Researchers at the Threat Labs of Juniper Networks have discovered a new Python-based backdoor that targets VMware ESXi virtualization servers.
Although the targeted servers were affected by well-known security flaws (like CVE-2019-5544 and CVE-2020-3992) that were probably used for the initial compromise, the researchers were more interested in the backdoor’s ease of use, persistence, and capabilities. To ensure the persistent execution of a Python script at startup, the threat actor modified a total of four files on the target, which the system backs up and restores after a reboot.
By altering file timestamps and selecting particular files that wouldn’t attract much attention on a virtualization host, the attackers also tried to conceal the backdoor’s existence on the system.
Read More: New Python-Based Backdoor Targeting VMware ESXi Servers