Attackers are actively targeting VMware ESXi servers that have not yet been patched against a two-year-old remote code execution vulnerability in order to deploy the new ESXiArgs ransomware, according to administrators, hosting providers and the French Computer Emergency Response Team (CERT-FR). The flaw, tracked as CVE-2021-21974, is a heap overflow in the OpenSLP service that an unauthenticated attacker with network access to port 427 can exploit in low-complexity attacks.
CERT-FR said the attack campaigns “appear to be exploiting the vulnerability CVE-2021-21974, for which a fix has been available since February 23, 2021,” adding that “ESXi hypervisors in version 6.x and earlier would be the systems currently targeted.” Administrators who cannot patch immediately should disable the vulnerable Service Location Protocol (SLP) service on their ESXi hypervisors to block incoming attacks.
The patch should be installed as soon as possible. CERT-FR also advises scanning any system that has remained unpatched for evidence of compromise, since disabling SLP does nothing for a host that was already breached.
CVE-2021-21974 affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
The large wave of attacks against VMware ESXi servers was initially linked to the Nevada ransomware operation in a report released today by the French cloud service provider OVHcloud.
“Authorities and ecosystem specialists believe they could be connected to the Nevada ransomware because they use the CVE-2021-21974 vulnerability as a compromise vector. Investigations are still being conducted to support such hypotheses,” said Julien Levrard, CISO of OVHcloud.
The attacks appear to arrive over the OpenSLP port (427) and predominantly hit ESXi servers older than 7.0 U3i.
New ESXiArgs ransomware encrypts files
Judging by the ransom notes, however, the attacks do not appear to be connected to the Nevada ransomware and instead look like the work of a brand-new ransomware family.
On infected ESXi hosts, the ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd and .nvram extensions and creates a .args file for each encrypted file containing metadata that is likely needed for decryption.
The threat actors claim to have stolen data in these attacks, but at least one victim reported otherwise: “According to the results of our investigation, no data has been compromised. We observed traffic statistics for the last 90 days and couldn’t find any indication of outgoing data transfer,” a user posting as “Admin” said. “In our example, the hacked system had more than 500 GB of data but only used 2 Mbps regularly.”
Victims have found ransom notes named “ransom.html” and “How to Restore Your Files.html” on encrypted systems; others said their notes were plain-text files.
Ransomware Targeting VMware ESXi
Fortunately, the ransomware used in this attack is poorly implemented. OVHcloud, which observed the campaign, believes the encryption sometimes fails and that no data is exfiltrated, and decryption tools are already available.
OVHcloud also reported the following indicators of compromise:
- The compromise vector is an OpenSLP vulnerability, probably CVE-2021-21974 (still to be confirmed).
- The user dc-ui shows up in the logs as involved in the compromise.
- Encryption uses a public key that the malware drops in /tmp/public.pem.
- The encryption process specifically targets virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem) and first tries to kill the VMX process of each VM to release the file locks.
- That step does not always work as intended, so some files remain locked.
- The malware writes an argsfile to save the arguments passed to the encryption code: the number of MB to skip, the number of MB per encryption block, and the file size.
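The following shell script is an added example that ties the SLP mitigation recommended earlier on this page to the indicators of compromise listed above; it is not tooling from CERT-FR, OVHcloud or VMware. The indicator names (/tmp/public.pem, the .args files, the two ransom note filenames and the dc-ui user) come from the article. The datastore root, the hostd.log path and the ESXi commands used to stop and firewall slpd are assumptions about a standard ESXi host and are not stated on the page.

```shell
#!/bin/sh
# Added triage helper for the ESXiArgs indicators described in the article.
# Example code, not CERT-FR's, OVHcloud's or VMware's tooling.
# Indicator names come from the article; the default paths and the esxcli /
# chkconfig commands are assumptions about a standard ESXi host.

# esxiargs_scan <datastore_root> [<tmp_dir>] [<hostd_log>]
# Prints one line per indicator found, then a final "indicators: N" line.
# Returns 1 when anything was found and 0 when clean, so it can gate a job.
esxiargs_scan() {
    root="$1"
    tmp="${2:-/tmp}"                  # assumption: where public.pem is dropped
    log="${3:-/var/log/hostd.log}"    # assumption: where dc-ui activity shows
    n=0

    # 1. Public key dropped by the encryptor.
    if [ -f "$tmp/public.pem" ]; then
        echo "KEY   $tmp/public.pem"
        n=$((n + 1))
    fi

    # 2. Per-file .args metadata written next to encrypted VM files.
    find "$root" -type f -name '*.args' -print 2>/dev/null | sed 's/^/ARGS  /'
    k=$(find "$root" -type f -name '*.args' 2>/dev/null | wc -l | tr -d ' ')
    n=$((n + k))

    # 3. Ransom notes. One name contains spaces, so the result is counted
    #    with wc instead of being word-split in a for loop.
    find "$root" -type f \( -name 'ransom.html' -o -name 'How to Restore Your Files.html' \) \
        -print 2>/dev/null | sed 's/^/NOTE  /'
    k=$(find "$root" -type f \( -name 'ransom.html' -o -name 'How to Restore Your Files.html' \) \
        2>/dev/null | wc -l | tr -d ' ')
    n=$((n + k))

    # 4. dc-ui in the host log. dc-ui is also a legitimate ESXi UI account, so
    #    its presence is reported as context and not counted as an indicator.
    if [ -f "$log" ]; then
        k=$(grep -c 'dc-ui' "$log" 2>/dev/null || true)
        echo "INFO  $k dc-ui line(s) in $log (review manually)"
    fi

    echo "indicators: $n"
    [ "$n" -eq 0 ]
}

# esxi_disable_slp
# Stopgap for hosts that cannot be patched yet: stop slpd, close its firewall
# ruleset and keep it off across reboots. Must be run on the ESXi host itself
# (assumed VMware commands); it is not exercised by the scan above.
esxi_disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    # Verify: ruleset disabled and nothing listening on 427.
    esxcli network firewall ruleset list -r CIMSLP
    esxcli network ip connection list | grep ':427' || echo "nothing on 427"
}

# Usage on a host: esxiargs_scan /vmfs/volumes || echo "review this host"
```

Run the scan against /vmfs/volumes on each host before applying the mitigation: a host that already has a public.pem, .args files or ransom notes needs incident response, not just an slpd stop. Disabling SLP is a stopgap and the vendor patch should still be applied.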
Administrators can use the indicators above to determine whether their hosts were targeted by this campaign and whether the ransomware actually ran.
Separately, VMware published a security advisory on February 2 for an arbitrary file deletion vulnerability in version 17.x of its Workstation desktop hypervisor. Tracked as CVE-2023-20854 and rated 7.8/10, it allows a malicious actor with local user access to the victim's computer to delete arbitrary files from the file system.