Malicious Virtual Machines and Advanced Exploitation Techniques

In a landscape where cyber threats are constantly evolving, cybercriminals are continually looking for ways to bypass traditional defenses. One of the most recent and devastating tactics involves using malicious virtual machines (VMs) to evade detection and compromise critical infrastructures. These types of attacks, now frequent enough to be included in the MITRE ATT&CK framework in 2023 (T1564.006), represent a major shift in how cyberattackers infiltrate networks and manage to remain hidden for long periods.

Key Statistics

  • 20% of companies view this as one of the hardest threats to detect. (Source: CyberSecurity Insiders, 2023 Insider Threat Report)
  • 43% increase in ransomware attacks compared to the previous year. (Source: S21sec Threat Landscape Report 2023)

A Real and Present Threat

In 2024, Defants intervened to assist a French municipality facing a ransomware attack. During the operation, the cybercriminals deployed a malicious virtual machine to evade traditional detection tools. This case illustrates a tactic identified by MITRE ATT&CK, which has recognized the growing use of VMs by attackers as a method of evading security tools. MITRE's addition of this technique to the framework underscores the severity of the threat and compels security teams to rethink their detection strategies.

A Tactic Becoming Critical

The inclusion of malicious virtual machines in the MITRE ATT&CK framework demonstrates just how critical this tactic has become for cybercriminals. VMs allow attackers to stay under the radar of traditional security tools, making detection more challenging and the attacks more damaging.

François Khourbiga, CEO and Co-founder at Defants

Mapping Malicious Virtual Machines with Defants AIR

During this incident, two malicious VMs were identified as key elements used by attackers to conduct their activities. With the help of Defants AIR (Automated Incident Response), the team was able to map the entire attack sequence, from the initial connection to multiple connection attempts and unauthorized access efforts.

Defants analysts traced the entire attack lifecycle, uncovering connections to various system hosts and recording both failed and successful connection attempts. The graph-based mapping provided by Defants AIR highlighted moments where the attacker used compromised identities to escalate privileges and bypass defenses.


Extended Infiltration: The Virtual Machine as a Stealth Weapon

In this case, the malicious virtual machine allowed attackers to extend their compromise undetected. They used it to run sophisticated exploitation tools while blending seamlessly into the existing infrastructure.

Joffrey Mourey, Deputy Manager at CERT DEFANTS

A Dangerous Game of Hide-and-Seek

This attack exemplifies how cyber threats continue to evolve. The attackers used the virtual machine as an anchor point to deploy malicious tools, gain access to backup servers, and exfiltrate sensitive data. By hiding behind the isolation and apparent legitimacy of a VM, they were able to operate for weeks before the full extent of the attack was uncovered.

The MITRE ATT&CK framework now includes this tactic, signaling that it has become a major vector for sophisticated attacks.

What This Means for You

Cybercriminals are constantly refining their methods, and malicious virtual machines have become a strategic asset in their arsenal. The addition of this technique to the MITRE ATT&CK framework underscores its growing prevalence. It is essential to take action to secure your infrastructure:

  • Actively monitor virtual environments for any unusual activity.
  • Strengthen detection capabilities with specialized tools like Defants AIR, which provides rapid, automated incident response.
  • Perform regular security audits to stay ahead of emerging threats.
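As an added defender's example (not code from Defants, MITRE, or the original page), the following Python flags hypervisor processes or VM disk images observed on hosts that are not approved to run virtual machines, which is the kind of check behind "monitor virtual environments for unusual activity" for ATT&CK T1564.006. The process names, file extensions, approved-host inventory and sample telemetry are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Process names shipped by common hypervisors (assumed, illustrative list; extend for your estate).
HYPERVISOR_PROCESSES = {
    "vmware-vmx.exe", "vmware-vmx", "vmwp.exe", "vboxheadless.exe",
    "vboxheadless", "virtualboxvm.exe", "qemu-system-x86_64", "qemu-system-x86_64.exe",
}
# VM disk / appliance image extensions: a renamed hypervisor binary still needs one of these.
VM_IMAGE_RE = re.compile(r"\.(vhdx?|vmdk|vdi|qcow2|ova|ovf)\b", re.IGNORECASE)
# Hosts where virtualization is expected (constructed inventory; in practice pull this from your CMDB).
APPROVED_VM_HOSTS = {"hv-cluster-01", "dev-ws-17"}


@dataclass(frozen=True)
class ProcessRecord:
    host: str
    user: str
    name: str
    cmdline: str


def classify(record):
    """Return a reason string if the record looks like an unapproved VM, else None."""
    if record.host in APPROVED_VM_HOSTS:
        return None
    if record.name.lower() in HYPERVISOR_PROCESSES:
        return "hypervisor process on host not approved for virtualization"
    if VM_IMAGE_RE.search(record.cmdline):
        return "command line references a VM disk image on an unapproved host"
    return None


def find_unexpected_vms(records):
    """Return one alert dict per suspicious process record, preserving telemetry order."""
    alerts = []
    for r in records:
        reason = classify(r)
        if reason:
            alerts.append({"host": r.host, "user": r.user, "process": r.name, "reason": reason})
    return alerts


# Constructed sample telemetry (hosts, users and paths are made up for this example).
SAMPLE = [
    ProcessRecord("hv-cluster-01", "SYSTEM", "vmwp.exe", "vmwp.exe {guid}"),
    ProcessRecord("dev-ws-17", "alice", "VirtualBoxVM.exe", "VirtualBoxVM.exe --startvm ubuntu-lab"),
    ProcessRecord("file-srv-03", "svc_backup", "VBoxHeadless.exe", r"C:\Users\Public\vb\VBoxHeadless.exe --startvm w10"),
    ProcessRecord("file-srv-03", "svc_backup", "updater.exe", r"updater.exe --startvm srv --hda C:\Users\Public\sys.vmdk"),
    ProcessRecord("dc-02", "Administrator", "qemu-system-x86_64.exe", r"qemu-system-x86_64.exe -hda C:\ProgramData\img.qcow2"),
    ProcessRecord("file-srv-03", "svc_backup", "explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for alert in find_unexpected_vms(SAMPLE):
        print(alert)
```

The approved-host allowlist is what turns a noisy "any hypervisor" rule into an actionable one; a hypervisor appearing on a file server or domain controller, as in the sample, is the case worth paging on.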

Working with Defants, you can anticipate attacks and safeguard your systems against the most advanced threats, including malicious virtual machines.
