Specialised Malware Targeting Unsigned vSphere Installation Bundles
3 October 2022
Security researchers have released an advisory on specialised malware found in the wild targeting vSphere, which can be used to compromise computer systems. During their investigations, the researchers have so far found no evidence that a vulnerability in a VMware product was exploited to gain access to VMware ESXi.
Successful exploitation could allow an attacker to leverage unsigned vSphere Installation Bundles (VIBs) to install backdoors on a compromised ESXi host. It should be noted that the attacker must first obtain administrative privileges (root) on an ESXi host prior to installing a malicious VIB.
To mitigate the risk of an attacker attaining persistence on a compromised ESXi host via malicious VIB installation, users of VMware are advised to enable the Secure Boot feature in ESXi and to contact their hardware vendor for steps on how to enable UEFI / Secure Boot for their system.
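As an audit step alongside Secure Boot, the following added example (not part of the original advisory) flags installed VIBs whose acceptance level is below a chosen threshold, reading the output of `esxcli software vib list`. The function names `vibs_below_level` and `sample_vib_list` are hypothetical, and the sample listing is constructed for illustration.

```shell
#!/bin/sh
# Added example: flag installed VIBs whose acceptance level is below a threshold.
# On an ESXi host, feed it live data, e.g. against the host's own level:
#   esxcli software vib list | vibs_below_level "$(esxcli software acceptance get)"

vibs_below_level() {
    # $1 = minimum acceptable level. The default, PartnerSupported, flags
    #      CommunitySupported, the level that carries no signature.
    awk -v min="${1:-PartnerSupported}" '
        BEGIN {
            rank["CommunitySupported"] = 1   # unsigned
            rank["PartnerSupported"]   = 2
            rank["VMwareAccepted"]     = 3
            rank["VMwareCertified"]    = 4
            if (!(min in rank)) {
                print "unknown acceptance level: " min > "/dev/stderr"
                exit 2
            }
        }
        {
            # Locate the acceptance-level column by value, so the header,
            # the separator row and any extra columns are ignored.
            for (i = 2; i <= NF; i++)
                if ($i in rank) {
                    if (rank[$i] < rank[min]) print $1, $i
                    break
                }
        }
    '
}

# Constructed sample in the column layout of `esxcli software vib list`;
# names, versions and dates are placeholders, not real packages.
sample_vib_list() {
cat <<'EOF'
Name            Version                  Vendor  Acceptance Level    Install Date
--------------  -----------------------  ------  ------------------  ------------
esx-base        7.0.3-0.0.00000000       VMware  VMwareCertified     2022-01-01
example-driver  1.0.0-1OEM.000.0.0.0000  ACME    PartnerSupported    2022-01-01
example-tool    1.0-1                    ACME    CommunitySupported  2022-09-01
EOF
}

# Demo run on the constructed sample: prints the one unsigned VIB.
sample_vib_list | vibs_below_level PartnerSupported
```

The level listed is the one each VIB declares, so also run `esxcli software vib signature verify` to check the signatures themselves.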
More information is available here:
https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence
https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening
https://core.vmware.com/vsphere-esxi-mandiant-malware-persistence#introduction
https://kb.vmware.com/s/article/89619