1.0 Introduction
VMware has recently published "Protecting vSphere From Specialized Malware", which addresses the malware families that Mandiant named VirtualPITA (ESXi and Linux), VirtualPIE (ESXi) and VirtualGATE (Windows). These are backdoors used to maintain persistent, privileged access to ESXi hosts and to the virtual machines running on them. On ESXi, persistence is achieved through maliciously crafted, unsigned vSphere Installation Bundles (VIBs); installing them requires administrative access to the host rather than exploitation of a product vulnerability.
2.0 Affected Products
• VMware ESXi
3.0 Impact
An attacker who has already obtained administrative access to an ESXi host can install these backdoors to retain persistent access to the host and its guest virtual machines, including across host reboots.
4.0 Recommendations
Users and administrators of VMware ESXi are urged to review the following for more information, to apply the recommended mitigations and to follow the threat hunting guidance:
• VMware: Protecting vSphere From Specialized Malware:
https://core.vmware.com/vsphere-esxi-mandiant-malware-persistence
• VMware: Knowledge Base 89619 - Mitigation and Threat Hunting Guidance for Unsigned vSphere Installation Bundles (VIBs) in ESXi (including a script to audit ESXi hosts):
https://kb.vmware.com/s/article/89619
• VMware: vSphere Security Configuration Guides (baseline hardening guidance for VMware vSphere):
https://via.vmw.com/scg
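The threat hunting guidance in KB 89619 centres on two checks: listing the VIBs installed on each host with their acceptance level, and verifying the signatures of those VIBs. The following script is an added example written for this advisory; it is not MyCERT's, Mandiant's or VMware's audit script. It triages the text output of `esxcli software vib list` and `esxcli software vib signature verify` so that suspect packages stand out. The VIB names, vendors and output rows below are constructed samples, the vendor allowlist is an assumption to be adjusted per environment, and it is also assumed that the last column of the signature output reads "Succeeded" for a validly signed VIB.

```shell
#!/bin/sh
# Added example: triage esxcli VIB output from an ESXi host.
# Run on the host (or on saved output):
#   esxcli software vib list             | triage_vib_list
#   esxcli software vib signature verify | triage_vib_signatures
# Both functions read stdin, so the constructed samples below stand in for
# a real host when testing offline.

# Flag VIBs with an acceptance level below PartnerSupported, or an unexpected
# level, or a vendor outside the site allowlist (assumed list; adjust it).
triage_vib_list() {
    allowed="${1:-^(VMW|VMware|DEL|HPE|LNV)$}"
    awk -v allowed="$allowed" '
        NR <= 2 { next }                      # header and dashed separator
        {
            # esxcli pads columns with two or more spaces
            n = split($0, f, /  +/)
            name = f[1]; vendor = f[3]; level = f[4]
            reason = ""
            if (level == "CommunitySupported")
                reason = "acceptance level " level
            else if (level != "VMwareCertified" && level != "VMwareAccepted" && level != "PartnerSupported")
                reason = "unexpected acceptance level " level
            if (vendor !~ allowed) {
                sep = (reason == "") ? "" : "; "
                reason = reason sep "unknown vendor " vendor
            }
            if (reason != "")
                printf "SUSPECT\t%s\t%s\t%s\n", name, vendor, reason
        }'
}

# Flag VIBs whose signature did not verify. A forged descriptor can claim
# PartnerSupported and a trusted-looking vendor, so this check is the one
# that catches a VIB forced onto the host without a valid signature.
# Assumption: the final column is "Succeeded" for a good signature.
triage_vib_signatures() {
    awk '
        NR <= 2 { next }
        {
            n = split($0, f, /  +/)
            if (f[n] != "Succeeded")
                printf "UNSIGNED\t%s\t%s\t%s\n", f[1], f[3], f[n]
        }'
}

# Constructed sample output (not from a real host). "esx-example-agent" and
# "esx-log-forwarder" are invented names used only to exercise the checks.
SAMPLE_VIB_LIST='Name               Version                        Vendor  Acceptance Level    Install Date
-----------------  -----------------------------  ------  ------------------  ------------
esx-base           7.0.3-0.35.19193900            VMW     VMwareCertified     2022-03-01
tools-light        11.3.5.18557794-19193900       VMW     VMwareCertified     2022-03-01
esx-log-forwarder  1.0.0-1                        VMware  PartnerSupported    2022-08-19
esx-example-agent  1.0.0-1                        ACME    CommunitySupported  2022-08-19'

SAMPLE_VIB_SIGS='Name               Version                        Vendor  Acceptance Level    Signature Verification
-----------------  -----------------------------  ------  ------------------  ----------------------
esx-base           7.0.3-0.35.19193900            VMW     VMwareCertified     Succeeded
tools-light        11.3.5.18557794-19193900       VMW     VMwareCertified     Succeeded
esx-log-forwarder  1.0.0-1                        VMware  PartnerSupported    Failed
esx-example-agent  1.0.0-1                        ACME    CommunitySupported  Failed'

# Demonstration on the samples. On a real host, pipe esxcli output instead.
printf '%s\n' "$SAMPLE_VIB_LIST" | triage_vib_list
printf '%s\n' "$SAMPLE_VIB_SIGS" | triage_vib_signatures

# Hardening referenced by KB 89619, to run on the host after cleanup:
#   esxcli software acceptance set --level=PartnerSupported
#   esxcli system settings advanced set -o /User/execInstalledOnly -i 1
```

Note that `esx-log-forwarder` passes the acceptance-level and vendor checks and is caught only by signature verification; treat any VIB that fails either check as a host-compromise lead to be investigated with the guidance in KB 89619 rather than simply removed.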
Generally, MyCERT advises users to keep up to date with the latest security announcements from the vendor and to follow best practices and their organisation's security policies when deciding which updates to apply.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
• https://www.cisa.gov/uscert/ncas/current-activity/2022/09/29/vmware-releases-guidance-virtualpita-virtualpie-and-virtualgate
• https://core.vmware.com/vsphere-esxi-mandiant-malware-persistence
• https://kb.vmware.com/s/article/89619
• https://via.vmw.com/scg