
[update] Two-year-old vulnerability used in ransomware attack against VMware ESXi

On Friday and over the weekend, several Computer Emergency Response Teams (CERTs) sounded the alarm about an ongoing large-scale ransomware attack on VMware ESXi virtual machines.

With some discrepancies between Shodan queries from various researchers, most agree that an estimated 500 entities were affected by the attack over the weekend.

Old vulnerability

The suspected vulnerability, which is listed as CVE-2021-21974, was patched by VMware almost two years ago. It is a heap-overflow vulnerability in OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG). A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

A buffer overflow is a type of software vulnerability that exists when a software application writes past the address boundary of an area of memory and into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. Heap memory is used by all the parts of an application, as opposed to stack memory, which is used by only one thread of execution.

Mitigation

The products that are vulnerable to CVE-2021-21974 are VMware ESXi and VMware Cloud Foundation (Cloud Foundation). To remediate CVE-2021-21974, apply the updates listed under 3b in the ‘Fixed Version’ column of the ‘Response Matrix’ to affected deployments.

The fixed versions are:

  • For ESXi 7.0: ESXi70U1c-17325551 or later
  • For ESXi 6.7: ESXi670-202102401-SG or later
  • For ESXi 6.5: ESXi650-202102101-SG or later
  • For Cloud Foundation (ESXi) 4.x: 4.2 or later
  • For Cloud Foundation (ESXi) 3.x: please refer to VMware KB82705

A recommended workaround if you are not using the OpenSLP service in ESXi is to disable the SLP service on VMware ESXi.
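To confirm the workaround actually took effect, the following added example (not from the article or from VMware) audits a host's SLP state from command output. It assumes the text output of `chkconfig --list` and `esxcli network firewall ruleset list`, with `slpd` as the service name and `CIMSLP` as the firewall ruleset name, none of which appear in the article; the sample output is constructed.

```shell
#!/bin/sh
# Added example: audit whether the SLP workaround is in place on an ESXi host.
# Inputs are the text output of two host commands (assumed, not from the article):
#   chkconfig --list                       -> boot-time state of the slpd service
#   esxcli network firewall ruleset list   -> state of the CIMSLP ruleset (port 427)

# Print column 2 of the first row whose column 1 equals $2, or "absent".
lookup() {
    printf '%s\n' "$1" | awk -v key="$2" \
        '$1 == key { print $2; found = 1; exit } END { if (!found) print "absent" }'
}

# Fail closed: only "slpd off" AND "CIMSLP false" counts as mitigated.
slp_verdict() {
    boot=$(lookup "$1" slpd)
    rule=$(lookup "$2" CIMSLP)
    if [ "$boot" = "off" ] && [ "$rule" = "false" ]; then
        echo "MITIGATED slpd=$boot CIMSLP=$rule"
    else
        echo "REVIEW slpd=$boot CIMSLP=$rule"
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE_CHKCONFIG_OPEN='ntpd                    on
slpd                    on
sfcbd-watchdog          on'
SAMPLE_RULESET_OPEN='Name      Enabled
--------  -------
sshServer   false
CIMSLP       true'
SAMPLE_CHKCONFIG_FIXED='ntpd                    on
slpd                    off'
SAMPLE_RULESET_FIXED='Name      Enabled
--------  -------
CIMSLP      false'

slp_verdict "$SAMPLE_CHKCONFIG_OPEN" "$SAMPLE_RULESET_OPEN"
slp_verdict "$SAMPLE_CHKCONFIG_FIXED" "$SAMPLE_RULESET_FIXED"
# A half-applied workaround (service off, ruleset still enabled) is flagged too.
slp_verdict "$SAMPLE_CHKCONFIG_FIXED" "$SAMPLE_RULESET_OPEN"
```

The boot-time state does not show whether the daemon is still running from before the change, so a host that has not had the service stopped or been rebooted still needs a separate check.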

Malwarebytes Endpoint Agent for Linux machines detects and removes Ransom.ELF.ESXi.Attacks.

Ransomware

Even though Proof-of-Concept (PoC) instructions were posted only a few months after the vulnerability was patched, we haven’t seen any reports of the exploit being used in the wild before February 3, 2023. The attack was aimed at vulnerable ESXi servers that are exposed to the internet on port 427. The threat actor runs an encryption process which specifically targets virtual machine files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, “*.vmem”), although some researchers have found instances where only the configuration files were encrypted. More on that later.

The ransomware group that reportedly launched this large-scale attack, dubbed ESXiArgs, against vulnerable ESXi is believed to be the new Nevada ransomware group.

Recently, it became known that the Royal ransomware group had added the ability to target Linux machines to their arsenal. With the transition of organizations to Virtual Machines (VMs), a Linux-based ransomware version allows them to target the very popular ESXi virtual machines.

Decryptable

Security researcher Matthieu Garin posted on social media that the attackers only encrypt the config files, and not the vmdk disks where the data is stored. In such cases, the Enes.dev website may be of help to you. The guide explains how admins can rebuild their virtual machines and recover their data for free.

According to research from BleepingComputer, the encryption routine itself is secure, which means there are no cryptography bugs that allow free decryption.

Disclaimers

Nevada may turn out to be the Linux variant of a well-known ransomware group.

While all clues point to CVE-2021-21974, there are several critical vulnerabilities in VMware ESXi, like CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699, that can potentially lead to remote code execution (RCE) on affected systems.

There may be special circumstances at work in the cases where only the config files were encrypted. For example, the ransomware tries to stop the VM so it can encrypt the file, but this may not always be successful, in which case the damage is limited to the config files.

When more details become available we will keep you updated here.

Update February 8, 2023

CISA has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. ESXiArgs-Recover is a tool to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks. CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is fit for attempting to recover access to files in their environment. CISA compiled this tool based on publicly available resources, including the tutorial by Enes Sonmez and Ahmet Aykac mentioned earlier.



ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.