A vulnerability patched in 2021 is being actively exploited in attacks on VMware ESXi servers


The ESXiArgs campaign has already hit about 3,200 servers; administrators have been urged to scan their systems.

The French Computer Emergency Response Team (CERT-FR) has warned that attackers are actively exploiting the 2021 RCE vulnerability in unpatched VMware ESXi servers to deploy the new ESXiArgs ransomware.

CVE-2021-21974 (CVSS 8.8) is a heap buffer overflow in the OpenSLP service that allows remote code execution and can be exploited by an unauthenticated attacker. It is worth noting that a fix was released in February 2021.

To block incoming attacks, administrators must disable the vulnerable Service Location Protocol (SLP) on ESXi hypervisors that have not yet been updated. CERT-FR added that non-updated systems should also be scanned for signs of compromise.

CVE-2021-21974 affects the following systems:

ESXi version 7.x up to ESXi70U1c-17325551;
ESXi version 6.7.x up to ESXi670-202102401-SG;
ESXi version 6.5.x up to ESXi650-202102101-SG.

According to Censys, around 3,200 VMware ESXi servers worldwide were compromised in the ESXiArgs ransomware campaign. The malware encrypts ".vmxf", ".vmx", ".vmdk", ".vmsd" and ".nvram" files on compromised ESXi servers and creates an ".args" file for each encrypted file, containing metadata (probably required for decryption).

On infected systems, ESXiArgs leaves ransom notes named "ransom.html" and "How to Restore Your Files.html", in either ".html" or ".txt" format.
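The file-level indicators above (".args" sidecars next to VM files with the listed extensions, plus the two ransom-note names) can be checked with a small triage script. The script below is an added example, not code from the article or from any of the researchers it cites; it assumes the sidecar is named "<original file>.args" beside the encrypted file, and the sample listing is constructed.

```python
"""Triage an ESXi datastore file listing for the ESXiArgs artefacts described above."""
from pathlib import Path, PurePosixPath
from typing import Dict, List

# Extensions ESXiArgs encrypts and the ransom-note names, as reported in the article
# (notes may be dropped as .html or .txt).
ENCRYPTED_EXTS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
RANSOM_NOTES = {"ransom.html", "ransom.txt",
                "how to restore your files.html", "how to restore your files.txt"}


def scan_listing(paths: List[str]) -> Dict[str, List[str]]:
    """Classify indicators in a list of datastore paths.

    args_sidecars : VM files that have a matching "<file>.args" sidecar
                    (assumed naming: sidecar sits beside the encrypted file).
    orphan_args   : ".args" files whose original is missing or not a VM file type;
                    still worth a look, but weaker evidence.
    ransom_notes  : ransom notes matched by name, case-insensitively.
    """
    present = set(paths)
    result: Dict[str, List[str]] = {"args_sidecars": [], "orphan_args": [], "ransom_notes": []}
    for p in paths:
        name = PurePosixPath(p).name
        if name.lower() in RANSOM_NOTES:
            result["ransom_notes"].append(p)
        elif name.endswith(".args"):
            original = p[: -len(".args")]
            if original in present and PurePosixPath(original).suffix.lower() in ENCRYPTED_EXTS:
                result["args_sidecars"].append(original)
            else:
                result["orphan_args"].append(p)
    return result


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a mounted datastore (e.g. /vmfs/volumes/<name>) and run scan_listing on it."""
    return scan_listing([str(p) for p in Path(root).rglob("*") if p.is_file()])


def is_compromised(paths: List[str]) -> bool:
    """True when strong indicators (sidecar pairs or ransom notes) are present."""
    r = scan_listing(paths)
    return bool(r["args_sidecars"] or r["ransom_notes"])


# Constructed sample listing for demonstration; not real data from any incident.
SAMPLE = [
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/web01/web01.vmx.args",
    "/vmfs/volumes/datastore1/web01/web01.vmdk",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.args",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk",
    "/vmfs/volumes/datastore1/ransom.html",
    "/vmfs/volumes/datastore1/How to Restore Your Files.html",
    "/vmfs/volumes/datastore1/db01/db01.vmx",
]
```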

Michael Gillespie of ID Ransomware analyzed the ransomware and stated that the encrypted files cannot be decrypted. For encryption, ESXiArgs generates 32 bytes using a cryptographically secure pseudo-random number generator (CSPRNG); this key is then used to encrypt the file with Sosemanuk, a secure stream cipher. The file key is encrypted with RSA and appended to the end of the file.

The use of the Sosemanuk algorithm indicates that ESXiArgs is likely based on the leaked Babuk source code, which was previously used in other campaigns targeting ESXi, such as CheersCrypt.

Earlier, cybersecurity researcher Will Thomas of the Equinix Threat Intelligence Center (ETAC) discovered that a new version of the Royal ransomware had added support for encrypting Linux devices in order to attack VMware ESXi virtual machines.

For those affected, security researcher Enes Sonmez has written a guide to help administrators reconfigure their virtual machines and recover data for free. Specialists from BleepingComputer have also launched a dedicated ESXiArgs support thread where victims share their experience of this attack and get help recovering their machines.