Researchers from cyber threat intelligence company Mandiant on Thursday 29th published information on two malware leveraging unsigned vSphere Installation Bundles (“VIBs”) to install backdoors VirtualPita and VirtualPie on compromised ESXi host.
First I would like to point out that malicious actors MUST have administrative privileges on the ESXi host to perform an attack. Also, there is no mention from Mandiant that a vulnerability in a VMware product was exploited to gain access to ESXi during their investigations.
Mitigation
VMware recommends the enablement of the Secure boot feature in ESXi to mitigate the risk of malicious actors persisting on a compromised ESXi host via malicious VIB installation. The feature is designed to prevent the installation of unsigned VIBs, furthermore, it disallows the --force
flag which would normally allow an administrator to bypass acceptance level settings on the ESXi host.
Enabling Secure Boot
- Run the Secure boot validation script:
/usr/lib/vmware/secureboot/bin/secureBoot.py -c
- If 7.0 u2 or later and the host has a TPM, please see the following document: Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration (vmware.com)
- Enabling Secure boot on ESXi: UEFI Secure Boot for ESXi Hosts (vmware.com)
What to do if you think have installed unsigned VIB?
If you are concerned about your environment, you can run an audit for your ESXi hosts. VMware prepared Powershell script, which you can download from this KB in the attachment section.
To run an audit against unassigned VIBs:
- You need to have PowerCLI installed (Here is step-by-step video instruction)
- You need to have port 443 access to vCenter where the script is running from.
- Set the PowerShell Execution Policy to unsigned:
- run this command:
Set-ExecutionPolicy Unrestricted
- run this command:
How to interpret results:
- Overall Status = Good: This host has no unsigned VIBs.
- Overall Status = Not Good: Unsigned VIBs were detected on the host.
NOTE: 6.5 has a known issue that will show an unsigned VIB on the ESXi base. Please see the following KB: Unable to enable Secure Boot in ESXi 6.x (79790)
NOTE: CommunitySupported VIBs are not signed. CommuitySupported VIB’s require an ESXi host to be set to CommunitySupported acceptance level, which is not recommended.
Related articles: Protecting vSphere From Specialized Malware.
🔥Subscribe to the channel: https://bit.ly/3vY16CT🔥
🚨Read my blog: https://angrysysops.com/
➡️ ENTER TO WIN Exam Vouchers: https://angrysysops.com/2022/09/12/win-dell-technologies-proven-professional-exam-vouchers/
👊Twitter: https://twitter.com/AngrySysOps
👊Facebook: https://www.facebook.com/AngrySysOps
👊My Podcast: https://bit.ly/39fFnxm
🔥vExpert info: https://bit.ly/3vXGPOa
🛒 VMware EMEA store: https://imp.i263671.net/c/3505578/814646/11461
🛒 VMware US store: https://imp.i263671.net/c/3505578/814642/11461
🛒 VMware APAC store: https://imp.i263671.net/c/3505578/814645/11461