Security researchers at Juniper Threat Labs say they have identified previously undocumented malware targeting VMware ESXi servers that is notable for its “simplicity, persistence and capabilities.”
VMware’s ESXi is a bare metal hypervisor that is widely deployed in large enterprises to run software virtually, from applications to fully emulated machines running operating systems, without direct access and control of the host machine’s hardware. Users span aerospace, banks, technology firms, governments etc.
The backdoor used in the attack they saw can be used on Linux or other UNIX-like systems, they said this week, but there are several indications that this attack was designed specifically to target ESXi.
The ESXi malware is a Python script that adds seven lines of code inside "/etc/rc.local.d/local.sh," an ESXi file that survives between reboots and is executed at startup. These launch “a simple webserver that accepts password-protected POST requests and can be used in two ways: it can run arbitrary remote commands and display the results as a webpage, or it can launch a reverse shell to the host and port of the attacker’s choice.”
The initial access that enabled it to be installed was unclear – but unpatched ESXi servers have been targets of attacks based on two vulnerabilities in the ESXi’s OpenSLP service: CVE-2019-5544 (a CVSS 9.8 RCE) and CVE-2020-3992 (also a CVSS 9.8 RCE that have been persistently exploited in recent years, the firm said.
“The name of the file and its location, /store/packages/vmtools.py, was chosen to raise little suspicion on a virtualization host. The file begins with a VMware copyright consistent with publicly available examples and is taken character-for-character from an existing Python file provided by VMware” Juniper Networks said.
“The sequence of piped commands is somewhat more complicated than the most common reverse shell invocations and is needed to work around limitations in the netcat version available on ESXi. Note that if no port number is supplied in the POST request, the default port used is 427. This is the standard service port for OpenSLP, the vulnerable service most likely exploited to gain access to the ESXi server and is another indication that this attack was crafted with ESXi targets in mind” the security researchers noted in a blog (with IOCs).
They urged users, as ever, to apply all vendor patches as soon as possible; restrict incoming network connections to trusted hosts; and check all modified persistent system files for unexpected changes.
It’s not the only novel malware targeting ESXi servers this year. In September security researchers at Mandiant identified a unique new malware ecosystem impacting VMware ESXi security, Linux vCenter servers, and Windows virtual machines – with VMware this week describing it as “persistent and covert” and releasing new mitigation and detection guidance for the techniques outlined in the Mandiant report. The technique involves the use of malicious vSphere Installation Bundles (“VIBs”) to install multiple backdoors on the ESXi hypervisors.
The malware lets the attacker maintain persistent admin access to the hypervisor; send commands to the hypervisor that will be executed on guests; send files/commands between the hypervisor and guests as well as guest-to-guest and tamper with logging services on the hypervisor, as well as letting them execute arbitrary commands from one guest VM to another VM on the same hypervisor.Mandiant researchers said that due to the “highly targeted and evasive nature of this intrusion, we suspect motivation to be cyber espionage related” – adding that “we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities. Mandiant recommends organizations using ESXi and the VMware infrastructure suite follow the hardening steps… to minimize the attack surface of ESXi hosts.
Mandiant’s detailed technical write-up on that issue is here (part one) and here (part two).
