Thousands unpatched VMware ESXi servers hit by Ransomware

LASER_oneXM

Late last week, unknown attackers launched a widespread ransomware attack hitting VMware ESXi hypervisors via CVE-2021-21974, an easily exploitable vulnerability that allows them to run exploit code remotely, without prior authentication.

Patches for CVE-2021-21974, a vulnerability in ESXi’s OpenSLP service, were provided by VMware two years ago, and this attack has revealed just how many servers out there are still unpatched, with the SLP service still running and the OpenSLP port (427) still exposed.

The attack is ongoing

The French CERT (CERT-FR) and French cloud computing company OVH were the first to sound the alarm on Friday evening, positing that the attackers are exploiting CVE-2021-21974 and urging owners of unpatched and still unaffected servers to quickly patch or disable the SLP service.

On Sunday, the computer security incident response team of Italy’s National Cybersecurity Agency (ACN) echoed the warning.
 

Ink

Interesting details from another source.
At the time of writing, many antivirus engines cannot detect the ESXiArgs malware.

Government agencies in the United States and Europe are looking into these attacks and assessing their impact.

While the malware does not appear to have file exfiltration capabilities, the ransom note dropped in the ESXiArgs attack informs victims that their data will be sold unless a payment is made. Victims are instructed to pay 2 bitcoins ($48,000) to receive the encryption key needed to recover files.

Ransomware expert Soufiane Tahiri has been keeping track of the Bitcoin wallet addresses used by the cybercriminals.
Source: VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
 

Gandalf_The_Grey

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by the recent widespread ESXiArgs ransomware attacks.

Starting last Friday, exposed VMware ESXi servers were targeted in a widespread ESXiArgs ransomware attack.

Since then, the attacks encrypted 2,800 servers according to a list of bitcoin addresses collected by CISA technical advisor Jack Cable.

While many devices were encrypted, the campaign was largely unsuccessful as the threat actors failed to encrypt flat files, where the data for virtual disks are stored.

This mistake allowed Enes Sonmez & Ahmet Aykac of the YoreGroup Tech Team to devise a method to rebuild virtual machines from unencrypted flat files.

This method has helped numerous people recover their servers, but the process has been complicated for some, with many people asking for help in our ESXiArgs support topic.
 

Shadowra

Cybercriminals are actively exploiting a two-year-old VMware vulnerability as part of a ransomware campaign targeting thousands of organizations worldwide.

Reports emerged over the weekend that VMware ESXi servers left vulnerable and unpatched against a remotely exploitable bug from 2021 were compromised and scrambled by a ransomware variant dubbed “ESXiArgs.” ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server.

France’s computer emergency response team CERT-FR reports that the cybercriminals have been targeting VMware ESXi servers since February 3, while Italy’s national cybersecurity agency ACN on Sunday warned of a large-scale ransomware campaign targeting thousands of servers across Europe and North America.


U.S. cybersecurity officials have also confirmed they are investigating the ESXiArgs campaign. “CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed,” a CISA spokesperson told TechCrunch. “Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”

Italian cybersecurity officials warned that the ESXi flaw could be exploited by unauthenticated threat actors in low-complexity attacks, which don’t rely on using employee passwords or secrets, according to the Italian ANSA news agency. The ransomware campaign is already causing “significant” damage due to the number of unpatched machines, local press reported.

More than 3,200 VMware servers worldwide have been compromised by the ESXiArgs ransomware campaign so far, according to a Censys search (via Bleeping Computer). France is the most affected country, followed by the U.S., Germany, Canada and the United Kingdom.

It’s not clear who is behind the ransomware campaign. French cloud computing provider OVHCloud backtracked on its initial findings suggesting a link to the Nevada ransomware variant.


A copy of the alleged ransom note, shared by threat intelligence provider DarkFeed, shows that the hackers behind the attack have adopted a “triple-extortion” technique, in which the attackers threaten to notify victims’ customers of the data breach. The unknown attackers are demanding 2.06 bitcoin — approximately $19,000 in ransom payments — with each note displaying a different bitcoin wallet address.

Source
 

Gandalf_The_Grey

New ESXiArgs ransomware version prevents VMware ESXi recovery
New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines.

Last Friday, a massive and widespread automated ransomware attack encrypted over 3,000 Internet-exposed VMware ESXi servers using a new ESXiArgs ransomware.

Preliminary reports indicated that the devices were breached using old VMware SLP vulnerabilities. However, some victims have stated that SLP was disabled on their devices and were still breached and encrypted.
With SLP disabled, it becomes even more confusing as to how this server was breached.

BleepingComputer still recommends attempting to recover encrypted ESXi servers using CISA's recovery script.

However, it will likely no longer work if you were infected in the second wave of attacks using the new encryption routine.

If you have any questions or need support on the ESXiArgs ransomware, we have a dedicated support topic in our forums.
 

ForgottenSeer 98186



CISA has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.

CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is fit for attempting to recover access to files in their environment.

Organizations can access the recovery script here: GitHub - cisagov/ESXiArgs-Recover: A tool to recover from ESXiArgs ransomware
 

upnorth

Quote: "

How to scan ESXi systems using THOR

More and more often, adversaries target and exploit Internet-facing appliances or devices with exotic or restricted operating systems. Users ask if there is a way to run a compromise assessment scan on these systems with the YARA rules used in THOR.

Following up on the exploitation of Internet-facing ESXi servers, this blog post describes ways to remotely scan remote systems like an ESXi using THOR or the free THOR Lite YARA and IOC scanners. This method can also be used to scan other devices usually unsupported by real-time Antivirus engines or EDRs, e.g. Citrix Netscaler gateways.
So, we plan to mount the remote file system using SSH (SSHFS) and then we instruct THOR to scan the mounted remote filesystem.


Prerequisites

  • We need to reach port 22/tcp on the target system
  • A source system with support for sshfs (on Debian use: sudo apt install sshfs to install it)
  • A version of THOR Lite or the full THOR with a lab license

Mounting the Remote File System via SSH

First we create a new folder and mount the remote file system to that local folder:
Code:
sudo mkdir -p /mnt/esx
sudo sshfs -o reconnect root@esx1.company:/ /mnt/esx

The -o reconnect option makes sure to reconnect the

Scanning the Mount Point with THOR Lite

With THOR Lite we can now run a so-called “Filescan” on the mounted drive.
Code:
sudo ./thor-lite-linux-64 -a FileScan --alldrives -p /mnt/esx
The following scan is much more intense as it scans every single file regardless of its extension or type. Scanning every file usually leads to much longer scan times and higher network load. (be careful when using the --intense flag)
Code:
sudo ./thor-lite-linux-64 -a FileScan --alldrives -p /mnt/esx --intense

Scanning the Mount Point with THOR

With a full featured THOR and a so-called Lab license we can use the --virtual-map flag to virtually map the folder /mnt/esx to / internally. This means that signatures and filename patterns make use of the virtual and not the actual path. We can also define a hostname that will appear in the log file using the -j flag. Otherwise the log would always contain the hostname of the scanning workstation.
Code:
sudo ./thor-linux-64 -a FileScan --alldrives -p /mnt/esx --virtual-map /mnt/esx:/ -j esx1
Using the full version, we would use a different flag combination for a more intense scan of the remote system. The full version with a lab license allows us to use the --lab flag.
Code:
sudo ./thor-linux-64 --lab -p /mnt/esx --virtual-map /mnt/esx:/ -j esx1
The --lab flag automatically activates the intense scan mode that checks every file, multi-threaded scanning, deactivates resource control and some other flags that can be useful in a lab scanning scenario.

Example Match

The following screenshot shows an example match on a malware found on systems affected by the ESXiArgs attacks. The rules and IOCs for this attack are available in THOR and the free THOR Lite version.


Other Notes

  • Test scans on our internal ESX/ESXi systems took between 8 and 30 minutes. (scans via VPN)
  • A network disconnect only pauses the scan, a forced umount crashes the scanner.
  • We tested network disconnects of 1 and 5 minutes. After a reconnect THOR just resumes the scan where it left off.

Advantages of the full THOR version

Apart from the usual advantages of the full THOR version over THOR Lite, there are a few more reasons to use the full version in this scenario:
  • Use multiple instances on a single source system to scan many different remote systems at the same time
  • Use virtual drive mapping to allow for additional detection opportunities
  • Set a custom host name that appears in the log files (helpful when you scan many different targets) "
Source:
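A wrapper around the mount-and-scan procedure quoted above, added here as an example (it is not part of the quoted Nextron post and not a THOR or sshfs tool). It checks that the sshfs mount is really present before scanning, so a failed mount cannot produce a false "clean" result from an empty local directory, and releases the mount only after THOR has exited, since the post notes a forced umount crashes the scanner. The host esx1.company and the mount point are placeholders; sshfs and fusermount come from the FUSE package, and the THOR binaries are assumed to be in the current directory.

```shell
#!/bin/sh
# Added example: sshfs mount + THOR scan of a remote ESXi host, with safety checks.
# Run as root (sshfs and THOR were run with sudo in the quoted post).
MOUNT_POINT="${MOUNT_POINT:-/mnt/esx}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"   # overridable for offline testing

# Return 0 only if $1 is listed as a FUSE sshfs mount in the mounts table.
sshfs_mounted() {
    awk -v mp="$1" '$2 == mp && $3 ~ /fuse\.sshfs/ { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Build the THOR command line for mount point $1.
# Modes (flags taken from the quoted post): lite, intense (THOR Lite, every file),
# lab (full THOR with lab license, virtual path mapping and log hostname $3).
thor_cmd() {
    mp="$1"; mode="${2:-lite}"; logname="${3:-esx}"
    case "$mode" in
        lite)    printf '%s\n' "./thor-lite-linux-64 -a FileScan --alldrives -p $mp" ;;
        intense) printf '%s\n' "./thor-lite-linux-64 -a FileScan --alldrives -p $mp --intense" ;;
        lab)     printf '%s\n' "./thor-linux-64 --lab -p $mp --virtual-map $mp:/ -j $logname" ;;
        *)       echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Mount the remote root over SSH, scan it, then unmount. Returns THOR's exit code.
scan_remote_esxi() {
    host="$1"; mode="${2:-lite}"
    mkdir -p "$MOUNT_POINT"
    # reconnect plus SSH keepalives: a short network drop pauses the scan instead of killing it
    sshfs -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3 \
        "root@$host:/" "$MOUNT_POINT" || return 1
    if ! sshfs_mounted "$MOUNT_POINT"; then
        echo "$MOUNT_POINT is not an sshfs mount, refusing to scan" >&2
        return 1
    fi
    cmd=$(thor_cmd "$MOUNT_POINT" "$mode" "$host") || return 1
    sh -c "$cmd"
    rc=$?
    # Unmount only after the scanner has exited; a forced umount mid-scan crashes THOR.
    fusermount -u "$MOUNT_POINT"
    return $rc
}
```

Usage: `scan_remote_esxi esx1.company intense` for the every-file THOR Lite scan, or `scan_remote_esxi esx1.company lab` with the full version.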
 

upnorth

That didn't take long.

A week after the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI released a recovery script to help victims of the widespread ESXiArgs ransomware attacks recover infected systems, an updated variant of the malware aimed at vulnerable VMware ESXi virtual machines can't be remediated with the government agencies' code, according to Malwarebytes.

The variant can't be decrypted using the script released to GitHub by CISA because, unlike earlier versions, it doesn't leave large sections of data unencrypted, according to Pieter Arntz, a malware analyst at Malwarebytes.
 
