Exploit found by researchers on VMware ESXi servers, which allows criminals to send remote commands to the compromised infrastructure
VMware ESXi virtualization servers are the target of a backdoor recently discovered by security researchers, which allows remote code execution on the host to carry out attacks. The Python-based backdoor was found on unidentified corporate infrastructure and relied on two known, already-patched security holes to get in.
According to Juniper Networks experts, who disclosed the threat, the criminals responsible for the compromise used vulnerabilities identified in 2019 and 2020. CVE-2019-5544 and CVE-2020-3992 affect OpenSLP, an open-source implementation of the Service Location Protocol, which lets hosts discover and configure services available on the network.
Both vulnerabilities have already been patched by VMware, but as the discovery showed, they are still being used by cybercriminals. The initial compromise vector could not be confirmed, as the available logs were insufficient; Juniper Networks did observe, however, a clear intent to establish persistence on the network and carry out targeted attacks on virtualization servers.
The backdoor modifies files so that its changes survive a reboot of the machine. Launched alongside other services during server startup, the malware receives encrypted commands, sent by the criminals in a way that makes detection difficult. The result is execution of malicious code on compromised machines and the ability to carry out different types of attacks; the indications are of a campaign still in preparation, as no further compromises have been detected.
Juniper Networks also points out that the malware itself is cross-platform and able to run on Unix and Linux systems in general. However, there are lines of code that specifically reference characteristics of VMware ESXi servers, suggesting that this is a targeted operation, with malware created specifically for this platform.
The cybersecurity firm has released indicators of compromise and technical details to help detect any compromises. The recommendation is also to update all servers and to use tooling that monitors network connections and file changes, especially changes that take effect during machine restarts; only trusted remote connections should be allowed, in order to prevent new remote compromises.
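The monitoring advice above (watch for file changes that take effect across a reboot) can be put into practice with a baseline-and-compare check on the scripts a host runs at startup. The following is an added example written for this article; it is not code from Juniper Networks or VMware, and it does not know which files the backdoor touched. The file names it creates (`local.sh`, `old.sh`, `extra.py`) are constructed placeholders in a temporary directory; on a real host you would point `build_manifest` at the actual startup scripts and boot configuration of the hypervisor, record the baseline right after patching, and compare after every reboot.

```python
"""Baseline-and-compare integrity check for startup scripts.

Added example, not part of the article or of Juniper's report. The file
list below is an assumption: replace it with the real startup scripts of
the host being monitored. Record a baseline after patching, then run the
comparison after each reboot (or on a schedule) and alert on any change.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Return {path: {sha256, size, mode}} for every listed file that exists.

    Missing files are simply absent from the manifest, so a file that
    disappears between two runs shows up as 'removed' in the comparison.
    """
    manifest = {}
    for p in paths:
        p = Path(p)
        if p.is_file():
            st = p.stat()
            manifest[str(p)] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return manifest


def compare_manifests(baseline, current):
    """Classify differences between two manifests.

    modified: present in both, content hash differs
    added:    present now, absent from the baseline
    removed:  present in the baseline, absent now
    """
    modified = sorted(
        p for p in baseline
        if p in current and baseline[p]["sha256"] != current[p]["sha256"]
    )
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def save_manifest(manifest, out: Path) -> None:
    """Persist the baseline; store this copy off-host so malware cannot edit it."""
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: a baseline, then a 'post-reboot' check.

    Returns the comparison with file names only, so the result does not
    depend on the temporary directory's path.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        local_sh = root / "local.sh"      # constructed stand-in for a startup script
        old_sh = root / "old.sh"          # constructed file that will be removed
        extra_py = root / "extra.py"      # constructed file that will appear later
        local_sh.write_text("#!/bin/sh\nexit 0\n")
        old_sh.write_text("#!/bin/sh\nexit 0\n")

        baseline = build_manifest([local_sh, old_sh, extra_py])
        save_manifest(baseline, root / "baseline.json")

        # Simulate what a persistence mechanism might leave behind:
        # an edited startup script, a new file, and a deleted file.
        local_sh.write_text("#!/bin/sh\n# constructed change\nexit 0\n")
        extra_py.write_text("print('constructed')\n")
        old_sh.unlink()

        current = build_manifest([local_sh, old_sh, extra_py])
        diff = compare_manifests(load_manifest(root / "baseline.json"), current)
        return {k: [Path(p).name for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest records size and permission bits alongside the hash, but only the hash decides "modified", because a changed mode on an unchanged file is worth a separate, lower-severity alert. Keeping the baseline off the host matters: a process that can rewrite startup scripts can also rewrite a baseline stored next to them.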
Source: Juniper Networks
Source: Terra

Camila Luna is a writer at Gossipify, where she covers the latest movies and television series. With a passion for all things entertainment, Camila brings her unique perspective to her writing and offers readers an inside look at the industry. Camila is a graduate of the University of California, Los Angeles (UCLA) with a degree in English and is also an avid movie watcher.