A previously undocumented Python backdoor is targeting VMware ESXi servers via RCE.
The new backdoor was discovered by Juniper’s researchers, who found the backdoor code on an ESXi server. The server may have been compromised through the CVE-2019-5544 and CVE-2020-3992 vulnerabilities in ESXi's OpenSLP service.
CVE-2019-5544 is rated 9.8 CRITICAL:
https://nvd.nist.gov/vuln/detail/CVE-2019-5544
CVE-2020-3992 is also rated 9.8 CRITICAL:
https://nvd.nist.gov/vuln/detail/CVE-2020-3992
For the full technical overview: https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
What follows is from the Juniper article on possible mitigations:
- Apply all vendor patches as soon as possible.
- Restrict incoming network connections to trusted hosts.
- Check the contents and/or existence of the four files detailed above.
By default, local.sh should contain only comments and an exit statement.
- Check all modified persistent system files for unexpected changes.
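As an added example (not from the Juniper write-up or this post), a POSIX shell check for the local.sh mitigation above: it reports any line that is not a comment, a blank line, or an exit statement, so a clean default file returns 0 and anything extra returns 1. The default path /etc/rc.local.d/local.sh is an assumption about the standard ESXi layout; pass another path as the first argument to check a copy pulled off a host.

```shell
#!/bin/sh
# Added example, not code from the Juniper article. Checks whether an ESXi
# local.sh holds anything besides comments, blank lines and an exit statement.
# The default path /etc/rc.local.d/local.sh is an assumption about ESXi layout.

# check_local_sh [FILE]
#   returns 0 if FILE is clean, 1 if unexpected lines were found (printed to
#   stderr with line numbers), 2 if FILE cannot be read.
check_local_sh() {
    file="${1:-/etc/rc.local.d/local.sh}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Keep only lines that are NOT: blank, a comment (incl. the #! line),
    # or 'exit' optionally followed by a numeric status.
    unexpected=$(grep -n -v -E \
        '^[[:space:]]*(#.*)?$|^[[:space:]]*exit([[:space:]]+[0-9]+)?[[:space:]]*$' \
        "$file" || true)
    if [ -n "$unexpected" ]; then
        echo "unexpected content in $file:" >&2
        printf '%s\n' "$unexpected" >&2
        return 1
    fi
    return 0
}

# Run directly against a file when one is given on the command line.
if [ $# -gt 0 ]; then
    check_local_sh "$1"
fi
```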