China-Linked WARP PANDA Targets VMware vCenter with Advanced Malware
A sophisticated cyber espionage group, identified as WARP PANDA, has been actively infiltrating VMware vCenter environments across critical U.S. sectors, including legal, technology, and manufacturing industries. This group’s operations, dating back to late 2023, signify a notable escalation in cloud-based cyberattacks aimed at establishing prolonged access to sensitive networks and data repositories.
Infiltration Tactics and Tools
WARP PANDA initiates its attacks by compromising internet-facing edge devices, subsequently pivoting to vCenter environments. They exploit known vulnerabilities or utilize stolen credentials to gain initial access. Once inside, the group deploys a suite of sophisticated tools designed to maintain persistent access and evade detection:
– BRICKSTORM Malware: This primary backdoor, written in Golang, masquerades as legitimate vCenter processes such as `updatermgr` or `vami-http`. It communicates with command-and-control servers via WebSocket connections encrypted with TLS, employing advanced obfuscation techniques to avoid network detection. BRICKSTORM also utilizes DNS-over-HTTPS for domain resolution and creates nested TLS channels, leveraging public cloud services like Cloudflare Workers and Heroku for infrastructure hosting.
– JSP Web Shells: These web shells provide the attackers with remote control over compromised servers, facilitating further exploitation and data exfiltration.
– Junction and GuestConduit Implants: These previously unknown implants work in tandem, with Junction listening on port 8090 to communicate with guest virtual machines through VM sockets, while GuestConduit facilitates network traffic tunneling within virtual machines.
Exploited Vulnerabilities
WARP PANDA has been observed exploiting several critical vulnerabilities to achieve their objectives:
– CVE-2024-21887 and CVE-2023-46805: Authentication bypass and remote command execution vulnerabilities in Ivanti Connect Secure VPN and Ivanti Policy Secure.
– CVE-2024-38812: A heap-overflow vulnerability in VMware vCenter’s DCERPC protocol implementation, allowing remote code execution.
– CVE-2023-46747: An authentication bypass vulnerability in F5 BIG-IP devices.
– CVE-2023-34048: An out-of-bounds write vulnerability in VMware vCenter’s DCERPC protocol, enabling remote code execution.
– CVE-2021-22005: A critical-severity vulnerability affecting VMware vCenter servers.
Persistence and Evasion Techniques
To maintain long-term access and evade detection, WARP PANDA employs several advanced techniques:
– SSH and vpxuser Account Utilization: The group uses SSH and the privileged `vpxuser` account for lateral movement within the network.
– Log Manipulation: They clear logs and modify file timestamps to cover their tracks.
– Malicious Virtual Machines: The attackers create unregistered malicious virtual machines that are shut down after use to avoid detection.
– Traffic Tunneling: They tunnel traffic through compromised systems to blend malicious communications with legitimate network activity.
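Two of the indicators above, a process using one of the names BRICKSTORM imitates but running from an unexpected location, and a virtual machine configuration present on a datastore yet absent from the vCenter inventory, can be checked from exported data. The following Python is an added illustration, not code from any vendor report; the trusted-path allowlist, the datastore paths and the `ps` sample are constructed assumptions.

```python
# Constructed sample: VM config paths registered in the vCenter inventory.
REGISTERED_VMX = {
    "[datastore1] web01/web01.vmx",
    "[datastore1] db01/db01.vmx",
}

# Constructed sample: every .vmx file found by walking the datastore folders.
DATASTORE_VMX = [
    "[datastore1] web01/web01.vmx",
    "[datastore1] db01/db01.vmx",
    "[datastore1] .cache/sysupd.vmx",  # on disk, absent from inventory
]

# Constructed sample of `ps -eo pid,comm,args` output from the appliance.
PS_OUTPUT = """\
  PID COMMAND         COMMAND
  812 sshd            /usr/sbin/sshd -D
 1404 updatermgr      /tmp/.x/updatermgr -c /tmp/.x/cfg
 2210 vami-http       /opt/vmware/bin/vami-http
"""

# Process names the report says BRICKSTORM imitates.
MASQUERADE_NAMES = {"updatermgr", "vami-http"}
# Assumed allowlist: directories a genuine appliance binary would run from.
TRUSTED_PREFIXES = ("/usr/", "/opt/vmware/", "/usr/lib/vmware/")


def unregistered_vms(datastore_vmx, registered_vmx):
    """Return .vmx files that exist on a datastore but are not in the inventory."""
    return sorted(set(datastore_vmx) - set(registered_vmx))


def suspicious_processes(ps_text):
    """Return (pid, name, exe) for masquerade names executing outside trusted paths."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        pid, name, args = fields
        exe = args.split()[0]
        if name in MASQUERADE_NAMES and not exe.startswith(TRUSTED_PREFIXES):
            hits.append((int(pid), name, exe))
    return hits


if __name__ == "__main__":
    for vmx in unregistered_vms(DATASTORE_VMX, REGISTERED_VMX):
        print("unregistered VM config:", vmx)
    for pid, name, exe in suspicious_processes(PS_OUTPUT):
        print(f"process {name} (pid {pid}) runs from untrusted path {exe}")
```

A hit from either check is a lead for triage, not proof of compromise: confirm the binary hash and the VM's creation time and owner before acting.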
Recommendations for Mitigation
Organizations utilizing VMware vCenter should implement the following measures to mitigate the risk posed by WARP PANDA:
1. Patch Management: Regularly update and patch all systems, especially those with known vulnerabilities exploited by WARP PANDA.
2. Network Segmentation: Isolate critical systems and limit network access to management interfaces.
3. Monitoring and Logging: Implement robust monitoring and logging mechanisms to detect unauthorized access attempts and unusual network activity.
4. Credential Management: Regularly audit and manage credentials, ensuring that privileged accounts like `vpxuser` are monitored and secured.
5. Incident Response Planning: Develop and regularly update incident response plans to quickly address potential breaches.
By proactively addressing these areas, organizations can enhance their defenses against sophisticated threat actors like WARP PANDA and protect their critical infrastructure from potential compromise.