- Juniper Networks researchers spotted an undocumented Python backdoor targeting VMware ESXi servers.
- Researchers noticed several indications that this attack was designed specifically to target ESXi.
- Researchers state that the implanted backdoor is notable for its simplicity, persistence, and capabilities.
Juniper Networks researchers announced that they have found an undocumented Python backdoor, allowing attackers to execute commands remotely. Most commonly, attackers are exploiting two vulnerabilities in the ESXi’s OpenSLP service (CVE-2019-5544 and CVE-2020-3992) to attack unpatched ESXi servers. Due to limited log retention on compromised devices, it is difficult to be sure which vulnerability is enabling attackers to access the server.
Python backdoor
Researchers stated that they have discovered multiple indicators that show that the attack was designed specifically to target ESXi servers. The file’s name and location were chosen to raise little suspicion on a virtualization host. It starts with a VMware copyright consistent with publicly available examples and taken from an existing Python file.
```python
#!/bin/python
"""
Copyright 2011 - 2014 VMware, Inc. All rights reserved.
This module starts debug tools
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
```
The script launches a web server that accepts password-protected POST requests. It can be used in two ways:
- It can run arbitrary remote commands and display the results as a webpage.
- It can launch a reverse shell to the host and port of the attacker’s choice.
This server binds to port 8008 on the local IP address 127.0.0.1 and accepts 5 misleadingly named parameters:
- server_namespace: password protecting the backdoor from unintended use
- server_instance: either “local” (run commands directly) or “remote” (reverse shell)
- operation_id: command to execute (“local” only)
- envelope and path_set: host and port, respectively, for the reverse shell (“remote” only)
Mitigation:
- Apply all vendor patches as soon as possible.
- Restrict incoming network connections to trusted hosts.
- Check the contents and/or existence of the four files detailed above. By default, local.sh should contain only comments and an exit statement.
- Check all modified persistent system files for unexpected changes.
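The following script is an added example, not code from Juniper's write-up, that turns the checks above into something a defender can run on a host or against collected files. It assumes local.sh lives at /etc/rc.local.d/local.sh (an assumption; the text only names the file), and it flags a Python file by counting the fingerprints the text does give: the "This module starts debug tools" docstring, the http.server import, and the five misleadingly named request parameters. It also probes 127.0.0.1:8008, the address the backdoor binds to. The sample file contents are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Defensive checks for the ESXi Python backdoor described above (added example)."""
import os
import re
import socket
from typing import List

# Assumed path for local.sh on ESXi; the write-up names only the file.
LOCAL_SH_PATH = "/etc/rc.local.d/local.sh"

# Fingerprints taken from the snippet and parameter list in the write-up.
BACKDOOR_MARKERS = (
    "This module starts debug tools",
    "from http.server import BaseHTTPRequestHandler, HTTPServer",
)
BACKDOOR_PARAMS = ("server_namespace", "server_instance",
                   "operation_id", "envelope", "path_set")

# A line of local.sh is allowed if it is blank, a comment/shebang, or an exit statement.
LOCAL_SH_ALLOWED = re.compile(r"^\s*(#.*)?$|^\s*exit(\s+\d+)?\s*$")


def unexpected_local_sh_lines(text: str) -> List[str]:
    """Return lines of local.sh that are not comments, blanks, or an exit statement."""
    return [ln for ln in text.splitlines() if not LOCAL_SH_ALLOWED.match(ln)]


def backdoor_fingerprint_score(text: str) -> int:
    """Count how many known markers and parameter names appear in a Python source file."""
    hits = sum(1 for m in BACKDOOR_MARKERS if m in text)
    hits += sum(1 for p in BACKDOOR_PARAMS if p in text)
    return hits


def looks_like_backdoor(text: str, threshold: int = 4) -> bool:
    """A VMware copyright header alone is benign; several fingerprints together are not."""
    return backdoor_fingerprint_score(text) >= threshold


def port_is_listening(host: str = "127.0.0.1", port: int = 8008, timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on host:port (the backdoor's bind address)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample inputs for the demonstration (not real host data).
CLEAN_LOCAL_SH = """#!/bin/sh
# local configuration options
# Note: modify at your own risk!
exit 0
"""

TAMPERED_LOCAL_SH = """#!/bin/sh
# local configuration options
nohup /bin/python /tmp/example_implant.py &
exit 0
"""

BENIGN_PY = '"""Copyright 2011 - 2014 VMware, Inc. All rights reserved."""\nimport sys\n'

SUSPECT_PY = (
    '"""\nCopyright 2011 - 2014 VMware, Inc. All rights reserved.\n'
    'This module starts debug tools\n"""\n'
    'from http.server import BaseHTTPRequestHandler, HTTPServer\n'
    'FIELDS = ("server_namespace", "server_instance", "operation_id", "envelope", "path_set")\n'
)


def run_host_checks() -> List[str]:
    """Run the checks against the live host and return human-readable findings."""
    findings = []
    if os.path.exists(LOCAL_SH_PATH):
        with open(LOCAL_SH_PATH, encoding="utf-8", errors="replace") as fh:
            for ln in unexpected_local_sh_lines(fh.read()):
                findings.append(f"{LOCAL_SH_PATH}: unexpected line: {ln}")
    if port_is_listening():
        findings.append("127.0.0.1:8008 is accepting connections; identify the listening process")
    return findings


if __name__ == "__main__":
    for f in run_host_checks() or ["no findings"]:
        print(f)
```

The local.sh check deliberately treats the shebang as a comment, so a stock file produces no findings; the fingerprint score requires several markers, so a legitimate VMware-licensed script is not flagged on its copyright header alone.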