Massive ransomware campaign targets unpatched VMware servers via old vulnerability
ESXiArgs ransomware exploits CVE-2021-21974, patched in 2021, to hack ESXi hypervisors
Unidentified attackers have begun a widespread ransomware campaign with the goal of infecting thousands of unpatched VMware ESXi servers by using a vulnerability that was patched about two years ago.
The French CERT (CERT-FR) and the French cloud computing firm OVH were the first to raise the alarm last week, claiming that the attackers were exploiting a security flaw tracked as CVE-2021-21974 to target ESXi hypervisors.
"According to current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021," CERT-FR said.
"The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7," it added.
According to security experts, CVE-2021-21974 is caused by a memory overflow in the OpenSLP service, which unauthenticated attackers can use to execute code remotely.
The new ransomware family, dubbed "ESXiArgs", encrypts files with the .vmx, .vmxf, .vmsd, .vmdk, and .nvram extensions on compromised ESXi hosts and generates a .args file for each encrypted file.
Michael Gillespie of ID Ransomware examined a copy of the ESXiArgs encryptor and found no obvious cryptographic weakness that would enable decryption.
According to Italian cybersecurity experts, the ESXi issue might be exploited by unauthenticated actors in low-complexity attacks that do not depend on employee passwords or secrets.
A Censys search found that the ESXiArgs ransomware campaign has so far impacted more than 3,200 VMware systems globally. France has been hit the worst, followed by the United States, Germany, Canada and the UK.
Who is responsible for this massive ransomware campaign remains unclear. OVHcloud initially attributed this campaign to the Nevada ransomware group, although it later retracted the claim.
Security researcher Enes Sonmez has released a guide that may enable VMware administrators targeted by these attacks to rebuild their virtual machines and retrieve their data for free.
Overall, the ransomware campaign does not seem to have been very successful, with just four ransom payments totalling $88,000 reported by the Ransomwhere ransom payment tracking service.
VMware advises users to apply the latest security updates and to disable the vulnerable Service Location Protocol (SLP) service on internet-exposed ESXi servers. The company clarified that the attackers are not exploiting a zero-day vulnerability, and that the SLP service is disabled by default in ESXi updates released after 2021.
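A way to audit whether the SLP mitigation described above is actually in place on an ESXi host, as an added example that is not VMware's or CERT-FR's own code: the three states it checks (slpd disabled at boot, the CIMSLP firewall ruleset closed, slpd not running) correspond to the disable steps in VMware KB 76372, and the function names and the constructed command outputs used for the offline check are this example's own.

```shell
#!/bin/sh
# Added example (not VMware's or CERT-FR's code). Audits SLP exposure on ESXi:
# the remediation commands quoted in the messages are the ones from VMware KB 76372.

# Classify a host from three facts and print a verdict.
# Returns 0 only when SLP is disabled at boot, firewalled and stopped.
slp_verdict() {
  boot="$1"; fw="$2"; running="$3"
  status=0
  [ "$boot" = "off" ] || { echo "slpd still enabled at boot (fix: chkconfig slpd off)"; status=1; }
  [ "$fw" = "false" ] || { echo "CIMSLP firewall ruleset open (fix: esxcli network firewall ruleset set -r CIMSLP -e 0)"; status=1; }
  [ "$running" = "stopped" ] || { echo "slpd currently running (fix: /etc/init.d/slpd stop)"; status=1; }
  [ "$status" -eq 0 ] && echo "SLP disabled: boot=off, firewall=closed, daemon=stopped"
  return "$status"
}

# Parsers for the raw output of the ESXi commands:
#   chkconfig --list                      -> lines like "slpd            on"
#   esxcli network firewall ruleset list  -> lines like "CIMSLP   true"
#   /etc/init.d/slpd status               -> "slpd is running" / "slpd is not running"
parse_boot()    { printf '%s\n' "$1" | awk '$1=="slpd"{print $2}'; }
parse_fw()      { printf '%s\n' "$1" | awk '$1=="CIMSLP"{print $2}'; }
parse_running() {
  case "$1" in
    *"not running"*) echo stopped ;;
    *running*)       echo running ;;
    *)               echo unknown ;;
  esac
}

# Combine the three command outputs into one verdict (exit 1 if anything is still on).
audit_outputs() {
  slp_verdict "$(parse_boot "$1")" "$(parse_fw "$2")" "$(parse_running "$3")"
}

# Live mode, run on the ESXi host itself:  sh audit_slp.sh --live
if [ "${1:-}" = "--live" ]; then
  audit_outputs "$(chkconfig --list)" "$(esxcli network firewall ruleset list)" "$(/etc/init.d/slpd status)"
fi
```

Disabling SLP is a workaround, not a substitute for the patch; hosts that fail this check should still be upgraded to a supported ESXi release.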
"Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)," VMware said.
"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities."
CERT-FR strongly advises applying the patches as soon as possible, as well as scanning unpatched systems for evidence of infection.