How can we help?
VMWare has released a new patch set to remediate vulnerabilities in a number of their products, while (separately) ransomware threat actors have been seen to be shifting their Tactics, Techniques and Processes in order to target Linux infrastructures and, more specifically, the VMWare ESXi host devices.
VMware Workspace One Access and Identity Manager, allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication.
The following products are affected by the vulnerabilities for which patches have been released:
- VMware Workspace One Access (Access) versions 20.10 & 20.10.01
- VMware Identity Manager (vIDM) version 3.3.5, 3.3.4, 3.3.3 & 3.3.2
- VMware vRealize Automation (vRA) version 8.x & 7.6
- VMware Cloud Foundation version 4.x
- vRealize Suite Lifecycle Manager version 8.x
A number of popular vulnerability management systems have already updated their detection mechanisms to identify the vulnerabilities. Another, less reliable, mechanism would be to try accessing the /cfg web application via port 443 using a customised header.
Ransomware group BackMatter (a possible rebrand of the DarkSide ransomware group) have developed a version of their ransomware encryptor that works on Linux and are actively targeting VMWare ESXi host machines. This does make strategic sense for the group given that VMWare ESXi is the most popular virtual machine platform and that encrypting the host platform is more efficient than targeting individual servers which they may not have identified, may be offline at the time, or be on a network with in inaccessible to them. BlackMatter are not the only ransomware group now targeting Linux and specifically VMWare ESXi, REvil, HelloKitty, Babuk, RansomExx/Defray, Mespinoza, and GoGoogle have also created Linux encryptors for this purpose.
Indicators of Compromise
There are no IoC’s available for the VMWare vulnerabilities remediated by the latest patch release, however, security researcher Vitali Kremez reverse engineered a sample of the BlackMatter’s Linux Encryptor and identified:
The creation of an “esxi_utils” library:
bool app::esxi_utils::get_domain_name(std::vector >&)
bool app::esxi_utils::get_running_vms(std::vector >&)
bool app::esxi_utils::get_process_list(std::vector >&)
bool app::esxi_utils::get_os_version(std::vector >&)
bool app::esxi_utils::get_storage_list(std::vector >&)
bool app::esxi_utils::stop_vm(const string&)
Each of these functions execute different commands via the legitimate esxcli command-line tool.
Unexpected/unauthorised shutting down of virtual machines on a host
Containment, Mitigations & Remediations
Patches have been released, for most of the affected products, to remediate the identified vulnerabilities and can be linked to via the VMWare security advisory in the Further Information section. If it is not possible to apply the patches, workarounds for some (but not all) products have been identified and can be linked to via the VMWare Knowledgebase (kb) articles listed in the Further Information section.
It is advisable, wherever possible, to implement detection and alerting of the presence and execution of the libraries and functions listed under the IoC’s section.