Published: February 7, 2023

Overview

A ransomware attack is targeting VMWare ESXi servers worldwide with a ransomware strain called ESXiArgs. This ransomware campaign is leveraging an old heap overflow vulnerability (CVE-2021-21974) in the OpenSLP (Service Location Protocol) service used in ESXi servers.

Background

OpenSLP vulnerability (CVE-2021-1974) is a heap overflow vulnerability (with CVSSv3 score of 8.8) that can be exploited by an actor who has access to its TCP port. This exploitation can lead to Remote Code Execution. And this is what is manipulated by the ESXiArgs ransomware.

Impact

The OpenSLP vulnerability enables the ransomware campaign to execute code remotely and ransom attack the victim. The victim’s data is encrypted using a public key deployed by the malware. The malware targets virtual machine files (.vmdk .vmx .vmxf, etc.) for encryption.

The malware tries to shut down the virtual machines to unlock the files so that they can be encrypted. This may not happen for every virtual file, so the malware is not able to encrypt every virtual machine file.

Applicable Versions

This OpenSLP vulnerability (CVE-2021-21974) can be easily exploited by a threat actor who has access to the OpenSLP TCP port 427 of the ESXi server resulting in Remote Code Execution which can be used for ransomware attack. The ESXi servers which are public facing and easily accessible through public net are vulnerable to this ransomware attack.

Since the vulnerability is an old bug, it is likely that patch has been applied to ESXi server. However, the patching requires downtime of the ESXi server, so many might not have updated the fix.

Affected OS Versions

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

Patch Versions

  • ESXi70U1c-17325551 for 7.0
  • ESXi670-202102401-SG for 6.7
  • ESXi650-202102101-SG for 6.5

Mitigations / Workarounds

  • Apply the patch to the effected above versions with the corresponding patched versions.
  • Backup your system data regularly with a robust data backup system so that data is not lost due to ransomware attack.
  • Disable the OpenSLP service on VMWare ESXi servers.

Netsurion Detection and Response

At this time, our Netsurion Managed Open XDR security experts have determined that no Netsurion infrastructure, products, or modules have been found to be impacted as the ESXi servers in Netsurion network is already updated with the patch for CVE-2021-21974.

Our Security Operations Center (SOC) will detect and report any related ESXi (OpenSLP) vulnerabilities to our customers and partners who subscribe to Netsurion Vulnerability Management.

Indicators of Compromise (IoCs)

  • The encryption process is specifically targeting virtual machine files (“.vmdk”, “.vmx”, “vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, “.vmem”)
  • The malware tries to shut down virtual machines by killing the VMX process to unlock the files
  • The malware creates “argsfile” to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size)
  • Partial encryption files

When the server is breached, the following files are stored in the /tmp folder:

  • encrypt – the encryptor ELF executable
  • encrypt.sh – A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor, as described below.
  • public.pem – A public RSA key used to encrypt the key that encrypts a file.
  • motd – The ransom note in text form that will be copied to /etc/motd so it is shown on login. The server’s original file will be copied to /etc/motd1.
  • index.html – The ransom note in HTML form that will replace VMware ESXi’s home page. The server’s original file will be copied to index1.html in the same folder.

Detection by Netsurion Vulnerability Management Service

The Netsurion Vulnerability Management System signature database has long been updated with CVE-2021-21974 detection and can be used to scan this vulnerability easily in hosted environment.

Contact your Netsurion Account Manager with any questions.

References: