VMware Security Response Center

Protecting vSphere From Specialized Malware

Over the past few years, threat actors have adapted their tactics to focus on the specific operating systems and operating environments that hold the most sensitive data, or where an attack can have the greatest effect. By developing and using more specialized techniques, cyber criminals increase their opportunities to steal intellectual property, ransom and extort their victims, and extend that extortion to their victims’ customers. Malicious actors gain access to these target environments through a variety of methods, often by exploiting operational security weaknesses: poor credential management, weak network security practices, and unhardened operating environments.

Mandiant has brought to our attention a new variant of malware targeting vSphere. What sets this malware apart is that it is built to remain both persistent and covert, which is consistent with the goals of larger threat actors and APT groups that target strategic institutions and intend to dwell undetected for an extended period. This contrasts with other threat actors, whose toolkits are built for “noisy,” financially motivated ransomware attacks.

We would like to thank Mandiant for sharing their findings. Much more information on detection and mitigation techniques for this malware, answers to common questions, and preventative guidance on strengthening operational security, secure configuration practices, and defense-in-depth is available in our document “Protecting vSphere From Specialized Malware” at core.vmware.com.