VDI Takeover, James Bond Style


Many cybersecurity professionals mistakenly believe virtual desktop infrastructure (VDI) is an effective way to combat cybercriminals, or at minimum slow them down. Conventional wisdom says that by separating desktop images from the desktop itself – requiring users to have permission to access server-hosted desktop images from thin or thick clients – you’re erecting a barrier that keeps sensitive corporate information safe. But the truth is, that barrier is flimsy, at best.

It all comes down to this: VDI doesn’t isolate the remote sensitive resources from the devices used to access them. If hackers control the end-user’s device, they control the VDI resources. And because that device is exposed to a variety of attack vectors, including email, web, external media, user-installed applications, and many others, it’s not hard for a determined cybercriminal to do a VDI takeover.

You’d be surprised at how easy it can be.

Overlay Malware: Pulling a James Bond

Cybercriminals who want to take over VDI without anyone being the wiser can steal a page from the James Bond playbook. Remember how 007 would freeze security cameras so he could infiltrate the bad guy’s lair without notice? Overlay malware essentially lets hackers do the same thing.

The malware creates overlay screens that mimic the appearance of sign-in pages of commonly used apps and sites such as Facebook, Gmail, online banking and other payment systems. The fake screens launch as soon as a victim clicks on a link on a legitimate site or launches a legitimate app. These overlay screens can be so close to the originals that it’s hard to tell whether a sign-in page is real or fake.

Because of the growing connectivity of devices, the integration of social media and email logins into apps, websites and online services, and the fact that mobile apps are used on a daily basis, unwitting corporate users can easily fall victim to this simple but effective technique.

VDI Compromised by Overlay Malware

So what might this look like in real life? Imagine a payment site “protected” by VDI and used, for instance, by a bank teller. The malware on her device—which she may have mistakenly downloaded when browsing the web or opening an email—detects when she enters her VDI credentials and sees that she’s filling out a payment form. When she hits the final ok/approve button, the malware overlays her entire screen with a cloaking screenshot that shows “transferring payment.”

However, the form was never sent. What is really happening, in the background, is that the malware injects new keystrokes that override the original payment form and submit it, with fraudulent account information, to the hacker’s destination.

Once the teller is back in control of her machine, she sees a payment was initiated. However, she has no idea it wasn’t according to the information she entered. She has no idea her transaction will never go where she intended. She has no idea she ever lost control.

Want to see this in action? Watch this video of a mocked-up online payment system being compromised by overlay malware, to witness how easy it is to fool VDI users.

And keep in mind that the effects of malware like this don’t end after a single compromised VDI session.

For example, malware can inject a script into internal VDI sessions that allows VBScript, PowerShell, CMD, JavaScript or any other scripting language to attach handlers to different keyboard events in the VDI guest, and then use keys that have no mapping on the host machine as beacons to activate those scripts inside the VDI guest. It could simulate, on the host, keystrokes on the F15 key to control the script that was installed inside the VDI session. From then on, whenever the malware detects the user is working on the secure app through her VDI session, the hacker can freely ‘Morse code’ commands into the VDI session and do what he wants.
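The beacon technique just described leaves a signal a defender can look for inside the guest: bursts of presses on keys that no physical keyboard delivers (F13 to F24), often flagged by the guest as synthetic rather than hardware input. The following is an added example, not code from the article or from Hysolate: it runs a simple burst detector over a constructed keystroke log from a VDI guest session. The log format, and its `injected` column modelled on the injected-input flag that a low-level keyboard hook reports, are assumptions.

```python
from collections import deque
from dataclasses import dataclass

# F13..F24 exist as virtual keys on Windows but are absent from most keyboards,
# which is what makes them attractive as covert beacons and easy to baseline.
UNMAPPED_KEYS = {f"F{n}" for n in range(13, 25)}


@dataclass
class KeyEvent:
    ts: float        # seconds since session start
    key: str         # key name, e.g. "A" or "F15"
    injected: bool   # True if the guest reported synthetic (non-hardware) input


def parse_log(text):
    """Parse constructed log lines of the form '<ts> <key> <injected 0/1>'."""
    events = []
    for line in text.strip().splitlines():
        ts, key, inj = line.split()
        events.append(KeyEvent(float(ts), key.upper(), inj == "1"))
    return events


def find_beacons(events, window=2.0, min_hits=4):
    """Flag bursts of >= min_hits unmapped-key presses inside `window` seconds.
    Returns (start_ts, end_ts, count, all_injected) per detected burst."""
    hits, alerts = deque(), []
    for ev in events:
        if ev.key not in UNMAPPED_KEYS:
            continue
        hits.append(ev)
        while hits and ev.ts - hits[0].ts > window:   # slide the window
            hits.popleft()
        if len(hits) >= min_hits:
            alerts.append((hits[0].ts, ev.ts, len(hits),
                           all(h.injected for h in hits)))
            hits.clear()   # report once per burst, then start fresh
    return alerts


# Constructed sample: ordinary typing, then an F15 "Morse" burst, then a normal F5.
SAMPLE_LOG = """
0.10 H 0
0.25 E 0
0.40 L 0
0.70 O 0
5.00 F15 1
5.15 F15 1
5.30 F15 1
5.80 F15 1
6.10 F15 1
12.00 F5 0
"""


def scan(text=SAMPLE_LOG):
    return find_beacons(parse_log(text))
```

A single unmapped keypress is not alerted on; the detector reacts to the cadence the article describes, and the `all_injected` field tells the analyst whether the guest itself marked the input as synthetic.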

It’s Scarily Easy

Overlay malware is just one of many tactics attackers use to compromise VDI and reach sensitive data. Anything that exploits a user’s device can give them access to the VDI session.

Be cautious, and don’t be fooled by thinking two-factor authentication for VDI could mitigate the risk. Hackers who are already present on a machine simply wait for a successful authentication to launch their attack.

Here’s the takeaway: If your business is using VDI for employees, giving third-parties “controlled” access to VDI-based corporate assets, or allowing IT admins to use VDI servers as jump hosts for managing the enterprise crown jewels, beware. VDI isn’t the security barrier you may think.

Aviram Shemesh
Aviram Shemesh, Security Research Team Lead at Hysolate. Aviram Shemesh has been Hysolate’s cybersecurity research leader since 2016. He has spent a decade in the cybersecurity industry, acquiring intimate knowledge about attackers and defenders alike. Prior to Hysolate, Aviram held security research roles at Team8, a cybersecurity think tank, Trusteer, which was acquired by IBM, and the Israel Defense Forces. Passionate about safeguarding endpoints as well as revolutionizing technology education, Aviram is a founder of the TechLift youth movement and an enthusiastic STEAM instructor and mentor.