"For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice...with potentially no way for a targeted computer to detect the intrusion... Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign. By planting their own code in victims’ so-called hypervisors—VMware software that runs on a physical computer to manage all the virtual machines it hosts—the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee..." https://www.wired.com/story/hyperjacking-vmware-mandiant/
Yes, but shouldn't this be easily solvable by simply monitoring or protecting the hypervisor from any modification? Similar to how M$ decided to protect the Windows OS kernel with PatchGuard back in 2006.
You'd think. Seems reasonable. They probably never considered that anyone would be able to do what is being done.
Well, they should have considered this, since back in 2006 this was already being talked about. I did see that M$ has added HVCI to Windows 11, which protects the kernel from malicious drivers. Cool, but who is monitoring the hypervisor itself? I remember that back in the day you had Hypersight Rootkit Detector, which was the first anti-rootkit tool that ran with higher privileges than the rootkits themselves; pretty cool stuff, see the second link. https://www.microsoft.com/security/...curity-features-are-designed-for-hybrid-work/ https://www.softpedia.com/get/Security/Security-Related/Hypersight-Rootkit-Detector.shtml