Recent Python malware backdoors ESXi servers and leads to RCE

  • 14 December 2022


A previously undocumented Python backdoor is actually targeting VMware ESXi servers via RCE.

The new backdoor was discovered by Juniper’s researchers, who found the backdoor code on an ESXi server. It’s possible that the server may have been compromised using the CVE-2019-5544 and CVE-2020-3992 vulnerabilities in ESXi's OpenSLP service.


CVE-2019-5544 is a 9.8 CRITICAL

https://nvd.nist.gov/vuln/detail/CVE-2019-5544

CVE-2020-3992 is another 9.8 CRITICAL

https://nvd.nist.gov/vuln/detail/CVE-2020-3992


For full technical overview: https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers


What follows is from the Juniper article about possible mitigation:

  1. Apply all vendor patches as soon as possible.
  2. Restrict incoming network connections to trusted hosts.
  3. Check the contents and/or existence of the four files detailed above.
     By default, local.sh should contain only comments and an exit statement.
  4. Check all modified persistent system files for unexpected changes.


Via https://www.bleepingcomputer.com/news/security/new-python-malware-backdoors-vmware-esxi-servers-for-remote-access/
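As an added defender-side example for mitigation step 3 (this is not code from the forum post or from Juniper's write-up), a small POSIX shell check that flags any line in a local.sh-style file other than comments, blank lines and an exit statement. The ESXi path /etc/rc.local.d/local.sh and the two sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added defender-side check for mitigation step 3 (not code from the forum
# post or Juniper's write-up). It reports whether a local.sh-style file holds
# anything besides comments, blank lines and an exit statement.
# Assumption: on ESXi the file is at /etc/rc.local.d/local.sh; pass the path
# you want to audit as the argument.

# check_local_sh FILE
#   returns 0 if FILE contains only comments/blank lines/exit,
#   1 if other content is present (printed to stderr), 2 if FILE is missing
check_local_sh() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 2
    fi
    # Drop comment lines, blank lines, then any bare "exit [N]" line;
    # whatever remains is content an administrator should review.
    suspicious=$(grep -v '^[[:space:]]*#' "$file" \
        | grep -v '^[[:space:]]*$' \
        | grep -Ev '^[[:space:]]*exit([[:space:]]+[0-9]+)?[[:space:]]*$' || true)
    if [ -n "$suspicious" ]; then
        echo "unexpected content in $file:" >&2
        printf '%s\n' "$suspicious" >&2
        return 1
    fi
    return 0
}

# Constructed sample files so the check can be run stand-alone.
BENIGN_FILE=$(mktemp)
cat > "$BENIGN_FILE" <<'EOF'
#!/bin/sh
# local configuration options
exit 0
EOF

TAMPERED_FILE=$(mktemp)
cat > "$TAMPERED_FILE" <<'EOF'
#!/bin/sh
# local configuration options
/bin/sh /tmp/constructed_unexpected_startup_task.sh &
exit 0
EOF

for f in "$BENIGN_FILE" "$TAMPERED_FILE"; do
    if check_local_sh "$f"; then echo "OK: $f"; else echo "REVIEW: $f"; fi
done
```

Run it as `sh check_local_sh.sh` to see both constructed samples classified; on a host, call `check_local_sh /etc/rc.local.d/local.sh` instead.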


1 comment


I am not into programming but find these topics very interesting to read. Thanks for sharing.
