Questions about VMware ESXi servers exploit - [Thread Split]

[ForgottenSeer 69673]

Did they also say it was companies without endpoint protection?

I have not used VMWare in so many years, I cannot remember how it works. Does it work its sessions using the hard drive or does it only use RAM?


Mod Edit: Thread split from Security News - Thousands unpatched VMware ESXi servers hit by Ransomware

 

[ForgottenSeer 98186]

Did they also say it was companies without endpoint protection?

I have not used VMWare in so many years, I cannot remember how it works. Does it work its sessions using the hard drive or does it only use RAM?

At a very high level, it is a network attack on the same network segment upon which the ESXi instance is located. There is no malware in the sense that you are referring to that is involved. The attacker uses specialized software to create specially constructed packets that it forwards to port 427. Once the packet is received it creates a memory exploit.

Some ESXi (a VMWare platform that hosts virtual machines and other VMWare products) instances were exposed directly to the internet and configured in a way that gave anybody who scanned for port 427 an open door.

Once the threat actor was inside they ran processes to encrypt VMWare file types. So technically, there is malicious code that executes, but it is on the ESXi platform. That platform does not have any endpoint protection or security software on it. Its protections are based solely upon proper and secure configuration and a well-protected network.

This is the Proof-of-Concept that was published on the internet (Medium.com) for months before VMWare issued a patch:

Did they also say it was companies without endpoint protection?

I have not used VMWare in so many years, I cannot remember how it works. Does it work its sessions using the hard drive or does it only use RAM?

It is a network attack that results in a memory exploit, then malicious code is run in-memory.

 

[ForgottenSeer 69673]

It is a network attack that results in a memory exploit, then malicious code is run in-memory.

Thank you. And so even after a reboot, does the exploit remains active?

 

[ForgottenSeer 98186]

Thank you. And so even after a reboot, does the exploit remains active?

The ESXi host can be rebooted, but by then, in this particular case, the VMWare file types have already been encrypted.

The exploit is always there until ESXi is patched. If the connection is lost, the attackers can just send another malicious packet after the reboot and re-exploit the system.

 

[ForgottenSeer 69673]

The ESXi host can be rebooted, but by then, in this particular case, the VMWare file types have already been encrypted.

The exploit is always there until ESXi is patched. If the connection is lost, the attackers can just send another malicious packet after the reboot and re-exploit the system.

How would this work?

1. Windows 11 Enterprise
2. Install a VM that is not VMWare, that uses very little resources and is set to only run on RAM by committing the files I chose to the hard drive.
3. Install a whitelisting firewall, allowing only access to Edge set to max for inbound and outbound.
4. Install Appguard with lots of tweaks.
5. install VMware inside the first running VM.
6. Make a full disk image with say Marcrium Reflect.
7. When rebooting, all changes to the host VM deletes all changes to the hard drive. Including the VMWare session and program.
8. Restore Image to get your VMWare setup back.

 

[ForgottenSeer 98186]

How would this work?

1. Windows 11 Enterprise
2. Install a VM that is not VMWare, that uses very little resources and is set to only run on RAM by committing the files I chose to the hard drive.
3. Install a whitelisting firewall, allowing only access to Edge set to max for inbound and outbound.
4. Install Appguard with lots of tweaks.
5. install VMware inside the first running VM.
6. Make a full disk image with say Marcrium Reflect.
7. When rebooting, all changes to the host VM deletes all changes to the hard drive. Including the VMWare session and program.
8. Restore Image to get your VMWare setup back.

The exploit is of ESXi. ESXi is not an application. It is not installed onto nor operates on an operating system. It is installed directly onto the hardware and integrates with it as it is a hypervisor.

 

[ForgottenSeer 69673]

The exploit is of ESXi. ESXi is not an application. It is not installed onto nor operates on an operating system. It is installed directly onto the hardware and integrates with it as it is a hypervisor.

Oh, I am sorry. I thought said its payload was in RAM. I guess I should stay out of these discussions.

 

[ForgottenSeer 98186]

Oh, I am sorry. I thought said its payload was in RAM. I guess I should stay out of these discussions.

You got it right. The malicious code is run in ESXi memory space. Then it encrypts the VMware (virtual machine) file types. Since the threat actor has access they can potentially "download" and run additional malicious code to do things such as attain persistence or pivot in the network.

At least you are thinking about it and trying to figure it out. That's important.

 

[ForgottenSeer 69673]

You got it right. The malicious code is run in ESXi memory space. Then it encrypts the VMware (virtual machine) file types. Since the threat actor has access they can potentially "download" and run additional malicious code to do things such as attain persistence or pivot in the network.

At least you are thinking about it and trying to figure it out. That's important.

Ok then. In the setup I suggested, the files would not be encrypted on the host at all. Only the first VM's RAM and after reboot, the entire system would be normal again. Think Shadow Defender and of course Appguards memory guard. Also with the firewall setup, they would not be able to download new code.
Actually, this is my current setup. The only thing is, I use Virtual Box instead of VMWare.

The reason I use this setup is for two reasons.

1. Even though my setup does not change much, except for adding a few LOLBINS now and then to Appguard, plus OS and Edge updates, I still like to test not only security software but persistent malware. I can't do that just running Shadow defender because some won't run at all in shadow mode and some require a reboot.
2. Using s full image, I do not have to reconfigure VBox every time I reboot. It not only comes back, but does so while in shadow mode.

 

[ForgottenSeer 98186]

Ok then. In the setup I suggested, the files would not be encrypted on the host at all. Only the first VM's RAM and after reboot, the entire system would be normal again. Think Shadow Defender and of course Appguards memory guard. Also with the firewall setup, they would not be able to download new code.
Actually, this is my current setup. The only thing is, I use Virtual Box instead of VMWare.

There files encrypted are not the files located inside a running VM. What gets encrypted are the VMWare file types on the ESXi platform. The virtual machines are not attacked. What is attacked is the ESXi platform upon which they are hosted and run.

There is no ESXi security software as it is not running in Windows. To compare to you running VMWare on Windows, what is attacked is Windows host, and then the .

• Vmdk
• Vmx
• Vmxf
• Vmsd
• Vmsn
• Vsqp
• Vmss
• Nvram

files are encrypted.

 

[ForgottenSeer 69673]

There files encrypted are not the files located inside a running VM. What gets encrypted are the VMWare file types on the ESXi platform. The virtual machines are not attacked. What is attacked is the ESXi platform upon which they are hosted and run.

There is no ESXi security software as it is not running in Windows. To compare to you running VMWare on Windows, what is attacked is Windows host, and then the .

• Vmdk
• Vmx
• Vmxf
• Vmsd
• Vmsn
• Vsqp
• Vmss
• Nvram

files are encrypted.

I digress, I do understand it is running in RAM not the OS. I will now leave this thread.

 

[JohhnyJo]

Hi. I have a very basic question. From what I have read, it seems these unpatched servers were directly attacked remotely through the internet via port 427. So unlike other ransomware attacks, the malware did not get into the network through phishing or from an employee accidentally downloading malicious files. Is this correct?

 

[ForgottenSeer 98186]

Hi. I have a very basic question. From what I have read, it seems these unpatched servers were directly attacked remotely through the internet via port 427. So unlike other ransomware attacks, the malware did not get into the network through phishing or from an employee accidentally downloading malicious files. Is this correct?

ESXi is not a desktop enviornment. It is a hypervisor installed directly onto the hardware. So there is no user sitting in front of the box using it for things such as web browsing and email or file download and execution. There is no Windows installed onto ESXi. ESXi is a "server" that hosts VMWare virtual machines. The virtual machines were not exploited, but the hosting ESXi subsystem itself.

ESXi servers were directly connected to the internet on port 427. The attackers sent specially crafted packets that performed a heap-overflow, which is a memory exploit. Afterwards, they sent malicious code that was executed in memory and encrypted VMWare file types on the ESXi system. Curiously, they did not encrypt the virtual machine files, but instead only the files which are needed to make it all work. This is big part of the reason why a recovery script is available and works.