VMware releases emergency mitigations and guidance for its vSphere customers after China based threat actor using a troubling technique to install multiple persistent backdoors on ESXi hypervisors.
The threat actor tracked as UNC3886 using malicious vSphere Installation Bundles (VIBs) to sneak their malware onto target systems. The attackers required admin privileges to the ESXi hypervisor. But evidences not found to support the claim.
The backdoors, called VIRTUALPITA and VIRTUALPIE, enable the attackers to carry out a range of malicious activities includes maintaining persistent admin access to the ESXi hypervisor; sending malicious commands to the guest VM via the hypervisor; transferring files between the ESXi hypervisor and guest machines; tampering with logging services; and executing arbitrary commands between VM guests on the same hypervisor.
As per VMware, VIB as a collection of files packaged into a single archive to facilitate distribution. They are designed to help administrators manage virtual systems, distribute custom binaries and updates across the environment, and create startup tasks and custom firewall rules on ESXi system restart.
Four acceptance levels for VIBs:
- VMwareCertified VIBs that are VMware created, tested, and signed;
- VMwareAccepted VIBs that are created and signed by approved VMware partners;
- PartnerSupported VIBs from trusted VMware partners;
- CommunitySupported VIBs created by individuals or partners outside the VMware partner program.
During ESXi image creation phase, it is assigned one of these acceptance levels, Any VIBs added to the image must be at the same acceptance level or higher. This helps ensure that non-supported VIBs don’t get mixed in with supported VIBs when creating and maintaining ESXi images.
VMware’s default minimum acceptance level for a VIB is PartnerSupported. But administrators can change the level manually and force a profile to ignore minimum acceptance level requirements when installing a VIB.
The attackers have used this fact by first creating a CommunitySupport-level VIB and then modifying its descriptor file to make it appear that the VIB was PartnerSupported. They then used a so-called force flag parameter associated with VIB use to install the malicious VIB on the target ESXi hypervisors.
VMware recommends that organizations implement Secure Boot, TPM, and Host Attestation to validate software drivers and other components. If Secure Boot is enabled the use of the CommunitySupported acceptance level will be blocked, preventing attackers from installing unsigned and improperly signed VIBs. Only 10 organizations have affected till now but the number might not stops here, it will go up.
This research was documented by researchers from Mandiant