VMware Cloud Community
cve_ZA
Contributor

VMware Security Compromised

Hi All.

I hope that this has been posted in the correct forum section. I would like
to find out if anyone else is seeing the same thing within your own
environments.

On Thursday 22nd Feb 2018 we noticed extremely high CPU usage within one of our VMware
clusters, which consists of 3 physical hosts. After further investigation we
noticed the same in our other clusters.

When signing into the cluster we could not account for the high utilization.
Each individual virtual server's usage did not account for the high utilization;
something else was causing this.

We then signed into each host directly, and what we found was rather
disturbing: a virtual server on that host that our team did not provision or
have any idea about. When we connected to this virtual server we noted an Ubuntu OS,
and this virtual server had 16GB RAM and 32 vCPUs assigned to it. The CPUs were
peaking at 100%. After further investigation, each host within our
organization had 1 unknown virtual server on it. All these virtual servers had
16GB RAM and 32 vCPUs running at 100%. These virtual servers were somehow
hidden from the main cluster. These servers all had the word LAB in their names.

Has anyone else picked this up?

Sorry, forgot to mention that we're running VMware ESXi 6.0.

5 Replies
bwilsey84
Enthusiast

What versions are your hosts/vCenter running? I've noticed high CPU usage from a host, but it was on an isolated LAN.

cve_ZA
Contributor

We're running ESXi 6.0.

klabiak
Enthusiast

Are you sure no one in your institution created lab VMs?

I wonder if there are some logs or tasks/events for these systems so you can trace where they were created from.

TheBobkin
Champion

Hello cve_ZA,

Yes, it is possible to prevent VMs from being visible from a vCenter/vSphere level:

http://www.virten.net/2015/10/how-to-hide-a-virtual-machine/

@klabiak

"I wonder if there was some logs, task/events for this systems so you can trace from where they was created."

Yes, there *should* be connection logs from users and for such tasks, but whether they are still present depends on log retention and when this was initiated.

If no one that had/has access to your infrastructure would have created such VMs, then the naming of 'LAB' is potentially part of the ruse - evaluate your current security configuration for vulnerabilities and remediate any holes such as compromised users.

Bob

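One defender-side check that follows from this thread (a VM present on a host but missing from the vCenter view): compare each host's own registered-VM list against the names exported from vCenter. This is an added example, not code from the thread or from VMware; it assumes the admin has captured `vim-cmd vmsvc/getallvms` output from the ESXi shell of each host (that command lists VMs registered with the host's own hostd) and a plain list of VM names from vCenter. The host output and inventory below are constructed sample data.

```python
import re
from typing import Dict, List, Set, Tuple

# One data row of `vim-cmd vmsvc/getallvms` (ESXi shell), columns:
#   Vmid  Name  File  Guest OS  Version  Annotation
# Assumption: the File column is "[datastore] path/to/vm.vmx".
GETALLVMS_ROW = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<name>.+?)\s+"
    r"(?P<file>\[[^\]]+\]\s+\S+\.vmx)\s+"
    r"(?P<guest>\S+)\s+(?P<version>vmx-\d+)"
)


def parse_getallvms(output: str) -> List[Dict[str, str]]:
    """Parse getallvms text into one dict per VM; header/blank lines are skipped."""
    vms = []
    for line in output.splitlines():
        m = GETALLVMS_ROW.match(line.strip())
        if m:
            vms.append(m.groupdict())
    return vms


def find_unregistered_vms(host_outputs: Dict[str, str],
                          vcenter_names: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, vmid, name, guest) for VMs a host knows but vCenter does not."""
    findings = []
    for host, output in host_outputs.items():
        for vm in parse_getallvms(output):
            if vm["name"] not in vcenter_names:
                findings.append((host, vm["vmid"], vm["name"], vm["guest"]))
    return findings


# Constructed sample data: two hosts' getallvms output and the VM names
# exported from vCenter. 'LAB-03' is registered on esx02 but absent from vCenter.
SAMPLE_HOSTS = {
    "esx01": """Vmid   Name    File                          Guest OS              Version   Annotation
1      web01   [datastore1] web01/web01.vmx   rhel7_64Guest         vmx-11
2      db01    [datastore1] db01/db01.vmx     windows9Server64Guest vmx-11
""",
    "esx02": """Vmid   Name    File                          Guest OS              Version   Annotation
3      app01   [datastore2] app01/app01.vmx   rhel7_64Guest         vmx-11
7      LAB-03  [datastore2] LAB-03/LAB-03.vmx ubuntu64Guest         vmx-11
""",
}
SAMPLE_VCENTER_INVENTORY = {"web01", "db01", "app01"}

if __name__ == "__main__":
    for host, vmid, name, guest in find_unregistered_vms(SAMPLE_HOSTS, SAMPLE_VCENTER_INVENTORY):
        print(f"{host}: VM {vmid} '{name}' ({guest}) is not in the vCenter inventory")
```

A VM flagged here is the starting point for the log review suggested above (who connected to that host, and when the VM was registered), not proof of compromise on its own.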
cve_ZA
Contributor

Hi All.

I can confirm that this was NOT created by anyone in our organization. Also
note that the company that has access to our environment and monitors our
VMware infrastructure for us has noted that what we have experienced has in
fact been experienced by about 5 other clients of theirs, all
within South Africa.
