The Art of Attacking and Defending Centralized Infrastructure: vCenter in Real-World Offense and Defense

## 1. vCenter from the attacker's perspective

In real offensive and defensive engagements, attackers pay more and more attention to vCenter. Because it manages a large number of assets and holds broad privileges, a successful compromise quickly gives the attacker a base of operations and favourable conditions for follow-on attacks.

At root, attackers like vCenter because its known vulnerabilities do most of the work for them: exploiting an unpatched flaw often achieves a great deal with little effort.

Vulnerabilities and techniques commonly used against vCenter include CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, the provider-logo SSRF, Log4j2 JNDI injection (Log4Shell), SAML certificate login (forging SSO tokens with the signing certificate), CVE-2022-22948 (improper file permissions leading to information disclosure) and CVE-2021-22015 (local privilege escalation). They are used to obtain an initial foothold or to escalate privileges, and so set up the deeper post-exploitation that follows.

For an attacker, going after vCenter serves a clear purpose:

1. Why attack vCenter?

vCenter has earned the nickname "small domain controller". Taking it over yields more than one server: the virtual machines and ESXi hosts it manages become the next targets, so the value of compromising vCenter is no less than that of a domain controller.

2. How is vCenter found on the public network?

Use search-engine syntax to find vCenter servers exposed on the public network. The vCenter appliance management interface (VAMI) listens on port 5480, so that port is the usual search term. vCenter can also be recognised from the web page title when fingerprinting with a tool: the vSphere Client landing page carries the unexpanded placeholder title="+ID_VC_Welcome+".

3. What comes after obtaining vCenter access?

After obtaining some level of vCenter access, keep collecting information; the virtual machines and ESXi hosts managed by that vCenter become the main targets.

## 2. How do attackers attack vCenter?

Attackers have many ways into vCenter, and as tradecraft has matured a number of typical attack paths have emerged. Some of them are described below:

Path one:


1. The attacker probes the public-facing vCenter service, determines that its version is affected by CVE-2021-21972, and exploits it through the vsphere-ui service to obtain a webshell on the vCenter Server host.

2. Using CVE-2022-22948 (vCenter configuration files readable by low-privileged local accounts such as vsphere-ui), the attacker obtains the credentials of the vpxuser account, which vCenter uses to manage its ESXi hosts.

3. With the vpxuser credentials the attacker connects to the ESXi server over SSH (where the ESXi SSH service is enabled) and takes full control of the host.
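Step 1 of path one, like question 2 in section 1, rests on fingerprinting vCenter from the outside. The following is an added example, not code from the original post. It works offline against constructed responses: it checks the landing-page title for the +ID_VC_Welcome+ placeholder, records whether port 5480 is open, and reads the vSphere API version from /sdk/vimServiceVersions.xml, an endpoint the post does not mention and which is an assumption here. The API version is coarser than a build number, so it only narrows the candidate CVE list; confirming that a host is vulnerable to CVE-2021-21972 still requires the exact build. probe_live() runs the same checks against a real host and is left for the reader to call.

```python
"""Fingerprint a host as vCenter Server from the markers named in the text.

Added example, not code from the original post.  Runs offline against the
constructed responses below; probe_live() applies the same checks to a real
host.  The /sdk/vimServiceVersions.xml lookup is an assumption beyond the
text and yields the API version, not the build number.
"""
import re
import socket
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

VAMI_PORT = 5480                      # appliance management interface
CLIENT_PORT = 443                     # vSphere Client / Web Services API
WELCOME_MARKER = "+ID_VC_Welcome+"    # unexpanded title placeholder on the landing page
VERSIONS_PATH = "/sdk/vimServiceVersions.xml"

# Constructed responses standing in for what a real vCenter returns.
SAMPLE_LANDING_PAGE = (
    '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">'
    "<title>+ID_VC_Welcome+</title></head><body></body></html>"
)
SAMPLE_VERSIONS_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<namespaces version="1.0">
  <namespace>
    <name>urn:vim25</name>
    <version>7.0.2.0</version>
    <priorVersions>
      <version>7.0.1.0</version>
      <version>7.0.0.0</version>
    </priorVersions>
  </namespace>
</namespaces>
"""


def looks_like_vcenter(html: str) -> bool:
    """True if the page title is the vSphere Client welcome placeholder."""
    m = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return bool(m and WELCOME_MARKER in m.group(1))


def api_version(xml_text: str) -> Optional[str]:
    """Return the current urn:vim25 API version from vimServiceVersions.xml, or None."""
    try:
        root = ET.fromstring(xml_text.strip().encode("utf-8"))
    except ET.ParseError:
        return None
    for ns in root.iter("namespace"):
        if ns.findtext("name") == "urn:vim25":
            return ns.findtext("version")
    return None


def fingerprint(landing_page: str, versions_xml: str, vami_open: bool) -> Dict[str, object]:
    """Combine the three signals into one verdict."""
    is_vc = looks_like_vcenter(landing_page)
    return {
        "vcenter": is_vc,
        "api_version": api_version(versions_xml) if is_vc else None,
        "vami_open": vami_open,
    }


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect check, used for the VAMI port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_live(host: str) -> Dict[str, object]:
    """Same checks against a real host.  vCenter usually has a self-signed
    certificate, so verification is disabled for this fingerprinting only."""
    ctx = ssl._create_unverified_context()

    def fetch(path: str) -> str:
        req = urllib.request.Request(f"https://{host}:{CLIENT_PORT}{path}")
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")

    try:
        page, versions = fetch("/"), fetch(VERSIONS_PATH)
    except (OSError, ValueError):
        return {"vcenter": False, "api_version": None, "vami_open": port_open(host, VAMI_PORT)}
    return fingerprint(page, versions, port_open(host, VAMI_PORT))


if __name__ == "__main__":
    print(fingerprint(SAMPLE_LANDING_PAGE, SAMPLE_VERSIONS_XML, vami_open=True))
```

Run the file to see the verdict for the constructed responses; call probe_live("vcenter.example.internal") against a host you are authorised to test. Treat "vcenter": True plus an API version in the 6.5 to 7.0 range as a reason to check the build against the advisory for the CVEs listed above, not as proof of exposure.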

Path two:


1. The attacker discovers a vulnerable vCenter service and exploits the vulnerability to take control of vCenter.

2. Through information gathering, an account with administrator privileges is obtained.

3. The credentials of the vpxuser account are exported.

4. The vpxuser credentials are used to SSH into ESXi and change the ESXi root password.

Path three:


1. The attacker first gets past the perimeter firewall and gains initial access to a corporate web server.

2. Internal reconnaissance reveals a vCenter service. The attacker fingerprints the vCenter version, finds that it is vulnerable, and exploits it.

3. With vCenter under control, the attacker finds that the AD domain controller runs as a virtual machine on this vCenter. A vCenter administrator can reach that VM's console and virtual disks, so the guest's lock screen is not a security boundary: the attacker bypasses it, obtains domain controller access, and controls the entire AD domain.

Path four:

(Figure: attack path four, vCenter reachable only from an IP whitelist; image not reproduced)

In the figure above, only IPs on the whitelist can normally reach vCenter. Even so, this does not guarantee that an attacker cannot reach it; the whitelist can be bypassed in at least two scenarios:

Scenario 1: The firewall itself is vulnerable, or its credentials are leaked. The attacker takes control of the firewall and edits the whitelist policy so that their own address can reach vCenter.

Scenario 2: An administrator whose workstation is on the whitelist is phished, and the attacker takes control of that workstation. The attacker then reaches vCenter from a whitelisted address.

1. After bypassing the firewall IP whitelist, exploit a CVE vulnerability to compromise vCenter.

2. With vCenter under control, bypass the virtual machine lock screen and take control of the virtual machines on the ESXi hosts.

## 3. Losses when vCenter is attacked

If a customer's vCenter is compromised, the following losses may result:

1) Data breach

Attackers can steal sensitive information held in vCenter, such as login credentials, virtual machines, storage configuration and network configuration, and through it the customer's sensitive data: trade secrets, financial records, customer data and so on.

2) Loss of control of the virtualization environment

An attacker who obtains administrator privileges in vCenter controls the entire virtualization environment. By modifying virtual machine, storage and network configuration the attacker can disrupt business operations and cause serious outages.

3) Malware infection

Attackers can install malicious software such as ransomware or cryptominers on the vCenter server, disrupting business operations and encrypting, stealing or tampering with business data.

4) Business standstill

If the vCenter server stops working properly, business downtime follows. For example, if virtual machines managed by vCenter are part of a business-critical application, that application may stop functioning and bring the business to a standstill.

## 4. How to defend vCenter?

Best practices for vCenter security hardening

For vCenter protection, refer to VMware's official best practices, which cover the hardening of each vSphere component, including vCenter and ESXi. We analysed and implemented the official best practices in depth; for details see the vSphere hardening chapter of the ITDR vSphere White Paper, which describes concrete hardening measures for hardening policy, privilege management and password policy.


Zhongan Netstar ITDR (Identity Threat Detection and Response) Platform

The ITDR (Identity Threat Detection and Response) platform is an advanced threat analysis platform for identity threat detection and response launched by Zhongan Netstar, the first ITDR vendor in China. Its protection centres on identity and infrastructure, covering mainstream identity infrastructure and centralized facilities, and spans pre-attack hardening, in-attack monitoring and post-attack blocking, so that the product covers the entire life cycle of attacker activity.

The ITDR platform also offers an end-to-end defensive solution for vCenter, a mainstream centralized facility. The scenario architecture is shown in the following figure:

(Figure: ITDR vCenter protection scenario architecture; image not reproduced)

ITDR platform capabilities

Proactive detection of vCenter-related risks, such as CVE vulnerabilities and baseline deviations, to find out whether historical vulnerabilities or misconfigured risk items exist in vCenter.

Real-time monitoring of attempts to exploit vCenter-related CVEs. Detection now covers all historical vCenter vulnerabilities, so that any vulnerability-based attack against vCenter is visible as it happens.

Real-time monitoring of abuse of vCenter's own functions, such as creating roles, creating users, adding permissions, cloning virtual machines and bypassing lock screens, so that when an attacker with vCenter access uses its built-in functions for post-exploitation, the behaviour is seen in real time.

Deploying a vCenter honeypot account to actively trap attackers and surface suspicious activity earlier.
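The function-abuse monitoring and the honeypot account just described can be expressed as a few rules over vCenter's own event stream. The following is an added example, not code from the original post or from the ITDR product. It uses the vim.event type names the vSphere API records for those actions (RoleAddedEvent, PermissionAddedEvent, PermissionUpdatedEvent, VmClonedEvent, UserLoginSessionEvent); the event records, the admin IP allow-list, the domain-controller watchlist and the decoy account are all constructed for the example.

```python
"""Flag abuse of built-in vCenter functions in exported vSphere events.

Added example, not from the original post or any vendor product.  Event type
names are vim.event.* classes from the vSphere API; the records, allow-list,
watchlist and decoy account are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Post-exploitation actions the text names, and the vSphere event that records each.
SENSITIVE_EVENTS = {
    "RoleAddedEvent": "new role created",
    "RoleUpdatedEvent": "role privileges changed",
    "PermissionAddedEvent": "permission granted on an inventory object",
    "PermissionUpdatedEvent": "existing permission changed",
    "VmClonedEvent": "virtual machine cloned",
}
PRIVILEGE_EVENTS = {"RoleAddedEvent", "RoleUpdatedEvent",
                    "PermissionAddedEvent", "PermissionUpdatedEvent"}

# Constructed records: a service account logs in from an unexpected address, builds
# itself privileges and clones a domain controller; later the decoy account is used
# from a whitelisted address (the phished-admin scenario of path four).
SAMPLE_EVENTS = [
    {"createdTime": "2023-07-19T10:00:00", "eventType": "UserLoginSessionEvent",
     "userName": "administrator@vsphere.local", "ipAddress": "10.0.5.21"},
    {"createdTime": "2023-07-19T10:02:10", "eventType": "UserLoginSessionEvent",
     "userName": "svc-backup@vsphere.local", "ipAddress": "172.16.9.44"},
    {"createdTime": "2023-07-19T10:03:00", "eventType": "RoleAddedEvent",
     "userName": "svc-backup@vsphere.local", "detail": "role 'Monitoring Helper'"},
    {"createdTime": "2023-07-19T10:03:30", "eventType": "PermissionAddedEvent",
     "userName": "svc-backup@vsphere.local", "detail": "Monitoring Helper on Datacenters"},
    {"createdTime": "2023-07-19T10:04:15", "eventType": "PermissionUpdatedEvent",
     "userName": "svc-backup@vsphere.local", "detail": "role changed to Administrator"},
    {"createdTime": "2023-07-19T10:06:00", "eventType": "VmClonedEvent",
     "userName": "svc-backup@vsphere.local", "vm": "DC01"},
    {"createdTime": "2023-07-19T10:30:00", "eventType": "VmPoweredOnEvent",
     "userName": "administrator@vsphere.local", "vm": "web-02"},
    {"createdTime": "2023-07-19T10:45:00", "eventType": "UserLoginSessionEvent",
     "userName": "svc-vcbackup@vsphere.local", "ipAddress": "10.0.5.22"},
]
ALLOWED_ADMIN_IPS = {"10.0.5.21", "10.0.5.22"}      # the firewall whitelist of path four
WATCHLIST_VMS = {"DC01", "DC02"}                      # domain controllers hosted on vCenter
HONEYPOT_ACCOUNTS = {"svc-vcbackup@vsphere.local"}    # decoy account that is never used legitimately


@dataclass
class Alert:
    time: str
    rule: str
    severity: str
    user: str
    detail: str


def detect(events: Iterable[dict], allowed_ips: Set[str], watchlist: Set[str],
           honeypots: Set[str], window: timedelta = timedelta(minutes=5),
           burst: int = 3) -> List[Alert]:
    alerts: List[Alert] = []
    priv_times: Dict[str, List[datetime]] = defaultdict(list)
    burst_reported: Set[str] = set()
    for e in sorted(events, key=lambda ev: ev["createdTime"]):
        t, kind, user = e["createdTime"], e["eventType"], e["userName"]
        ip = e.get("ipAddress", "")
        # Any activity by a decoy account is an attacker, whatever the source address.
        if user in honeypots:
            alerts.append(Alert(t, "honeypot_account_used", "critical", user, f"{kind} from {ip or 'n/a'}"))
        # Logins from outside the admin whitelist (a bypassed firewall or a new source).
        if kind == "UserLoginSessionEvent" and ip not in allowed_ips:
            alerts.append(Alert(t, "login_outside_allowlist", "medium", user, f"login from {ip}"))
        # Built-in functions the text lists: roles, permissions, clones.
        if kind in SENSITIVE_EVENTS:
            alerts.append(Alert(t, "sensitive_action", "medium", user,
                                f"{SENSITIVE_EVENTS[kind]}: {e.get('detail') or e.get('vm', '')}"))
        # A clone gives disk access to a domain controller without touching its lock screen.
        if kind == "VmClonedEvent" and e.get("vm") in watchlist:
            alerts.append(Alert(t, "watchlist_vm_cloned", "high", user, f"clone of {e['vm']}"))
        # Several role/permission changes by one user in a short window: privilege build-up.
        if kind in PRIVILEGE_EVENTS:
            stamps = priv_times[user]
            stamps.append(datetime.fromisoformat(t))
            if (len(stamps) >= burst and stamps[-1] - stamps[-burst] <= window
                    and user not in burst_reported):
                burst_reported.add(user)
                alerts.append(Alert(t, "privilege_buildup", "high", user,
                                    f"{burst} privilege changes within {window}"))
    return alerts


def summarize(alerts: Iterable[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, ALLOWED_ADMIN_IPS, WATCHLIST_VMS, HONEYPOT_ACCOUNTS):
        print(f"{a.time} [{a.severity:8}] {a.rule:24} {a.user}: {a.detail}")
```

Run the file to print the alerts for the constructed records. In practice the records come from the vSphere EventManager or from the events vCenter forwards to syslog, the allow-list is the same whitelist the firewall enforces, and the decoy account is created in SSO but never handed to anyone, so a session for it is an attacker even when it arrives from a whitelisted address.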


Source: blog.csdn.net/text2206/article/details/131865401