What Happened?
On February 3, 2023, attackers were actively targeting VMware ESXi servers left unpatched against a two-year-old remote code execution vulnerability in order to deploy new ESXiArgs ransomware.
ESXiArgs is a ransomware attack that targets VMware ESXi servers globally. It uses an exploit to gain access to the servers and then encrypts the virtual machines hosted on them. The attackers then demand a ransom payment for the decryption of the data. The attack appears to be carried out by a well-funded and organized group and is highly effective, as ESXi servers are often used in critical infrastructure and can be difficult to secure.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks. To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven’t yet been updated.
CVE-2021-21974 affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
On February 3, 2023, BleepingComputer posted an extensive blog on this matter, titled “Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide”.
That article reports on a widespread ransomware attack targeting VMware ESXi servers globally and explains how the attack uses a new strain of ransomware named ESXiArgs, which encrypts servers and demands a ransom payment in return for the decryption key. The article provides technical details on ESXiArgs and stresses the importance of keeping software up to date and implementing strong security measures to prevent such attacks.
Several affected VMware customers have been posting about their experiences in this BleepingComputer forum thread.
On February 4, 2023, Darkfeed, a ransomware monitoring platform, posted on Twitter that “🌐 A quick search in @shodanhq shows that the spread is extensive, a total of 327, but we are sure there is more 🧐 The most targeted system is from France 🇫🇷 on OVHcloud and Hetzner hosting. But they have hit other hosting and cloud companies around the world 🌎”
OVHcloud published a detailed post on the issue on February 3, 2023, noting that a wave of cyberattacks is currently aimed at ESXi servers and that, although no OVHcloud managed services are affected by this attack, many customers run ESXi on their own servers. The post then provides recommendations on how to address the issue, including that OVHcloud Bare Metal customers using ESXi should take the following emergency measures:
- Disable the OpenSLP service on the server or limit access to only trusted IP addresses (https://kb.vmware.com/s/article/76372).
- Upgrade your ESXi to the latest security patch.
- Ensure your data is backed up (preferably on immutable storage).
- Only activate necessary services and use ACL to filter access to trusted IP addresses only.
- Monitor your system for any unusual activity.
They also note that their clients using VMware Private Cloud are not affected as the SSL gateway, by design, blocks external access to the OpenSLP port (427) and protects against this type of attack.
Mitigation and Remediation
In cases where patching CVE-2021-21974 will take time, note that VMware has also published workarounds to mitigate the risk of exploitation. As mentioned in the OVHcloud recommendations, the corresponding KB (76372) can be found here: https://kb.vmware.com/s/article/76372
Note that KB82705 also documents the steps to apply the ESXi hot patch asynchronously on top of the latest VMware Cloud Foundation (VCF) supported ESXi build. The link to VMware’s full advisory and downstream recommendations in response to the CVE can be found here: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
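As an added example (not part of the original post or of any vendor tooling), the following Python triage helper applies the affected-version list above and the OVHcloud/KB76372 "disable OpenSLP" measure to captured ESXi shell output. It assumes the `esxcli system version get` and `esxcli network firewall ruleset list` output formats, and the `CIMSLP` ruleset name used in VMware's KB76372 workaround; the sample outputs are constructed. Only the 7.x fix carries a build number on this page, so 6.7/6.5 hosts are flagged for a manual patch-level check rather than compared numerically.

```python
import re

# Fixed 7.x build named in the advisory (ESXi70U1c-17325551); 6.7 and 6.5
# fixes are named by patch id only, so those branches get a manual check.
FIXED_7X_BUILD = 17325551
PATCH_IDS = {"6.7": "ESXi670-202102401-SG", "6.5": "ESXi650-202102101-SG"}

# Constructed sample of `esxcli system version get` from an unpatched 7.0 host.
SAMPLE_VERSION = """\
   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17168206
   Update: 1
   Patch: 0
"""

# Constructed sample of `esxcli network firewall ruleset list` (trimmed).
SAMPLE_RULESETS = """\
Name        Enabled
----------  -------
sshServer   true
CIMSLP      true
webAccess   true
"""

def parse_version(text):
    """Return (version string, integer build) from `esxcli system version get`."""
    fields = dict(re.findall(r"^\s*(\w+): (.+?)\s*$", text, re.M))
    build = int(re.search(r"(\d+)", fields["Build"]).group(1))
    return fields["Version"], build

def cve_2021_21974_status(version, build):
    """Classify a host against the affected-version list in the advisory."""
    parts = version.split(".")
    if parts[0] == "7":
        return "vulnerable" if build < FIXED_7X_BUILD else "patched"
    branch = ".".join(parts[:2])
    if branch in PATCH_IDS:
        return f"verify patch level against {PATCH_IDS[branch]}"
    return "not in affected list"

def slp_ruleset_enabled(text):
    """True if the CIMSLP firewall ruleset (SLP, port 427) is still enabled,
    i.e. the KB76372 workaround has not been applied on this host."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 2 and cols[0] == "CIMSLP":
            return cols[1].lower() == "true"
    return False

def triage(version_text, ruleset_text):
    """Combine both checks into one finding with a recommended next step."""
    version, build = parse_version(version_text)
    status = cve_2021_21974_status(version, build)
    slp_open = slp_ruleset_enabled(ruleset_text)
    if status == "patched":
        action = "none"
    elif slp_open:
        action = "disable SLP per KB76372 now, then patch"
    else:
        action = "SLP workaround in place; schedule patch"
    return {"version": version, "build": build, "status": status,
            "slp_ruleset_enabled": slp_open, "action": action}
```

Feed it real output from `esxcli` on each host, then confirm with `chkconfig --list | grep slpd` that the service itself is stopped, not just firewalled.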
Armis is Here to Help
Current Armis customers can run the following ASQ to determine whether they have systems susceptible to this vulnerability:
in:devices operatingSystem:(version:(7.%,6.7,6.5) name:"VMware ESXi")
In addition, Armis customers can use this ASQ to determine if the affected devices are listening on port 443 or 427:
in:ipConnections timeFrame:"7 Days" endpointB:(role:Server device:(operatingSystem:(name:"VMware ESXi" version:(7.%,6.7,6.5)))) serverPort:443,427
If you are not an Armis customer, we can still help. We offer a free Quick Asset Visibility Assessment using the Armis platform to help you find and identify assets affected by ESXiArgs ransomware. Our platform works with your existing infrastructure to ensure you have a complete, real-time asset inventory you can rely on.
Given the growing number of cyber attacks, in addition to the ongoing threat campaigns from cybergangs and other bad actors, the ability to monitor and secure every asset is critical to protecting ongoing operations. Armis can provide the unified visibility and security you need to stay protected.
Let an Armis expert help you get started in as little as 30 minutes. Get an Armis Quick Asset Visibility Assessment