Overview

VMware released a security advisory on February 6th, 2023, about ongoing exploitation of a vulnerability in ESXi’s OpenSLP service. This new ransomware campaign targets public-facing ESXi servers worldwide. The campaign is growing exponentially, with approximately 3,000 victims as of the morning of Monday, Feb. 6th, 2023. The new malware variant, ESXiArgs, exploits a remote code execution vulnerability. It is important to note that the malicious actors are leveraging a two-year-old vulnerability (CVE-2021-21974). This attack reveals how many servers have been left unpatched over the past two years, with the SLP service still running and the OpenSLP port (427) still exposed. CVE-2021-21974 affects the following systems:

ESXi Vulnerable Versions

  Product     Vulnerable Versions
  ESXi 7.0    All 7.0 versions prior to ESXi70U1c-17325551
  ESXi 6.7    All 6.7 versions prior to ESXi670-202102401-SG
  ESXi 6.5    All 6.5 versions prior to ESXi650-202102101-SG

ESXi Latest Versions

  Product     Latest Version
  ESXi 8.0    ESXi80a-20842819
  ESXi 7.0    ESXi70U3si-20841705
  ESXi 6.7    ESXi670-202210001

Once ESXiArgs gains access to a VMware ESXi server, it deploys the encrypt[.]sh script, which performs several preparatory tasks in the /tmp folder before running the encryption tool. OVHcloud confirmed that the adversary behind the attack exhibited the following characteristics:

  • Exploited CVE-2021-21974 for initial access.
  • Encrypted the victim’s files with the public key.
  • Targeted virtual machine file extensions such as .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram and .vmem.
  • Attempted to shut down the virtual machine VMX process to unlock files.
  • Created an “argsfile” to store the arguments passed to the encryption binary.

Something to look out for is that ESXiArgs evades detection by deleting itself from /store/packages/vmtools.py. Open-source news media reported that ransom notes were left behind: ESXiArgs appends the “.args” extension to the encrypted files and drops ransom[.]html and “How to Restore Your Files”[.]html.

Recommendations

If you have ESXi servers, below are recommendations to secure them against this threat, based on what has been made available so far.

  1. Patch or upgrade your ESXi servers.
  2. Disable SLP Service if you are not able to patch immediately.
  3. Do not expose ESXi servers directly to the Internet.

If you have not been affected by this vulnerability, it is important to patch the server as soon as possible. You must also disable the SLP service and make the servers unreachable from the internet.
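The three recommendations above map to three things you can verify on each host: the build number against the fixed builds, whether slpd is running, and whether the CIMSLP firewall ruleset (port 427) is enabled. The following triage helper is an added example, not code from the advisory or from VMware; it assumes the output of `vmware -vl`, `/etc/init.d/slpd status` and `esxcli network firewall ruleset list` has been captured to text, and it assumes the fixed build numbers for the 6.7 and 6.5 bulletins (17499825 and 17477841, which are not stated in the advisory and should be checked against VMware’s release notes).

```python
import re

# Minimum build per branch that contains the CVE-2021-21974 fix.
FIXED_BUILD = {
    "7.0": 17325551,  # ESXi70U1c-17325551, taken from the advisory table
    "6.7": 17499825,  # ESXi670-202102401-SG, assumed build number (verify)
    "6.5": 17477841,  # ESXi650-202102101-SG, assumed build number (verify)
}

def parse_version(vmware_vl: str):
    """Return (branch, build) from `vmware -vl` output such as 'VMware ESXi 7.0.0 build-16324942'."""
    m = re.search(r"ESXi (\d+\.\d+)\.\d+ build-(\d+)", vmware_vl)
    if not m:
        raise ValueError("unrecognised vmware -vl output")
    return m.group(1), int(m.group(2))

def is_vulnerable_build(branch: str, build: int) -> bool:
    """True when the branch is in scope and the build predates the fix; other branches (e.g. 8.0) are not flagged."""
    fixed = FIXED_BUILD.get(branch)
    return fixed is not None and build < fixed

def slpd_running(status_output: str) -> bool:
    """`/etc/init.d/slpd status` prints 'slpd is running' or 'slpd is not running'."""
    return "slpd is running" in status_output

def slp_firewall_open(ruleset_list: str) -> bool:
    """Look for the CIMSLP row in `esxcli network firewall ruleset list` (columns: Name, Enabled)."""
    for line in ruleset_list.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "CIMSLP":
            return fields[1].lower() == "true"
    return False

def assess(vmware_vl: str, slpd_status: str, ruleset_list: str) -> list:
    """Return one finding per recommendation that is still outstanding on this host."""
    branch, build = parse_version(vmware_vl)
    findings = []
    if is_vulnerable_build(branch, build):
        findings.append(f"ESXi {branch} build {build} predates fixed build {FIXED_BUILD[branch]}: patch/upgrade")
    if slpd_running(slpd_status):
        findings.append("slpd is running: /etc/init.d/slpd stop && chkconfig slpd off")
    if slp_firewall_open(ruleset_list):
        findings.append("CIMSLP ruleset enabled (tcp/427): esxcli network firewall ruleset set -r CIMSLP -e 0")
    return findings

# Constructed sample output for an unpatched 7.0 host with SLP running and exposed.
SAMPLE_VL = "VMware ESXi 7.0.0 build-16324942\nVMware ESXi 7.0 GA\n"
SAMPLE_SLPD = "slpd is running\n"
SAMPLE_RULESETS = "Name       Enabled\n---------  -------\nsshServer  true\nCIMSLP     true\n"

if __name__ == "__main__":
    for finding in assess(SAMPLE_VL, SAMPLE_SLPD, SAMPLE_RULESETS):
        print(finding)
```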

Sources

https://www.vmware.com/security/advisories/VMSA-2022-0033.html – VMware Advisory
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974 – CVE
https://www.helpnetsecurity.com/2023/02/06/vmware-esxi-ransomware-cve-2021-21974/
https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/