivanho, and PetroVietnam. Earlier this month, he released a preview of stolen information via Pastebin, as well as images of multiple documents, some of which appear to be Chinese intercepts of U.S. military transportation documents pertaining to Afghanistan.

Charlie said he breached CEIEC by first stealing hundreds of thousands of encrypted credentials for Web-based email accounts at Sina.com. He said he then reached out to hacker Yama Tough–who released Symantec source code in January–to help crack the credentials. At that point, he and a group of hackers began looking for accounts of interest.