Security researchers at the cybersecurity provider Mandiant discovered a new type of attack method in April. As the company writes in a blog entry, it enables attackers to install multiple backdoors on the target system. The affected software is used by organizations in the public sector and in industries such as finance, defense and technology.
The cybercriminals use malicious “vSphere Installation Bundles” (VIBs), as the company writes. These software packages usually contain updated drivers or CIM providers. In a successful attack, the malicious VIBs allow multiple persistent backdoors to be installed on an ESXi hypervisor, backdoors that survive a reboot of the hardware. However, this requires administrator rights. A hypervisor, also called a virtual machine monitor, is software used to create and run virtual machines, as VMware explains on its website.
According to Mandiant, the backdoors installed in this way make it possible to execute commands, transfer files and manipulate logging services, both on the hypervisors and on the guest machines running on top of them. According to the blog entry, Linux vCenter servers and Windows virtual machines are also affected by the malware.
No zero-day bug found
According to Mandiant, there is currently no evidence that a zero-day vulnerability in ESXi was exploited to install the VIBs. Nor does the attack rely on an externally reachable remote code execution vulnerability.
So far, the malware has been detected in fewer than 10 cases. Since the VMware infrastructure does not support so-called “Endpoint Detection and Response” (EDR) technology, which continuously monitors selected endpoints such as laptops or IoT devices, the cybersecurity provider expects more cases to surface after the research results are published.
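Because the attack lives in VIBs installed with administrator rights and the hypervisor offers no EDR hook, the practical first check for a defender is the package inventory ESXi itself keeps. The script below is an added example, not code from Mandiant or VMware: it parses the table printed by the real `esxcli software vib list` command and flags two things an administrator can review on every host, namely VIBs whose acceptance level is not one of the VMware- or partner-signed levels, and VIBs installed after the last maintenance window the administrator recognises. The sample table with its names, versions, vendors and dates is constructed for this example, and `TRUSTED_LEVELS`, `parse_vib_list` and `suspicious_vibs` are this example's own names; the two heuristics are this example's choice, not Mandiant's published detection guidance.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Acceptance levels ESXi assigns to VIBs, from most to least trusted.
# A VIB outside this set (CommunitySupported) carries no VMware or partner
# signature, so it deserves a closer look on a production host.
TRUSTED_LEVELS = frozenset({"VMwareCertified", "VMwareAccepted", "PartnerSupported"})

# Constructed sample in the column layout of `esxcli software vib list`.
# Every name, version, vendor and date below is invented for this example.
SAMPLE_VIB_LIST = """\
Name             Version                   Vendor  Acceptance Level    Install Date
---------------  ------------------------  ------  ------------------  ------------
ata-libata-92    3.0.0-1vmw.700.1.0.1      VMW     VMwareCertified     2021-03-02
net-ixgbe        4.5.3-1OEM.700.1.0.1      INT     VMwareAccepted      2021-03-02
esx-base         7.0.3-0.1                 VMware  VMwareCertified     2022-02-10
acme-mgmt-agent  1.0.0-1                   ACME    CommunitySupported  2022-04-19
"""


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance_level: str
    install_date: date


def parse_vib_list(text: str) -> list[Vib]:
    """Parse the table printed by `esxcli software vib list`.

    esxcli pads columns with at least two spaces, so each row splits cleanly
    on runs of two or more spaces; the header row and dashed rule are skipped.
    """
    vibs: list[Vib] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Name ") or set(line) <= {"-", " "}:
            continue
        fields = re.split(r" {2,}", line)
        if len(fields) != 5:
            raise ValueError(f"unexpected row in vib list: {raw!r}")
        name, version, vendor, level, installed = fields
        vibs.append(Vib(name, version, vendor, level, date.fromisoformat(installed)))
    return vibs


def suspicious_vibs(vibs: list[Vib], baseline: date) -> list[tuple[Vib, list[str]]]:
    """Return (vib, reasons) for each VIB that is either outside the trusted
    acceptance levels or was installed after `baseline`, the date of the last
    maintenance window the administrator can account for."""
    findings: list[tuple[Vib, list[str]]] = []
    for vib in vibs:
        reasons: list[str] = []
        if vib.acceptance_level not in TRUSTED_LEVELS:
            reasons.append(f"acceptance level {vib.acceptance_level} is not VMware/partner signed")
        if vib.install_date > baseline:
            reasons.append(f"installed {vib.install_date} after baseline {baseline}")
        if reasons:
            findings.append((vib, reasons))
    return findings


if __name__ == "__main__":
    # On a real host, feed the output of `esxcli software vib list` instead.
    for vib, reasons in suspicious_vibs(parse_vib_list(SAMPLE_VIB_LIST), date(2022, 3, 1)):
        print(f"{vib.name} ({vib.vendor} {vib.version}): " + "; ".join(reasons))
```

Run it against the saved output of the command from each host and compare the flagged rows with your change records. Since installing a VIB already requires administrator rights, an attacker at that level could in principle also tamper with what the listing reports, so treat this as a triage step that narrows down which hosts need a deeper forensic look, not as proof that a host is clean.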