The flaws of virtual machines. How hackers break out of a virtual environment.
Many of you already use a virtual machine for a safer method of working, running suspicious files, documents, websites. Virtual isolation is a great protection tool but far from ideal. This chapter reveals how hackers and intelligence agencies break through the virtual environment and how to protect yourself from this threat.
Suppose there is a document, link or application crafted by an attacker to gain access to your device and data. Being a reasonable person, you run it in your virtual environment in the hope that it will shield you from potential threats. Only this time you are unaware that you are up against not just your regular script kiddie with a common Trojan, but a professional hacker intent on gaining access to your system.
But to perform an attack, he will have to break out of the virtual environment. Now let’s see how it can be done.
Escape from a virtual environment using standard VirtualBox tools
You are probably familiar with the tools that allow the interaction between the host and guest machines such as shared clipboard, shared folder and Drag'n'Drop. Copying a file in the host machine and then inserting it in the virtual machine or simply dragging this file onto another machine is extremely convenient.
Creating a bridge between the guest machine and the host machine is not the most prudent step security-wise. You’ve probably guessed that a hacker can take advantage of these tools to penetrate your primary machine. We recommend you stop using these tools in favor of more secure data transmission methods. We will look at these methods in the chapter about sandboxes.
Escaping from a virtual machine is not the easiest thing to pull off: merely having the shared clipboard enabled, for instance, is not enough on its own. It becomes a lot easier, however, the moment you actually use it.
Stop using a shared folder, shared clipboard and Drag'n'Drop. However convenient they are, it is unsafe to use them.
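The three integration features named above are all visible in a VM's configuration, so you can check that they really are off rather than trusting memory. The script below is an added example, not part of the original chapter or of VirtualBox itself: it audits the output of `VBoxManage showvminfo <vm> --machinereadable` and flags an enabled shared clipboard, drag-and-drop, or any attached shared folder. The key names it looks for (`clipboard`, `draganddrop`, `SharedFolderNameMachineMapping<N>`) are assumed to match VirtualBox's machine-readable format, and the two samples fed to it are constructed, so it runs without VirtualBox installed.

```shell
#!/bin/sh
# Added example (not from the original chapter, not VirtualBox's own code):
# audit a VirtualBox VM's host/guest integration settings.
# Assumption: the machine-readable output of `VBoxManage showvminfo` uses the
# keys clipboard=, draganddrop= and SharedFolderNameMachineMapping<N>=.

# audit_vm_config: reads machine-readable VM info on stdin and prints one
# "RISK ..." line per setting that bridges the guest to the host.
audit_vm_config() {
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}          # strip surrounding quotes
        case "$key" in
            clipboard)
                [ "$val" = "disabled" ] ||
                    echo "RISK shared clipboard is '$val' (expected 'disabled')" ;;
            draganddrop)
                [ "$val" = "disabled" ] ||
                    echo "RISK drag-and-drop is '$val' (expected 'disabled')" ;;
            SharedFolderNameMachineMapping*)
                echo "RISK shared folder '$val' is attached to the VM" ;;
        esac
    done
    return 0
}

# count_risks: number of RISK lines produced for the config on stdin.
count_risks() {
    audit_vm_config | grep -c '^RISK' || true
}

# print_fixes VMNAME [SHAREDFOLDER...]: the VBoxManage commands that turn the
# features off (printed, not executed; run them with the VM powered off).
# --clipboard-mode is the VirtualBox 7 spelling; 6.x uses --clipboard.
print_fixes() {
    vm=$1; shift
    echo "VBoxManage modifyvm \"$vm\" --clipboard-mode disabled --draganddrop disabled"
    for name in "$@"; do
        echo "VBoxManage sharedfolder remove \"$vm\" --name \"$name\""
    done
}

# Constructed sample: a VM with every integration feature left on.
SAMPLE_RISKY='name="analysis-vm"
clipboard="bidirectional"
draganddrop="hosttoguest"
SharedFolderNameMachineMapping1="exchange"
SharedFolderPathMachineMapping1="/home/user/exchange"'

# Constructed sample: the same VM after hardening.
SAMPLE_HARDENED='name="analysis-vm"
clipboard="disabled"
draganddrop="disabled"'

# Demo on the constructed samples. Against a real VM:
#   VBoxManage showvminfo "analysis-vm" --machinereadable | audit_vm_config
printf '%s\n' "$SAMPLE_RISKY" | audit_vm_config
print_fixes "analysis-vm" "exchange"
```

The audit is intentionally strict: any clipboard or drag-and-drop mode other than `disabled`, including the one-directional modes, is reported, because a one-way channel is still a channel that is easy to forget about.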
Escape through Wi-Fi routers and external media devices
You can find a lot of material on the Internet revealing how to set up a virtual machine, install Kali Linux on it or specialized software and attack Wi-Fi devices nearby. Will a hacker resist the temptation of breaking through your virtual machine and compromising the Wi-Fi routers near you? This may be your home Wi-Fi or the one you use at work.
Unfortunately, routers, as a rule, prove vulnerable to attacks, and once a malicious intruder gains access to your router, he can mount a damaging attack on every device that connects to it. In a separate chapter, you will learn about the consequences of a compromised Wi-Fi router. Take my word for it, these attacks can be very dangerous.
The only sensible piece of advice I can give you here is the following: make sure your Wi-Fi router is secured well enough, and you will learn how to achieve this within this course. For an extra layer of defense, we recommend you use a VPN. It won’t protect you from getting your Wi-Fi compromised, but it will help you prevent attacks in which, for instance, an attacker attempts to intercept your Internet traffic or spoof DNS.
Make sure your Wi-Fi router is secured from attacks.
One can escape from virtualization using a USB flash drive if it is connected to the virtual machine at the moment of the attack and the user then proceeds to connect it to the host system. However, this is predicated on many factors coinciding. In some cases an attacker can perform an attack over Bluetooth on nearby devices, but this too is a sophisticated method that requires a lot of conditions to coincide.
Unfortunately, every year security experts uncover new vulnerabilities in virtualization solutions that allow perpetrators to escape from a virtual machine and attack a host system. There is a very high probability that such tools are used by intelligence agencies and hacker groups recruited by them; this kind of software is demonstrated at hacker conferences every year.
For instance, in 2017 the Chinese security teams 360 Security and Tencent Security achieved an escape from a virtual machine running on VMware Workstation. In both cases the escape required several vulnerabilities to be exploited in unison, and in both cases the first attack targeted a guest machine running the Windows operating system.
In addition to VMware, the researchers were able to exploit macOS, Ubuntu, Windows, Firefox, Edge, Safari, Adobe Reader, Adobe Flash. It is rumored that the latter crashed before the demonstration. I’m just joking.
If you fear an attack by a highly skilled hacker, there is only one effective way to handle it: use a computer that is completely isolated from the primary machine. You will learn about hardware isolation in a separate chapter of this course, as well as how to set up an environment for running suspicious files and documents. A hacker can exploit a virtual machine through vulnerabilities, and you can never rule out the possibility that a malicious intruder has tools to escape from the virtualization system you currently use.
If you fear an attack by a highly skilled hacker, use only hardware isolation.
If you use software isolation, make sure you regularly update your virtualization solution – use only the latest available version. It is just as important to update all the components of your virtual machine from browser to operating system.
In a timely manner update all the components of your virtual machine from browser to operating system.
A hacker doesn’t even have to exploit a virtual machine using a bug in the virtualization system or Wi-Fi router if he can employ social engineering techniques. There is a reason why some say that a computer’s most vulnerable spot is a person sitting behind the monitor.
A lot of modern malicious programs analyze the environment for signs of virtualization. If they detect it, they either don’t run or don’t activate their malicious functions. This helps them evade analysis by experts and the various checks performed automatically or semi-automatically.
Ordinary users should be aware that a lack of malicious activity in a virtual environment doesn’t mean the same file won’t behave maliciously when launched on your host system.
Lack of malicious activity in a virtual environment doesn’t mean your file is secure.
I’ve heard about several people who tested an application in a virtual environment and, without detecting anything suspicious, ran it on their host system – only to have their hard drive locked for ransom. Sometimes malicious software doesn’t even use a disguise: it simply tells the user that it is unable to run the file in a virtual environment and prompts the user to run it on the host system.
I should note that some applications are indeed unable to run under a virtual machine, for instance because of demanding video memory requirements, but malicious software does it deliberately, and you should be well aware of this. You can protect yourself from the potential threat by getting a separate computer for running tests or a dedicated remote server.
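The point of the last few paragraphs is that an analysis VM is usually trivial for a program to recognise, which is why silence in the VM proves nothing. The script below is an added example, not part of the original chapter, that lets you verify this about your own Linux guest: it checks the two most visible markers, the `hypervisor` flag in `/proc/cpuinfo` and the DMI system vendor string in `/sys/class/dmi/id/sys_vendor`. The file paths are passed as parameters (an assumption made so the check can also run on saved copies of those files), and the inputs used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original chapter): check how easily a Linux
# guest can be recognised as a virtual machine. The two markers inspected here
# are exactly the kind of thing anti-analysis malware looks at before deciding
# whether to run, so "virtualized" means a quiet VM test is not evidence of a
# clean file. File paths are parameters (assumption) so saved copies work too.

# virt_markers CPUINFO_FILE VENDOR_FILE
# Prints "virtualized:<markers>" when a marker is found, "no-markers" otherwise.
virt_markers() {
    cpuinfo=$1
    vendor_file=$2
    markers=""
    # Marker 1: the kernel reports the CPUID hypervisor bit as the flag "hypervisor".
    if grep -E -q '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)' "$cpuinfo" 2>/dev/null; then
        markers="$markers cpu-flag:hypervisor"
    fi
    # Marker 2: the DMI/SMBIOS vendor string names the virtualization product.
    if [ -r "$vendor_file" ]; then
        vendor=$(cat "$vendor_file")
        case "$vendor" in
            *innotek*|*VirtualBox*|*VMware*|*QEMU*|*Xen*|*"Microsoft Corporation"*)
                markers="$markers dmi-vendor:$vendor" ;;
        esac
    fi
    if [ -n "$markers" ]; then
        echo "virtualized:$markers"
    else
        echo "no-markers"
    fi
    return 0
}

# Demo on constructed inputs (a VirtualBox-like guest and a bare-metal machine).
demo_dir=$(mktemp -d)
printf 'processor\t: 0\nflags\t\t: fpu vme hypervisor lahf_lm\n' > "$demo_dir/cpuinfo_vm"
printf 'innotek GmbH\n' > "$demo_dir/vendor_vm"
printf 'processor\t: 0\nflags\t\t: fpu vme lahf_lm\n' > "$demo_dir/cpuinfo_hw"
printf 'Dell Inc.\n' > "$demo_dir/vendor_hw"
echo "constructed VM guest:  $(virt_markers "$demo_dir/cpuinfo_vm" "$demo_dir/vendor_vm")"
echo "constructed bare metal: $(virt_markers "$demo_dir/cpuinfo_hw" "$demo_dir/vendor_hw")"
rm -rf "$demo_dir"

# On the machine you are actually sitting at:
#   virt_markers /proc/cpuinfo /sys/class/dmi/id/sys_vendor
```

Note that "no-markers" is not proof of bare metal, only that the two cheapest checks came back clean; the chapter's advice to use a physically separate test machine rather than trying to hide the VM still stands.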