Vulnerable VMware ESXi servers worldwide have been targeted over the past several days in a massive ransomware attack exploiting a flaw for which a patch was made available in 2021.
The attacks, which have come to be called ESXiArgs, are still being analyzed by the cybersecurity community, but the information available to date indicates that threat actors are exploiting CVE-2021-21974, a high-severity heap overflow flaw in the ESXi OpenSLP service that VMware patched almost a year ago (February 2021).
VMware said in its advisory last year, “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.”
Proof-of-concept (PoC) code and details on CVE-2021-21974 were made public a few months after the patches were announced, but there were no previous reports of active exploitation.
The ransomware attacks that suddenly appeared over the weekend involve exploitation of the flaw to compromise ESXi servers and drop a piece of malware that encrypts files tied to virtual machines. Files with extensions including .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram and .vmem are being targeted, per French cloud service provider OVH. These attacks appear to focus on vulnerable ESXi servers with port 427 open to the public Internet.
OVH also noted that the malware shuts down VM processes before initiating its encryption routine, though the routine does not seem to execute properly: in some instances files are only partially encrypted. That partial encryption allows victims to recover them without paying a ransom. Of note, no evidence has been seen of data being exfiltrated from victim machines.
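Because OVH reports that files are sometimes only partially encrypted, a defender triaging a datastore wants to know which of the targeted VM files are wholly, partly or not at all encrypted before attempting recovery. The following is an added example, not code from the article, OVH or VMware: it scans the file types listed above block by block and estimates the fraction of high-entropy (encrypted-looking) blocks; the 4 KiB block size and the 7.5 bits/byte threshold are assumptions, and the sample datastore is constructed inline.

```python
import math
import os
import tempfile
from pathlib import Path

# File types OVH reported as targeted by ESXiArgs (from the article).
TARGETED_EXTS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", ".vmem"}
BLOCK = 4096          # scan granularity in bytes (assumption, not an ESXiArgs constant)
HIGH_ENTROPY = 7.5    # bits/byte; random-looking data approaches 8.0 (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def encrypted_fraction(path: Path) -> float:
    """Fraction of BLOCK-sized chunks in the file that look encrypted."""
    total = high = 0
    with path.open("rb") as f:
        while chunk := f.read(BLOCK):
            total += 1
            if shannon_entropy(chunk) >= HIGH_ENTROPY:
                high += 1
    return high / total if total else 0.0

def triage_datastore(root: Path) -> dict[str, float]:
    """Map each targeted VM file under root to its estimated encrypted fraction.
    0.0 = untouched, 1.0 = fully encrypted, in between = partially encrypted (recovery candidate)."""
    return {str(p.relative_to(root)): encrypted_fraction(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in TARGETED_EXTS}

def build_sample_datastore() -> Path:
    """Constructed sample: an untouched config, a fully and a partially 'encrypted' disk."""
    root = Path(tempfile.mkdtemp())
    (root / "vm1.vmx").write_bytes(b'config.version = "8"\n' * 100)          # plaintext
    (root / "vm1.vmdk").write_bytes(os.urandom(BLOCK * 8))                     # all 8 blocks random
    (root / "vm2.vmdk").write_bytes(os.urandom(BLOCK * 2) + b"\x00" * (BLOCK * 6))  # 2 of 8 random
    (root / "notes.txt").write_bytes(os.urandom(BLOCK))                        # not a targeted type
    return root

if __name__ == "__main__":
    for name, frac in sorted(triage_datastore(build_sample_datastore()).items()):
        print(f"{name}: {frac:.2f} of blocks look encrypted")
```

Files scoring strictly between 0 and 1 are the ones worth attempting to recover; a file at 1.0 has no intact blocks left to salvage.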
The attacks were initially misattributed to the Nevada and Cheerscrypt (Emperor Dragonfly) ransomware families. Only after more intensive research were they linked to the new ESXiArgs ransomware operation.
According to security company Censys, more than two thousand ESXi instances appear to be impacted. At the time of writing, many antivirus providers do not yet detect the ESXiArgs malware.
Contact Webcheck today for a free discussion of how we can serve you and help your organization avoid falling victim to ESXiArgs and similar attacks.