Cybercriminals constantly devise new ways of stealing precious data and using it to their advantage. Data is hugely valuable within dark markets, and a single malicious actor could stand to make millions from selling illegally acquired information. Hyperjacking is another illicit method that can be used to spy on victims, control devices, and steal valuable information. So, what is hyperjacking, and how can you stay safe from it?

What Is Hyperjacking?

Hyperjacking involves the compromise and unauthorized control of a virtual machine (VM). So, before we discuss hyperjacking in detail, we'll need to first understand what a virtual machine is.

What Is a Virtual Machine?

A virtual machine is just that: a non-physical machine that uses virtualization software instead of hardware to function. Though virtual machines must exist on a piece of hardware, they operate using virtual components (such as a virtual CPU).

Hypervisors form the backbone of virtual machines. These are software programs that are responsible for creating, running, and managing VMs. A single hypervisor can host multiple virtual machines, or multiple guest operating systems, at one time, which also gives it the alternative name of virtual machine manager (VMM).

There are two kinds of hypervisors. The first is known as a "bare metal" or "native" hypervisor and runs directly on the hardware; the second is a "hosted" hypervisor, which runs as an application on top of a conventional operating system. What you should note is that it is the hypervisors of virtual machines that are the targets of hyperjacking attacks (hence the term "hyper-jacking").

The Origins of Hyperjacking


In the mid-2000s, researchers found that hyperjacking was a possibility. At the time, hyperjacking attacks were entirely theoretical, but the threat of one being carried out was always there. As technology advances and cybercriminals become more inventive, the risk of hyperjacking attacks increases by the year.

In fact, in September 2022, warnings of real hyperjacking attacks began to arise. Both Mandiant and VMware published warnings stating that they had found malicious actors using malware to conduct hyperjacking attacks in the wild via a harmful version of VMware software. In these attacks, the threat actors inserted their own malicious code within victims' hypervisors while bypassing the target devices' security measures (similarly to a rootkit).

Through this exploit, the hackers in question were able to run commands on the virtual machines' host devices without detection.

How Does a Hyperjacking Attack Work?

Hypervisors are the key target of hyperjacking attacks. In a typical attack, a rogue, malicious hypervisor that the threat actor controls is installed beneath the original one, so the legitimate hypervisor is no longer the lowest layer on the machine. From that position the attacker gains control of the legitimate hypervisor and exploits the VMs it runs.

By having control over the hypervisor of a virtual machine, the attacker can, in turn, gain control of the entire VM server. This means that they can manipulate anything in the virtual machine. In the aforementioned hyperjacking attack announced in September 2022, it was found that hackers were using hyperjacking to spy on victims.

Compared to other hugely popular cybercrime tactics like phishing and ransomware, hyperjacking isn't very common at the moment. But with the first confirmed use of this method, it's important that you know how to keep your devices, and your data, safe.

How to Avoid Hyperjacking


Unfortunately, hyperjacking has been found to evade certain security measures present on your device. But this does not mean that you shouldn't still employ high levels of safeguarding to lower the chance of an attacker targeting your hypervisor.

Of course, you should always ensure that your virtual machine is well-equipped with various layers of security. For example, you could isolate each of your virtual machines using a firewall, and ensure that your host device has adequate antivirus protection.

You should also ensure that your hypervisor is regularly patched so that malicious actors cannot exploit bugs and vulnerabilities within the software. This is one of the most common ways through which cybercriminals carry out attacks, and they can sometimes do a lot of damage before the software provider becomes aware of the security flaw.

You should also limit which devices your virtual machine can access. When an attacker gains control over a virtual machine, they may use it to reach other hardware, such as the host device. Try not to link your VM to unnecessary devices, so that an attacker cannot exploit it further if it is compromised.
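The September 2022 finding described above involved malicious code installed into the hypervisor itself, and the advice in this section is to keep that hypervisor patched and locked down. One concrete defender-side check that follows from both, added here as an example and not taken from the article, from VMware or from Mandiant: compare the packages installed on a VMware ESXi host against an approved baseline and flag anything with a low acceptance level, from an unexpected vendor, or simply not on the list. The example assumes the tabular layout printed by `esxcli software vib list` (that command and the package concept are not on the page) and parses a constructed sample of such output; the package names, versions, vendors, dates and the baseline are all made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample in the tabular layout that `esxcli software vib list` prints
# on an ESXi host (assumed layout; not captured from a real system). Every name,
# version, vendor and date below is made up for this example.
SAMPLE_VIB_LIST = """\
Name             Version                            Vendor    Acceptance Level    Install Date
---------------  ---------------------------------  --------  ------------------  ------------
esx-base         7.0.3-0.0.12345678                 VMware    VMwareCertified     2022-03-01
net-e1000e       1.1.0-2vmw.700.1.0.12345678        VMW       VMwareCertified     2022-03-01
lsi-mr3          7.716.03.00-1OEM.700.1.0.12345678  LSI       PartnerSupported    2022-03-01
esx-dev-support  1.0-1                              AcmeCorp  CommunitySupported  2022-09-14
"""

# Constructed approved baseline: (name, version) pairs recorded from a known-good
# build of the host and stored OFF the host, so a tampered hypervisor cannot
# quietly rewrite its own reference list.
BASELINE: Set[Tuple[str, str]] = {
    ("esx-base", "7.0.3-0.0.12345678"),
    ("net-e1000e", "1.1.0-2vmw.700.1.0.12345678"),
    ("lsi-mr3", "7.716.03.00-1OEM.700.1.0.12345678"),
}

# ESXi acceptance levels, from most to least trusted; lower rank means weaker
# signing/vetting guarantees for the package.
ACCEPTANCE_RANK = {
    "VMwareCertified": 3,
    "VMwareAccepted": 2,
    "PartnerSupported": 1,
    "CommunitySupported": 0,
}
DEFAULT_TRUSTED_VENDORS = frozenset({"VMW", "VMware"})


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def parse_vib_list(text: str) -> List[Vib]:
    """Parse the five-column table; columns are separated by two or more spaces."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Name") or line.startswith("---"):
            continue  # blank line, header row, or dashed separator
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 5:
            raise ValueError(f"unexpected column count in line: {line!r}")
        rows.append(Vib(*cols))
    return rows


def find_suspicious(
    vibs: Iterable[Vib],
    baseline: Optional[Set[Tuple[str, str]]],
    trusted_vendors: Iterable[str] = DEFAULT_TRUSTED_VENDORS,
    min_rank: int = 1,
) -> List[Tuple[str, List[str]]]:
    """Return (package name, reasons) for every package an operator should review.

    A package is reported if its acceptance level ranks below min_rank, if its
    vendor is not in the trusted set, or if (name, version) is absent from the
    approved baseline. Several reasons may apply to one package.
    """
    trusted = set(trusted_vendors)
    findings = []
    for v in vibs:
        reasons = []
        if ACCEPTANCE_RANK.get(v.acceptance, -1) < min_rank:
            reasons.append(f"acceptance level {v.acceptance} is below policy")
        if v.vendor not in trusted:
            reasons.append(f"vendor {v.vendor!r} is not in the trusted set")
        if baseline is not None and (v.name, v.version) not in baseline:
            reasons.append("not present in the approved baseline")
        if reasons:
            findings.append((v.name, reasons))
    return findings


def report(findings: List[Tuple[str, List[str]]]) -> str:
    """Render findings as one line per package for a ticket or SIEM message."""
    if not findings:
        return "no packages require review"
    return "\n".join(f"{name}: " + "; ".join(reasons) for name, reasons in findings)


if __name__ == "__main__":
    # Listing must come from a trusted management path (e.g. a freshly booted,
    # measured host or out-of-band tooling): a hyperjacked hypervisor can lie
    # to any check that runs on top of it.
    print(report(find_suspicious(parse_vib_list(SAMPLE_VIB_LIST), BASELINE)))
```

On the constructed sample, the third-party driver is reported only because its vendor is outside the default trusted set (it is on the baseline, so a site that adds that vendor to the set sees no finding for it), while the package installed after the baseline was taken trips all three checks at once. The important design point is that the baseline lives outside the host; a check whose reference data sits on the hypervisor being examined proves little once that hypervisor is under an attacker's control.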

Hyperjacking May Become a Significant Problem in the Near Future

Though hyperjacking seems relatively new as a practiced cybercrime tactic, there's a good chance that its prevalence will begin to grow among hacker groups looking to exploit machines, spy on victims, and steal data. So, if you have one or more virtual machines, make sure you're protecting them as much as possible to avoid falling victim to a hyperjacking attack.