Overview
VMware released a security advisory on February 6th, 2023, about ongoing exploitation of a vulnerability in ESXi’s OpenSLP service. This new ransomware campaign targets public-facing ESXi servers worldwide. The campaign is growing exponentially, with approximately 3,000 victims as of the morning of Monday, Feb. 6th, 2023. The new malware variant, ESXiArgs, exploits a remote code execution vulnerability. It is important to note that the malicious actors are leveraging a two-year-old vulnerability (CVE-2021-21974). This attack reveals how many servers have been left unpatched over the past two years, with the SLP service still running and the OpenSLP port (427) still exposed. CVE-2021-21974 affects the following systems:
ESXi Vulnerable Versions
Product | Vulnerable Versions
ESXi 7.0 | All 7.0 versions prior to ESXi70U1c-17325551
ESXi 6.7 | All 6.7 versions prior to ESXi670-202102401-SG
ESXi 6.5 | All 6.5 versions prior to ESXi650-202102101-SG
ESXi Latest Versions
Product | Latest Version
ESXi 8.0 | ESXi80a-20842819
ESXi 7.0 | ESXi70U3si-20841705
ESXi 6.7 | ESXi670-202210001
Once ESXiArgs gains access to a VMware ESXi server, it deploys encrypt[.]sh, which performs various tasks in the /tmp folder before running the encryption tool. OVHCloud confirmed that the adversary behind the attack exhibited the following characteristics:
- Exploited CVE-2021-21974 for initial access.
- Encrypted the victim’s files with the public key.
- Targeted virtual machine file extensions such as “.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram” and “.vmem”.
- Attempted to shut down the virtual machine VMX process to unlock files.
- Created “argsfile” to store the arguments passed to the encryption binary.
Something to look out for is that ESXiArgs evades detection by deleting itself from /store/packages/vmtools.py. Open-source news media noted that ransom notes were left behind: ESXiArgs appends the “.args” extension to encrypted files and drops ransom[.]html and “How to Restore Your Files”[.]html.
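The file-system indicators above (VM file types targeted, the “.args” extension appended to encrypted files, and the two ransom note names) lend themselves to a quick datastore triage. The script below is an added example and not part of the original advisory; the datastore paths in SAMPLE_LISTING are constructed for illustration.

```python
"""Triage a VMware datastore listing for ESXiArgs encryption artifacts.

Added example, not from the original advisory. The sample listing below
is constructed; the indicators come from the write-up above.
"""
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# VM file types the write-up lists as targeted by the encryptor.
TARGETED_EXTENSIONS = {
    ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
    ".vswp", ".vmss", ".nvram", ".vmem",
}
# Ransom notes reported as left behind (shown defanged in the write-up).
RANSOM_NOTES = {"ransom.html", "How to Restore Your Files.html"}
ENCRYPTED_SUFFIX = ".args"


def classify_path(path: str) -> Optional[str]:
    """Return 'encrypted', 'note', or None for a single datastore path."""
    p = PurePosixPath(path)
    if p.name in RANSOM_NOTES:
        return "note"
    # An encrypted VM file looks like "<name>.<vm-ext>.args"; a bare
    # ".args" file whose inner extension is not a VM file type is ignored.
    if p.suffix == ENCRYPTED_SUFFIX:
        inner_ext = PurePosixPath(p.stem).suffix.lower()
        if inner_ext in TARGETED_EXTENSIONS:
            return "encrypted"
    return None


def triage_listing(paths: List[str]) -> Dict[str, List[str]]:
    """Group a datastore listing into encrypted VM files and ransom notes."""
    findings: Dict[str, List[str]] = {"encrypted": [], "note": []}
    for path in paths:
        kind = classify_path(path)
        if kind is not None:
            findings[kind].append(path)
    return findings


# Constructed sample listing: one encrypted VM, one untouched VM, two notes,
# and a ".args" file that is not a VM file.
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmx.args",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.args",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk",
    "/vmfs/volumes/datastore1/web01/web01.nvram.args",
    "/vmfs/volumes/datastore1/db01/db01.vmx",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
    "/vmfs/volumes/datastore1/ransom.html",
    "/vmfs/volumes/datastore1/How to Restore Your Files.html",
    "/vmfs/volumes/datastore1/notes/readme.args",
]

if __name__ == "__main__":
    for kind, hits in triage_listing(SAMPLE_LISTING).items():
        print(f"{kind}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Feed it the output of a recursive listing of /vmfs/volumes to get a per-VM view of what was encrypted; the “-flat.vmdk” data files are not renamed in the sample, matching the extension list above.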
Recommendations
If you have ESXi servers, below are recommendations to secure them against this threat, based on the information available to us so far.
- Patch or upgrade your ESXi servers.
- Disable SLP Service if you are not able to patch immediately.
- Do not expose ESXi servers directly to the Internet.
If you have not been affected by this vulnerability, it is important to patch the server as soon as possible. You must also disable the SLP service and make the servers unreachable from the internet.
Sources
https://www.vmware.com/security/advisories/VMSA-2022-0033.html – VMware Advisory
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974 – CVE
https://www.helpnetsecurity.com/2023/02/06/vmware-esxi-ransomware-cve-2021-21974/
https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/