Mandiant has published information on malware discovered in the wild that leverages unsigned vSphere Installation Bundles (VIBs) to install backdoors on compromised ESXi hosts.

Note: the malicious actor must first obtain root-level administrative privileges on the ESXi host before the malicious VIB can be installed.

Our SOC team is investigating this vulnerability further and will release a detailed report with indicators of compromise (IOCs) and additional remediation guidance when a patch becomes available. Further hardening steps will be advised.

Mitigation steps

Patching and lifecycle management

vSphere 7 introduced vSphere Lifecycle Manager, which manages host configurations. A host becomes non-compliant if an unauthorised VIB is introduced, because its configuration no longer matches the managed one. Routine patching gives admins the opportunity to spot these clues, while restarting ESXi allows Secure Boot to re-verify the system configuration and detect the malware.
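As an added example, not taken from the advisory or from VMware, the script below triages a captured `esxcli software vib list` output and flags any VIB whose acceptance level is weaker than a chosen minimum or whose vendor is not on an allow list. The embedded sample output is constructed, and the "vmsyslog-plus" VIB from vendor "ACME" is a hypothetical placeholder used only to exercise the check.

```python
import re
import sys

# ESXi acceptance levels, weakest first (unsigned/community VIBs sit at the bottom).
LEVELS = ["CommunitySupported", "PartnerSupported", "VMwareAccepted", "VMwareCertified"]

# Constructed sample of `esxcli software vib list` output. The "vmsyslog-plus" row
# from vendor "ACME" is a hypothetical third-party VIB used to exercise the flagging.
SAMPLE = """\
Name           Version                          Vendor  Acceptance Level    Install Date
-------------  -------------------------------  ------  ------------------  ------------
esx-base       7.0.3-0.65.20328353              VMW     VMwareCertified     2022-10-01
tools-light    12.0.0.19345655-20036586         VMW     VMwareCertified     2022-10-01
ixgben         1.7.1.35-1vmw.703.0.20.19193900  VMW     VMwareCertified     2022-10-01
vmsyslog-plus  1.0.0-1                          ACME    CommunitySupported  2022-09-28
"""


def parse_vib_list(text):
    """Parse the two-space-separated table esxcli prints into a list of dicts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    columns = re.split(r"\s{2,}", lines[0])
    # lines[1] is the dashed ruler under the header; data rows start at index 2.
    return [dict(zip(columns, re.split(r"\s{2,}", ln))) for ln in lines[2:]]


def triage(vibs, min_level="PartnerSupported", trusted_vendors=("VMW", "VMware")):
    """Return (name, reasons) for every VIB that warrants a closer look."""
    findings = []
    for vib in vibs:
        reasons = []
        level = vib.get("Acceptance Level", "")
        if level not in LEVELS or LEVELS.index(level) < LEVELS.index(min_level):
            reasons.append(f"acceptance level {level!r} is below {min_level}")
        if vib.get("Vendor") not in trusted_vendors:
            reasons.append(f"vendor {vib.get('Vendor')!r} is not on the allow list")
        if reasons:
            findings.append((vib["Name"], reasons))
    return findings


if __name__ == "__main__":
    # Usage: esxcli software vib list > vibs.txt ; python3 vib_triage.py vibs.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, reasons in triage(parse_vib_list(text)):
        print(f"REVIEW {name}: " + "; ".join(reasons))
```

Any VIB the script flags should be compared against the image managed by vSphere Lifecycle Manager before it is treated as malicious, since legitimate partner drivers can also carry a lower acceptance level.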

Secure Boot, Trusted Platform Modules, and Host Attestation

Secure Boot enables ESXi to validate software, drivers and other components cryptographically against a trust authority. vSphere 7 further ties the encryption keys used by vSAN and VM encryption to host attestation: under vSphere Trust Authority, any host that fails attestation is denied access to those secrets.

VMware recommends enabling the Secure Boot feature in ESXi to mitigate the risk of bad actors persisting on a compromised host via malicious VIB installation. To enable UEFI Secure Boot, please contact your hardware vendor.

Authentication and authorisation

Separate the authorisation and authentication methods, isolate sensitive identity resources, use MFA where applicable, audit both logon successes and failures, and limit access to management and admin services.

Workload hardening

Communication channels (VMCI) exist between vSphere and the guest operating system. They are used to exchange information within the VMware ecosystem and to carry tasks during deployment and disaster-recovery failover. The channels are enabled through VMware Tools and can be disabled where they are not needed.

Workload hardening further makes use of the VMware technologies available, such as Carbon Black Endpoint, VMware NSX, vRealize Log Insight and vRealize Network Insight, to harden workloads. Ultimately, these create opportunities for attack detection and containment.

Get the support you need

If you are one of our Sentinel Essentials customers, you will have custom threat detection rules implemented within your environment for active detection. In addition, our SOC analysts are proactively threat hunting for VMware-specific malware indicators of compromise (IOCs) on an ongoing basis.

This is an ongoing event and we are continuing to track the developments. If you have any questions or need support, please contact our IT service desk on 01904 562207 or email [email protected].