VMware Cloud Community
cve_ZA
Contributor

VMware Security Compromised

Hi All.

I hope this has been posted in the correct forum section. I would like
to find out if anyone else is seeing the same thing in their own
environments.

On Thursday 22 Feb 2018 we noticed extremely high CPU usage in one of our VMware
clusters, which consists of 3 physical hosts. After further investigation we
noticed the same in our other clusters.

When we signed into the cluster we could not account for the high utilization.
The usage of the individual virtual servers did not add up to the high utilization;
something else was causing this.

We then signed into each host directly and what we found was rather
disturbing: a virtual server on that host that our team did not provision or
have any idea about. When we connected to this virtual server we noted an Ubuntu OS,
and this virtual server had 16GB RAM and 32 vCPUs assigned to it. The CPUs were
operating at a peak of 100%. After further investigation, each host within our
organization had 1 unknown virtual server on it. All these virtual servers had
16GB RAM and 32 vCPUs running at 100%. These virtual servers were somehow
hidden from the main cluster. These servers all had the word LAB in their names.

Has anyone else picked this up?

Sorry, forgot to mention that we're running VMware ESXi 6.0.

2 Replies
mprazeres183
Enthusiast

Hi cve_ZA,

First question: did you already deploy the security patches for Spectre and Meltdown?

VMware Knowledge Base

If not, please go ahead and install those patches ASAP.
It looks like someone hacked into your vCenter / ESXi hosts and your infrastructure was used to mine BTC / LTC or whatever.

We had a similar issue on our TEST environment that wasn't Patched.

Furthermore, change the root passwords of each ESXi host, change the passwords of the vCenters and all attached storage (NFS), and of any tools that communicate directly with vCenter at all.

Then check with your firewall team, or yourself, to block incoming traffic. There is an option called "Block brute force attacks" (you can say: if IP xy tried more than 5 times in less than 10 seconds, or similar, block the IP) to be sure that you are not under attack anymore.

Hope you get rid of it ASAP.

Best regards,
Marco

Check my blog, and if my answer resolved the issue, please provide feedback. Marco Frias - VMware is my World www.vmtn.blog
cve_ZA
Contributor

Greetings mprazeres183.

Thanks for your reply. Yes, we've patched everything as well as changed passwords and disabled unused accounts. What we are now trying to identify is what was deployed into our environment and, if possible, whether there is any reference to it on the web. I can confirm that it is an Ubuntu OS and it was assigned 16GB RAM and 32 vCPUs.

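The check both posters describe doing by hand (signing into each host and comparing what it runs against what vCenter shows) can be scripted once the host output has been collected. The script below is an added example, not code from either poster or from VMware: it reconciles the text output of `vim-cmd vmsvc/getallvms` and `find /vmfs/volumes -name '*.vmx'` gathered from one ESXi host, plus the contents of the .vmx files, against the VM names visible in vCenter, and flags VMs that are registered on the host but not in vCenter, .vmx files sitting on a datastore without being registered at all, names carrying the "LAB" marker from this thread, and sizing far above what the environment normally uses. The sample data is constructed; the vCPU/memory thresholds and the name marker are assumptions tuned to this thread and should be adjusted per environment.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# ---- Constructed sample data (invented for this example, not from the thread) ----
# Text of `vim-cmd vmsvc/getallvms` on one ESXi host (real column layout, fake VMs).
GETALLVMS_OUTPUT = """\
Vmid   Name          File                                    Guest OS                Version   Annotation
12     web-prod-01   [datastore1] web-prod-01/web-prod-01.vmx    rhel7_64Guest           vmx-11
14     db-prod-01    [datastore1] db-prod-01/db-prod-01.vmx      windows8Server64Guest   vmx-11
27     LAB-node1     [datastore2] LAB-node1/LAB-node1.vmx        ubuntu64Guest           vmx-11
"""
# VM names the team sees in the vCenter inventory for that host's cluster.
VCENTER_INVENTORY = {"web-prod-01", "db-prod-01"}
# Output of `find /vmfs/volumes -name '*.vmx'` on the same host.
DATASTORE_VMX_PATHS = [
    "/vmfs/volumes/datastore1/web-prod-01/web-prod-01.vmx",
    "/vmfs/volumes/datastore1/db-prod-01/db-prod-01.vmx",
    "/vmfs/volumes/datastore2/LAB-node1/LAB-node1.vmx",
    "/vmfs/volumes/datastore2/LAB-node2/LAB-node2.vmx",  # on disk, never registered
]
# Relevant lines of each .vmx file, keyed by its datastore path.
VMX_FILES = {
    "/vmfs/volumes/datastore1/web-prod-01/web-prod-01.vmx":
        'displayName = "web-prod-01"\nnumvcpus = "4"\nmemSize = "8192"\nguestOS = "rhel7-64"\n',
    "/vmfs/volumes/datastore1/db-prod-01/db-prod-01.vmx":
        'displayName = "db-prod-01"\nnumvcpus = "8"\nmemSize = "8192"\nguestOS = "windows8srv-64"\n',
    "/vmfs/volumes/datastore2/LAB-node1/LAB-node1.vmx":
        'displayName = "LAB-node1"\nnumvcpus = "32"\nmemSize = "16384"\nguestOS = "ubuntu-64"\n',
    "/vmfs/volumes/datastore2/LAB-node2/LAB-node2.vmx":
        'displayName = "LAB-node2"\nnumvcpus = "32"\nmemSize = "16384"\nguestOS = "ubuntu-64"\n',
}

# Vmid, Name (may contain spaces), "[datastore] path.vmx", Guest OS, Version
LINE_RE = re.compile(r"^(\d+)\s+(.+?)\s+(\[[^\]]+\]\s+\S+)\s+(\S+)\s+(vmx-\d+)")
VMX_KV_RE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$', re.M)


@dataclass
class Finding:
    name: str
    vmx_path: str
    vcpu: int
    mem_mb: int
    reasons: List[str] = field(default_factory=list)


def parse_getallvms(text: str) -> List[dict]:
    """Parse the tabular output of `vim-cmd vmsvc/getallvms`; header lines are skipped."""
    vms = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            vms.append({"vmid": int(m[1]), "name": m[2], "file": m[3], "guest": m[4]})
    return vms


def bracket_to_fs_path(bracket_path: str) -> str:
    """'[datastore1] vm/vm.vmx' -> '/vmfs/volumes/datastore1/vm/vm.vmx'."""
    ds, rel = re.match(r"\[([^\]]+)\]\s+(\S+)", bracket_path).groups()
    return f"/vmfs/volumes/{ds}/{rel}"


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse the key = "value" lines of a .vmx file into a dict."""
    return dict(VMX_KV_RE.findall(text))


def _sizing(cfg: Dict[str, str]):
    # numvcpus is absent from the .vmx when a VM has a single vCPU
    return int(cfg.get("numvcpus", "1")), int(cfg.get("memSize", "0"))


def audit_host(getallvms_text: str, vcenter_names: Set[str], datastore_vmx_paths: List[str],
               vmx_files: Dict[str, str], max_vcpu: int = 8, max_mem_mb: int = 8192,
               name_marker: str = "LAB") -> List[Finding]:
    """Return one Finding per suspicious VM: registered-but-hidden, unregistered, marked or oversized."""
    def common_reasons(name: str, vcpu: int, mem_mb: int) -> List[str]:
        reasons = []
        if name_marker.lower() in name.lower():
            reasons.append(f"name contains marker {name_marker!r}")
        if vcpu > max_vcpu or mem_mb > max_mem_mb:  # thresholds are an assumption
            reasons.append(f"oversized for this environment: {vcpu} vCPU / {mem_mb} MB")
        return reasons

    findings, registered_paths = [], set()
    for vm in parse_getallvms(getallvms_text):
        path = bracket_to_fs_path(vm["file"])
        registered_paths.add(path)
        vcpu, mem_mb = _sizing(parse_vmx(vmx_files.get(path, "")))
        reasons = [] if vm["name"] in vcenter_names else ["registered on host but absent from vCenter inventory"]
        reasons += common_reasons(vm["name"], vcpu, mem_mb)
        if reasons:
            findings.append(Finding(vm["name"], path, vcpu, mem_mb, reasons))
    for path in datastore_vmx_paths:  # .vmx files nobody registered are still worth a look
        if path not in registered_paths:
            cfg = parse_vmx(vmx_files.get(path, ""))
            vcpu, mem_mb = _sizing(cfg)
            name = cfg.get("displayName", path.rsplit("/", 1)[-1])
            reasons = ["vmx on datastore not registered with this host"] + common_reasons(name, vcpu, mem_mb)
            findings.append(Finding(name, path, vcpu, mem_mb, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_host(GETALLVMS_OUTPUT, VCENTER_INVENTORY, DATASTORE_VMX_PATHS, VMX_FILES):
        print(f"{f.name}: {f.vcpu} vCPU / {f.mem_mb} MB -> " + "; ".join(f.reasons))
```

Run it once per host with that host's collected output; the host-side collection itself (SSH to the host, `vim-cmd vmsvc/getallvms`, `find /vmfs/volumes -name '*.vmx'`, and `cat` of each .vmx) is deliberately kept outside the script so the same reconciliation can be run against evidence preserved during the incident rather than against a host that may still be under the attacker's control.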