A 2021 vulnerability, patched long ago, is being actively exploited in attacks on VMware ESXi servers

The ESXiArgs campaign has already affected about 3,200 servers; administrators have been urged to scan their systems.

The French Computer Emergency Response Team (CERT-FR) has warned that attackers are actively exploiting a 2021 RCE vulnerability in unpatched VMware ESXi servers to deploy the new ESXiArgs ransomware.

CVE-2021-21974 (CVSS 8.8) is a heap buffer overflow in the OpenSLP service that allows remote code execution by an unauthenticated attacker. Notably, the fix for this bug was released in February 2021.

To block incoming attacks, administrators must disable the vulnerable Service Location Protocol (SLP) on ESXi hypervisors that have not yet been updated. CERT-FR added that systems that were not updated should also be scanned for signs of compromise.

CVE-2021-21974 affects the following systems:

ESXi 7.x prior to ESXi70U1c-17325551;
ESXi 6.7.x prior to ESXi670-202102401-SG;
ESXi 6.5.x prior to ESXi650-202102101-SG.

According to Censys, around 3,200 VMware ESXi servers worldwide were compromised in the ESXiArgs ransomware campaign. The malware encrypts ".vmxf", ".vmx", ".vmdk", ".vmsd" and ".nvram" files on compromised ESXi servers and creates an ".args" file for each encrypted document containing metadata (probably required for decryption).

On infected systems, ESXiArgs leaves ransom notes named "ransom.html" and "How to Restore Your Files.html", in ".html" or ".txt" form.
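The two paragraphs above give a defender enough to triage a datastore: the VM file types the malware targets, the ".args" companion it writes per encrypted file, and the ransom note names. The following scanner is an added example written for this article, not code from CERT-FR, Censys or any vendor. It assumes the companion file is named by appending ".args" to the original file name (e.g. "webvm.vmdk.args"), which the article does not state explicitly; the sample datastore it builds is constructed for the demo and is not real ESXi data.

```python
import json
import os
import tempfile
from pathlib import Path

# File types the article reports ESXiArgs encrypting on a compromised host.
ENCRYPTED_EXTENSIONS = {".vmxf", ".vmx", ".vmsd", ".vmdk", ".nvram"}
# Ransom note file names reported in the article.
RANSOM_NOTE_NAMES = {"ransom.html", "How to Restore Your Files.html"}


def scan_for_esxiargs(root):
    """Walk a datastore tree and collect ESXiArgs indicators.

    Returns a dict of sorted paths relative to root:
      ransom_notes      - files whose name matches a known note name
      args_files        - every ".args" file found
      suspect_encrypted - VM files that sit next to their own ".args" companion
      orphan_args       - ".args" files with no matching VM file beside them
    """
    root = Path(root)
    findings = {"ransom_notes": [], "args_files": [],
                "suspect_encrypted": [], "orphan_args": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in RANSOM_NOTE_NAMES:
            findings["ransom_notes"].append(rel)
        elif path.suffix == ".args":
            findings["args_files"].append(rel)
            # Assumed naming: "webvm.vmdk.args" describes "webvm.vmdk".
            original = path.with_suffix("")
            if original.suffix in ENCRYPTED_EXTENSIONS and original.is_file():
                findings["suspect_encrypted"].append(
                    original.relative_to(root).as_posix())
            else:
                findings["orphan_args"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(base):
    """Create a constructed datastore layout for the demo (not real ESXi data)."""
    ds = Path(base) / "datastore1"
    hit = ds / "webvm"
    hit.mkdir(parents=True)
    (hit / "webvm.vmdk").write_bytes(os.urandom(256))          # stand-in for ciphertext
    (hit / "webvm.vmdk.args").write_text("constructed metadata\n")
    (hit / "webvm.vmx").write_text('.encoding = "UTF-8"\n')    # untouched config file
    (ds / "ransom.html").write_text("<html>constructed note</html>\n")
    clean = ds / "dbvm"
    clean.mkdir()
    (clean / "dbvm.vmdk").write_text("# Disk DescriptorFile\n")  # ordinary descriptor text
    (clean / "notes.txt.args").write_text("x\n")  # ".args" with no VM file beside it
    return ds


def run_demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_esxiargs(build_sample_tree(tmp))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Point `scan_for_esxiargs` at a mounted datastore path to get a first triage list; a VM file paired with its ".args" companion is the strongest signal, while a note name alone or an orphan ".args" file is worth a manual look but not proof on its own.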

Michael Gillespie of ID Ransomware analyzed the ransomware and stated that the encrypted files cannot be decrypted. For encryption, ESXiArgs generates 32 bytes using a cryptographically secure pseudo-random number generator (CSPRNG) and uses them as the key to encrypt the file with Sosemanuk, a secure stream cipher. The file key is then encrypted with RSA and appended to the end of the file.

The use of the Sosemanuk algorithm indicates that ESXiArgs is likely based on the leaked Babuk source code, which was previously used in other anti-ESXi campaigns such as CheersCrypt.

Earlier, cybersecurity researcher Will Thomas of the Equinix Threat Intelligence Center (ETAC) discovered that a new version of the Royal ransomware had added support for encrypting Linux devices in order to attack VMware ESXi virtual machines.

For those affected, security researcher Enes Sonmez has created a guide to help administrators reconfigure their virtual machines and recover data for free. Specialists from BleepingComputer have also launched a dedicated ESXiArgs support thread where people report their experience with this attack and get help recovering their machines.

Author: DeepWeb