Following several reports from security firms and cyber-security publications, it is apparent that several ransomware gangs are actively exploiting a two-year-old vulnerability that allows remote code execution on VMware ESXi servers. One of the initial warnings was issued by the French Computer Emergency Response Team (CERT-FR), which warned users of those servers that threat actors were abusing CVE-2021-21974.
News of the vulnerability broke in February 2021, when VMware and researchers described the flaw as a remote code execution (RCE) vulnerability in the OpenSLP service of ESXi that may allow attackers to take control of affected hosts.
Ultimately, the flaw is a heap overflow in the OpenSLP service that can be triggered by an unauthenticated attacker who sits on the same network segment as the host and can reach port 427, in a relatively low-complexity attack.
The flaw was rated 8.8 out of 10 (CVSS v3) in VMware's security advisory. A patch has been available since February 2021, and administrators running ESXi are strongly advised to double-check that their hosts carry it. Where patching is not immediately possible, the vulnerable Service Location Protocol (SLP) service can be disabled on the hypervisor and port 427 closed in the host firewall.
According to Julien Levrard of OVHcloud, the ransomware strain used in the wild initially looked related to the Nevada ransomware strain. Levrard said,
“According to experts from the ecosystem as well as authorities, they might be related to Nevada ransomware and are using CVE-2021-21974 as compromise vector. Investigations are still ongoing to confirm those assumptions…The attack is primarily targeting ESXi servers in version before 7.0 U3i, apparently through the OpenSLP port (427).”
This assertion that the threat actor was using either Nevada or a modified version of it was quickly walked back by OVHcloud, which noted in an update,
“In the previous version of the post, we made the assumption the attack was linked to the Nevada Ransomware which was a mistake. No material can lead us to attribute this attack to any group. Attribution is never easy and we leave security researchers to make their own conclusions.”
Given that attribution is incredibly difficult, it is completely understandable that mistakes are made, and often the truth is stranger than fiction.
While researchers were still working out who was responsible on the first day the attacks were seen in the wild, the threat actor (more likely actors, given how modern ransomware operations are run) had already encrypted approximately 120 ESXi servers. Researchers soon realised they were dealing with a new ransomware operation.
The new ransomware has been named ESXiArgs, after its primary target, at least for now, vulnerable ESXi servers, and the .args file it produces for each encrypted file to hold the encryption metadata.
Currently, the ransomware targets files with the extensions .vmxf, .vmx, .vmdk, .vmsd and .nvram, the files that make up a virtual machine, and gives each encrypted file an additional .args extension. Other information to assist victims has been shared on Bleeping Computer's forum. Bleeping Computer notes,
“Overall, the ransomware campaign has not seen much success considering the large number of encrypted devices, with the Ransomwhere ransom payment tracking service reporting only four ransom payments for a total of $88,000…The lack of ransom payments is likely due to a VMware ESXi recovery guide created by security researcher Enes Sonmez, allowing many admins to rebuild their virtual machines and recover their data for free.”
For those looking to determine whether the threat actors distributing the new ransomware have breached their network: the malware adds the following files to /tmp:
- encrypt - The encryptor ELF executable.
- encrypt.sh - A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor.
- public.pem - A public RSA key used to encrypt the per-file encryption key.
- motd - The ransom note in text form, which is copied to /etc/motd so it is shown on login. The server's original file is copied to /etc/motd1.
- index.html - The ransom note in HTML form, which replaces VMware ESXi's home page. The server's original file is copied to index1.html in the same folder.
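The following triage script is an added example written for this article; it is not code from the article, from VMware or from Bleeping Computer. It checks a host (or a copied filesystem) for the /tmp artifacts, ransom-note backups and .args files listed above, and it wraps the SLP mitigation mentioned earlier, using the commands VMware documents in KB 76372 for disabling the service. The ESXi UI docroot path used for the index1.html check is an assumption; the other file names are those in the indicator list. It is written for the busybox sh found on ESXi.

```shell
#!/bin/sh
# esxiargs_triage.sh - added example, not code from the article, VMware or
# Bleeping Computer. Runs on busybox sh (ESXi's shell) and on any POSIX sh
# for offline checks against a copied filesystem.
#
#   sh esxiargs_triage.sh check [ROOT]   # look for the ESXiArgs artifacts
#   sh esxiargs_triage.sh slp            # is OpenSLP (slpd) enabled on this host?
#   sh esxiargs_triage.sh disable-slp    # VMware KB 76372 steps to turn it off

# check_iocs ROOT: print each ESXiArgs indicator found under ROOT and
# return the number found (0 means nothing matched). ROOT is "/" on a
# live host or the mount point of a copied filesystem during triage.
check_iocs() {
    root="${1:-/}"
    hits=0

    # Files the campaign drops into /tmp (names from the indicator list).
    for f in tmp/encrypt tmp/encrypt.sh tmp/public.pem tmp/motd tmp/index.html; do
        if [ -e "$root/$f" ]; then
            echo "IOC: dropped file $root/$f"
            hits=$((hits + 1))
        fi
    done

    # Backups encrypt.sh leaves of the originals it overwrites with the note.
    # /etc/motd1 is from the indicator list; the UI docroot path is an
    # assumption about where ESXi serves its landing page.
    for f in etc/motd1 usr/lib/vmware/hostd/docroot/ui/index1.html; do
        if [ -e "$root/$f" ]; then
            echo "IOC: ransom-note backup $root/$f"
            hits=$((hits + 1))
        fi
    done

    # Encrypted VM files carry an extra .args extension.
    args_files=$(find "$root" -name '*.args' 2>/dev/null)
    if [ -n "$args_files" ]; then
        echo "$args_files" | sed 's/^/IOC: encrypted file /'
        n=$(echo "$args_files" | wc -l)
        hits=$((hits + n))
    fi

    if [ "$hits" -gt 255 ]; then hits=255; fi   # exit codes are 0-255
    return "$hits"
}

# slp_status: report whether slpd starts at boot (the service reached over
# port 427). Returns 0 if disabled, 1 if enabled, 2 when not on an ESXi host.
slp_status() {
    if ! command -v chkconfig >/dev/null 2>&1; then
        echo "chkconfig not found: run this on the ESXi host"
        return 2
    fi
    if chkconfig --list 2>/dev/null | grep -q '^slpd[[:space:]][[:space:]]*on'; then
        echo "slpd: enabled (port 427 exposed unless the host is patched)"
        return 1
    fi
    echo "slpd: disabled"
    return 0
}

# disable_slp: the mitigation VMware documents in KB 76372 for hosts that
# cannot be patched right away. Must be run in the ESXi shell as root.
disable_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found: run this on the ESXi host"
        return 2
    fi
    /etc/init.d/slpd stop                                 # stop the daemon now
    esxcli network firewall ruleset set -r CIMSLP -e 0    # close 427 in the host firewall
    chkconfig slpd off                                    # keep it off after reboot
    chkconfig --list | grep slpd                          # expect "slpd  off"
}

case "${1:-}" in
    check)       check_iocs "${2:-/}" ;;
    slp)         slp_status ;;
    disable-slp) disable_slp ;;
esac
```

On a live host, `check /` walks every datastore under /vmfs/volumes looking for .args files, so expect it to take a while on large hosts; for a first look, point it at a single datastore path instead. Note that `/etc/init.d/slpd stop` only succeeds when nothing is using the service, and that disabling SLP is a stopgap: the host still needs the February 2021 patch.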
ESXiArgs is not the only ransomware strain seen targeting ESXi. The developers behind the Royal ransomware have added a Linux version that researchers believe is intended for vulnerable ESXi servers. The Linux version was discovered by Will Thomas, who noted that it is executed from the command line. Some of its options include:
- -stopvm - Stops all running VMs so they can be encrypted
- -vmonly - Only encrypt virtual machines
- -fork - Current functionality is yet to be determined
- -logs - Current functionality is yet to be determined
- -id - An ID that must be 32 characters long
To help protect its customers, VMware has advised the following,
“Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)...With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. In addition, VMware has recommended disabling the OpenSLP service in ESXi."