The malware has affected thousands of VMware ESXi hypervisors in the last few days.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script for victims of the ESXiArgs ransomware variant that affected thousands of organizations worldwide this week.

CISA's ESXiArgs-Recover tool is available for free on GitHub and organizations can use it to attempt the recovery of configuration files on vulnerable VMware ESXi servers that the ransomware variant might have encrypted. Some organizations that used the tool have successfully recovered their encrypted files without having to pay a ransom, the agency noted.

However, any cybersecurity team that plans to use the tool should first make sure they understand how it works before attempting to recover files that EXSIArgs might have encrypted, CISA cautioned. "CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is \[a\] fit," for their environments, it noted.

ESXiArgs is a ransomware variant that France's Computer Emergency Response Team (CERT) first spotted Feb. 3 targeting VMware ESXi hypervisors worldwide. The malware exploits a 2-year old — and long-patched — remote code execution vulnerability (CVE-2021-21974) in Open Service Location Protocol (OpenSLP), an ESXi service for resolving network addresses.

**What is ESXiArgs?**

ESXiArgs has already infected more than 3,000 unpatched servers in the US, Canada, and multiple other countries. Victims have reported receiving a ransom demand of around 2 Bitcoin (or around $22,800 at press time) for the decryption key. Affected organizations have also reported the threat actor behind the campaign warning them to pay up within three days or risk having their sensitive information released publicly.

Security researchers that have analyzed ESXiArgs describe the malware's encryption process as specifically targeting virtual machine files so as to render the system unusable. In an alert earlier this week, Rapid 7 reported the malware was trying to shut down virtual machines by killing a specific process in the virtual machine kernel that handles I/O commands. In some cases, though, the malware was only partially successful in encrypting files and gave victims a chance to recover data, according to Rapid7.

In a Feb. 8 update, Rapid7 said its threat intelligence shows that multiple ransomware groups, in addition to the operator of ESXiArg, are targeting CVE-2021-21974 and other VMware ESXi vulnerabilities.

**Recovery Tool Based on Published Information**

CISA's recovery script is based on the work of two security researchers — Enes Sonmez and Ahmet Aykac — who showed how victims of ESXiArgs could reconstruct virtual machine metadata from disks that the ransomware might have failed to encrypt.

"This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs," CISA said. "While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit."

VMware itself has urged organizations to implement the patch it issued two years ago for the flaw that ESXiArgs is exploiting. As a temporary measure, organizations that have not patched the flaw should disable ESXi's service location protocol (SLP) to mitigate the risk of attack via ESXiArgs, VMware said. Another measure: Disable port 427 (the one SLP uses), where possible, Singapore's SingCERT advised in a notice.

CISA Releases Recovery Script for Victims of ESXiArgs Ransomware

By Deeba Ahmed
The refutation came days after Europe and North America were rattled by ESXiArgs Ransomware attacks.
This is a post from HackRead.com Read the original post: VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks

Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has refuted claims that two-year-old vulnerabilities have been exploited in the ongoing ESXiArgs ransomware attacks.

Over the weekend, reports emerged about cybercriminals exploiting a two-year-old vulnerability in virtualization services provider VMware in a ransomware campaign. French CERT (Computer Emergency Response Team) **said** the campaign has been active since February 3rd, 2023.

Moreover, Italy’s ACN (National Cybersecurity Agency) **issued** a warning about a large-scale ransomware campaign. The agency noted that attackers were aiming to target thousands of organizations across Europe and North America.

It was also reported that VMware’s ESXi servers were vulnerable, as these had not been patched against a remotely exploitable flaw discovered in 2021. Attackers compromised the server and added a ransomware variant called ESXiArgs.

For your information, ESXi is VMware’s hypervisor technology, which allows organizations to host multiple virtualized computers running multiple operating systems on a single physical server.

The vulnerability is tracked as **CVE-2021-21974** and assigned a CVSS rating of 8.8. It is an OpenSLP heap-based buffer overflow flaw, which an unauthorized actor can exploit to gain remote code execution. A fix for it was released on February 23, 2021, by VMware.

However, on Monday, VMware denied the news and stated they could not find any evidence that threat actors were trying to leverage a zero-day in its software in a worldwide active ransomware campaign.

“Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” said Edward Hawkins, the High-Profile Product Incident Response Manager at VMware in a **blog post**.

The company has advised its customers to upgrade to its latest vSphere components release to mitigate the threat. Furthermore, the company recommends disabling the OpenSLP service in ESXi. It is worth noting that the service was disabled by default in ESXi 7.0 U2c and ESXi 8.0 GA, shipped in 2021.

According to GreyNoise data, 19 unique IP addresses have attempted to exploit the ESXi vulnerability since February 4, 2023. Eighteen IP addresses were classified as benign, whereas one instance of malicious exploitation of the issue was reported in the Netherlands.

The intrusion involved exploiting the already-susceptible ESXi servers, which were exposed to the internet on the OpenSLP port 427. The victims were asked to pay 2.01 Bitcoin or $45,990 in exchange for the encryption key for file recovery. But so far, there are no reports of data exfiltration.

The alleged ESXiArgs ransomware (Source: DarkFeed)

The U.S. CISA is investigating the ESXiArgs campaign. According to the agency’s spokesperson, they have collaborated with private and public sector partners to analyze the impact of the reported incidents and offer assistance where required.

“Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI,” they added.

1.  **Shipping Software Hit by Ransomware Attack**
2.  **Royal Ransomware Spreading Through Google Ads**
3.  **COVID-19 Tracking App Drops Punisher Ransomware**
4.  **Ransomware Gang Leaks Medibank Data on Dark Web**
5.  **US Charges Iranian Hackers Over Ransomware Attacks**

VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks

For the moment, victims can decrypt data without paying a ransom. But Clop is a ransomware variant that has caused havoc on Windows systems, so that's bound to change.

A newly spotted version of the prolific Clop ransomware family holds both good and bad news for security teams.

The good news is the malware is faulty, and victims can relatively easily decrypt any data it encrypts without first having to pay a ransom for a decryption key. The bad news is the new malware also is the first Linux version of Clop, a particularly nasty ransomware variant associated with numerous high-profile attacks that have netted its operators hundreds of millions of dollars.

**Faulty Encryption**

Researchers from SentinelOne's SentinelLabs threat hunting team observed the latest Clop variant targeting Linux systems at a university in Colombia. Samples that the company analyzed showed the Linux code to have a similar logic as its more pernicious Windows relative, with minor differences involving API calls and other features unique to the different operating systems.

SentinelOne's analysis showed Clop's Linux version is still likely only in its initial development stages and missing many of the obfuscation and evasive capabilities that are present in Windows' versions of the malware. The security vendor assessed that the reason for this might have to do with the fact that not one of the 64 virus-detection engines on Virus Total are currently able to detect the Linux Clop variant.

Significantly, SentinelOne's researchers found the encryption logic in the Linux variant to be flawed. "The issue boils down to a couple of key differences between the Windows and Linux variants," says Antonis Terefos, threat intelligence researcher at SentinelOne.

The Linux version includes a hardcoded master key, which, when extracted, allows for decryption, he says. "The flaw allows for the simple extraction or discovery of what the RC4 'master key' is for a given sample," he notes, adding that SentinelOne has released a free decryptor for the variant.

The Windows version, on the other hand, contains a number of validation steps, along with a different key generation process, making it hard to retrieve the master key in similar fashion. Specifically, the Windows version generates an RC4 key for each encrypted file on a compromised system and then encrypts the encryption key itself and stores it on the system. Victims who pay the ransom receive a decryption key for decrypting the RC4 key, which is then used to decrypt the actual data.

**Other Differences Between Windows & Linux Clop Versions**

SentinelOne also discovered other differences between the Windows and Linux variants of Clop. The Windows variant, for instance, includes logic that excludes specific files, folders, and extensions on a system from encryption. With the Linux variant, on the other hand, paths targeted for encryption are hardcoded into the malware, Terefos says: "Therefore, there is no need to 'exclude' unwanted locations."

The new Clop version adds to a growing list of ransomware variants targeting Linux systems; other examples include Hive, Smaug, Snake, and Quilin. Researchers from Trend Micro who have been tracking the trend, reported a 75% increase in ransomware attacks that targeted Linux systems in the first half of 2022 compared with the prior year. In a September report, the security vendor reported observing some 1,960 instances where a threat actor used Linux ransomware in an attack attempt, compared with 1,121 in the same period in 2021.

**Mounting Attacker Interest in Linux Malware**

Since then, the situation has only gotten worse for Linux systems. During 2022 as a whole, Trend Micro identified some 27,602 attacks involving Linux malware, says Jon Clay, vice president of threat intelligence at Trend Micro. That represented a 628% increase over 2021, he notes, adding, "we are seeing many more ransomware groups targeting Linux systems."

The attacks are part of a broader increase in all kinds of malware targeting Linux environments, Clay says. As one example, he points to a 61% increase in cryptominers targeting Linux from 2021 to 2022. Others such as VMware have noted an increase in different kinds of malware tools targeting virtual machines and containers via Linux hosts. In a report last year, the company reported identifying more than 14,000 instances where attackers attempted to deploy the Cobalt Strike post-exploit toolkit on a Linux host.

Attacks targeting Windows systems continue to outnumber those directed at Linux environments by orders of magnitude. Still, the growing attacker interest in Linux is something enterprises cannot ignore. 

"Linux and cloud devices offer a rich pool of potential victims," Terefos says. "In recent years, many organizations have shifted toward cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks."

The rise in cross-platform programming languages such as Rust and Go are another factor in the mix because they have lowered the barrier of porting malware to other platforms, Terefos notes. "We've seen this with other groups like Hive, Royal, LockBit, Agenda, etc. Successfully targeting cloud environments is an operational necessity for the future success of these groups."

Fresh, Buggy Clop Ransomware Variant Targets Linux Systems

The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.

Organizations using older versions of VMWare ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed "End of General Support (EOGS) and/or significantly out-of-date products" continues.

However, the onslaught also points out wider problems in locking down virtual environments, the researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or "zero-day" flaw, but rather previously identified vulnerabilities that already have been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed "ESXiArgs" is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi, something VMware began doing by default in shipped versions of the project starting in 2021 with ESXi 7.0 U2c and ESXi 8.0 GA, to mitigate the issue.

**Unpatched Systems Again in the Crosshairs**

VMware's confirmation means that the attack by as-yet unknown perpetrators that's so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US may have been avoided by something that all organizations clearly need to do better — patch vulnerable IT assets — security experts said.

"This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in," notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It's a "sad truth" that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and security strategist for security exposure management firm Tenable**.**

"This puts organizations at incredible jeopardy of being successfully penetrated," he tells Dark Reading. "In this case, with the … VMWare vulnerability, the threat is immense given the active exploitation."

However, even given the risks of leaving vulnerable systems unpatched, it remains a complex issue for organizations to balance the need to update systems with the effect the downtime required to do so can have on a business, Montel acknowledges.

"The issue for many organizations is evaluating uptime, versus taking something offline to patch," he says. "In this case, the calculation really couldn’t be more straightforward — a few minutes of inconvenience, or days of disruption."

**Virtualization Is Inherently a Risk**

Other security experts don't believe the ongoing ESXi attack is as straightforward as a patching issue. Though lack of patching may solve the problem for some organizations in this case, it's not as simple as that when it comes to protecting virtualized environments in general, they note.

The fact of the matter is that VMware as a platform and ESXi in particular are complex products to manage from a security perspective, and thus easy targets for cybercriminals, says David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary. Indeed, multiple ransomware campaigns have targeted ESXi in the past year alone, demonstrating that savvy attackers recognize their potential for success.

Attackers get the added bonus with the virtualized nature of an ESXi environment that if they break into one ESXi hypervisor, which can control/have access to multiple virtual machines (VMs), "it could be hosting a lot of other systems that could also be compromised without any additional work," Maynor says.

Indeed, this virtualization that's at the heart of every cloud-based environment has made the task of threat actors easier in many ways, Montel notes. This is because they only have to target one vulnerability in one instance of a particular hypervisor to gain access to an entire network.

"Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything," he says. "If they are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection."

**How to Protect VMware Systems When You Can't Patch**

As the latest ransomware attack persists — with its operators encrypting files and asking for around 2 Bitcoin (or $23,000 at press time) to be delivered within three days of compromise or risk the release of sensitive data — organizations grapple with how to resolve the underlying issue that creates such a rampant attack.

Patching or updating any vulnerable systems immediately may not be entirely realistic, other approaches may need to be implemented, notes Dan Mayer, a threat researcher at Stairwell. "The truth is, there are always going to be unpatched systems, either due to a calculated risk taken by the organizations or due to resource and time constraints," he says.

The risk of having an unpatched system in and of itself may be mitigated then by other security measures, such as continuously monitoring enterprise infrastructure for malicious activity and being prepared to respond quickly and segment areas of attack if a problem arises.

Indeed, organizations need to act on the assumption that preventing ransomware "is all but impossible," and focus on putting tools in place "to lessen the impact, such as disaster recovery plans and context-switched data," notes Barmak Meftah, founding partner at cybersecurity venture capital firm Ballistic Ventures.

However, the ongoing VMware ESXi ransomware attack highlights another issue that contributes to an inherent inability for many organizations to take the necessary preventative measures: the skill and income gaps across the globe in the IT security realm, Mayer says.

"We do not have enough skilled IT professionals in nations where wealthy companies are targets," he tells Dark Reading. "At the same time, there are threat actors across the globe who are able to make a better living leveraging their skills to extort money from others than if they took legitimate cybersecurity work."

Mayer cites a report by the international cybersecurity nonprofit (ICS2) that said to secure assets effectively, the cybersecurity workforce needs 3.4 million cybersecurity workers. Until that happens, "we need to ramp up training these workers, and while the gap still exists, pay those with the skills around the world what they are worth, so they don’t turn to being part of the problem," Mayer says.

Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks

**LOS ALTOS, Calif.****,** **Feb. 7, 2023** **/PRNewswire/ --** Contrast Security (Contrast), the code security platform built for developers and trusted by security, today released its Cyber Bank Heists report, an annual report that exposes the cybersecurity threats facing the financial sector.

Authored by Contrast's Senior Vice President of Cyber Strategy Tom Kellermann, the report is a warning to global financial institutions (FIs) that security must be a top-of-mind issue amid rising geopolitical tensions, increased destructive attacks utilizing wipers and a record-breaking year of zero-day exploits. Financial sector security leaders from around the world - in a series of interviews - revealed specific trends when it comes to notable cyberattacks, e-fraud and cyber defense. Some of the most eye-opening results from the report include:

*   60% were victimized by destructive attacks
*   64% saw an increase in application attacks, while 50% experienced attacks against their APIs
*   48% experienced an increase in wire transfer fraud
*   50% have detected campaigns to steal non-public market information
*   54% of the banks were most concerned with the cyber threat posed by Russia
*   72% plan to invest more in application security in 2023

"The increase of online threats, phishing, ransomware attacks, account takeovers and business email compromises impacting the financial sector is growing every day and we can see in real-time the damage this is doing to the longevity of businesses and the impact it's having on our economy," said Derek Booth, Assistant to the Special-Agent-in-Charge, U.S. Secret Service and Head of the Mountain West Cyber Fraud Task Force. "I applaud Tom Kellermann for speaking with some of the most influential people within the sector to determine solutions that can better protect FIs against vulnerabilities in banks and methods of commerce through industry-wide transparency."

"The complexity of securing financial digital systems and the need to develop new ways to guard against sophisticated cyberattacks has increased exponentially in the last year. In response, FIs are fighting to evolve and create more effective prevention, detection and response to these damaging attacks," said Booth.

"Cybersecurity can no longer be viewed as an expense but rather a functionality of conducting business. Trust and confidence in the safety of FIs depend on effectively mitigating and responding to cyberattacks," said Kellermann.

The report provides helpful guidance, and specific defensive countermeasures to defend against growing cybercrime conspiracies and cyberespionage including:

1.  Deploy intelligent runtime protection
2.  Conduct weekly threat hunting
3.  Deploy AppSec for serverless platforms
4.  Defend your APIs
5.  Add a cybersecurity specialist to your board

"The financial sector needs to shift its thinking when it comes to attacks, as geo-political tensions manifest via cyberattacks. Cybercrime cartels are modernizing their criminal conspiracies so as to steal non-market information and destroy the integrity of sensitive data within financial institutions," said Kellermann. "This is no longer a question of duty of care but rather a duty of loyalty to the digital safety of customers. That is why the Cyber Bank Heists report not only highlights these trends but depicts countermeasures that can help institutions defend from within."

Booth will be joining Kellermann for a LinkedIn Live roundtable discussion at 9:00am PST on Tuesday, February 7 and a live webinar at 9:00am PST on Thursday, February 23 to discuss their reactions to the report and the financial security risks impacting organizations this year. Contrast also published a three-part blog series that dives deeper into cyberattack trends, e-fraud, and defensive shifts. 

To download the Cyber Bank Heists report, please visit https://www.contrastsecurity.com/cyberbankheistsreport. FIs can also request a demo of Contrast's financial capabilities by visiting https://www.contrastsecurity.com/solutions/financial-services. 

**About Cyber Bank Heists report:** 

Authored by Contrast's Senior Vice President of Cyber Strategy Tom Kellermann, the annual Cyber Bank Heist report includes findings from interviews conducted with global financial sector leaders focusing on the current state of security threats and the defensive shifts made by cybercriminals. The report provides an analysis of geopolitical tensions, destructive attacks and zero-day exploits from the previous year. It also offers specific defensive countermeasures that should be employed by FIs to protect against growing cybercrime conspiracies and cyberespionage. To learn more about the annual Cyber Bank Heists report, please visit https://www.contrastsecurity.com/cyberbankheistsreport.

**About the Author Tom Kellermann:** 

Tom Kellermann is the Senior Vice President of Cyber Strategy at Contrast Security, Inc. Previously, Tom held the positions of Head of Cybersecurity Strategy for VMware, Inc. and Chief Cybersecurity Officer for Carbon Black, Inc., wherein he authored the "Modern Bank Heist report" for the past five years. In 2020, he was appointed to the Cyber Investigation Advisory Board for the United States Secret Service. On Jan. 19, 2017, Tom was appointed the Wilson Center's Global Fellow for Cybersecurity Policy. Tom previously held the positions of Chief Cybersecurity Officer for Trend Micro, Inc., Vice President of Security for Core Security and Deputy CISO for the World Bank Treasury. In 2008, Tom was appointed a commissioner on the Center for Strategic & International Studies' (CSIS') Commission on Cyber Security for the 44th President of the United States. In 2003, he co-authored the Book "Electronic Safety and Soundness: Securing Finance in a New Age."

**About Contrast Security (Contrast):**

A world leading code security platform company purposely built for developers to get secure code moving swiftly and trusted by security teams to protect business applications. Developers, security and operations teams quickly secure code across the complete software development life cycle (SDLC) with Contrast to protect against today's targeted application security (AppSec) attacks. Contrast also makes security testing available to all developers for free with CodeSec.

Founded in 2014 by cybersecurity industry veterans, Contrast was established to replace legacy AppSec solutions that cannot protect modern enterprises. With today's pressures to develop business applications at increasingly rapid paces, the Contrast Secure Code Platform defends and protects against full classes of common vulnerabilities and exposures (CVEs). This allows security teams to avoid spending time on focusing false positives and remediate true vulnerabilities faster. Contrast's platform solutions for code assessment, testing, protection, serverless, supply chain, APIs and languages help enterprises achieve true DevSecOps transformation and compliance.

Contrast protects against major cybersecurity attacks for its customer base which represents some of the largest brand-name companies in the world, including BMW, AXA, Zurich, NTT, SOMPO Japan and American Red Cross, as well as numerous other leading global Fortune 500 enterprises. Contrast partners with global organizations such as AWS, Microsoft, IBM Cloud, Guidepoint Security, Trace3, Deloitte and Carahsoft, to seamlessly integrate and achieve the highest level of security for customers.

The growing demand for the world's only platform for code security has landed the company on some of the most prestigious lists including the Inc. 5000 List of America's Fastest Growing Companies and has designated Contrast as one of the fastest growing companies on the Deloitte Technology Fast 500 List.

Financial Institutions Are Suffering From Increasingly Sophisticated Cyberattacks, According to Contrast Security

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide.
"Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware

Endpoint Security / Zero-Day

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide.

"Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)," the virtualization services provider said.

The company is further recommending users to upgrade to the latest available supported releases of vSphere components to mitigate known issues and disable the OpenSLP service in ESXi.

"In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default," VMware added.

The announcement comes as unpatched and unsecured VMware ESXi servers around the world have been targeted in a large-scale ransomware campaign dubbed ESXiArgs by likely exploiting a two-year-old bug VMware patched in February 2021.

The vulnerability, tracked as CVE-2021-21974 (CVSS score: 8.8), is an OpenSLP heap-based buffer overflow vulnerability that an unauthenticated threat actor can exploit to gain remote code execution.

The intrusions appear to single out susceptible ESXi servers that are exposed to the internet on OpenSLP port 427, with the victims instructed to pay 2.01 Bitcoin (about $45,990 as of writing) to receive the encryption key needed to recover files. No data exfiltration has been observed to date.

Data from GreyNoise shows that 19 unique IP addresses have been attempting to exploit the ESXi vulnerability since February 4, 2023. 18 of the 19 IP addresses are classified as benign, with one sole malicious exploitation recorded from the Netherlands.

"ESXi customers should ensure their data is backed up and should update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur," Rapid7 researcher Caitlin Condon said. "ESXi instances should not be exposed to the internet if at all possible."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree

The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.

A global ransomware attack on VMware ESXi hypervisors is expanding, according to multiple government agencies and researchers, having already infected thousands of targets.

The attack, first flagged late Feb. 3 by the French Computer Emergency Response Team (CERT-FR), has already compromised more than 3,200 servers in Canada, France, Finland, Germany, and the US so far, according to tracking from Censys.

The avenue of compromise is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

The attack's goal appears to be the installation of a novel ransomware strain dubbed "ESXiArgs" — though the gang behind it is unknown, according to a Feb. 5 notice from French hosting provider OVHcloud, which has customers affected by the attacks.

"We \[previously\] made the assumption the attack was linked to the Nevada ransomware which was a mistake," according to the alert. "No material can lead us to attribute this attack to any group. Attribution is never easy and we leave security researchers to make their own conclusions."

The operators behind the attack are asking for around 2 Bitcoin ($23,000 at press time) to be delivered within three days of compromise; if the victims don't pay up, the ransom will increase and the gang will release sensitive data, they warned, according to a copy of the ransom note posted by a Dark Web monitor known as DarkFeed. However, cybersecurity firm Rapid7 noted in an analysis that there's no evidence of actual data exfiltration so far.

Instead, the encryption process seems to be the main goal, which is specifically targeting virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and \*.vmem), according to the firm's assessment. "In some cases, encryption of files may partially fail, allowing the victim to recover data."

Also, "the malware tries to shut down virtual machines by killing the VMX process to unlock the files," Rapid7 explained; VMX, or Virtual Machine Executable, is a process that runs in the VMkernel that handles I/O commands. "This function is not systematically working as expected, resulting in files remaining locked," the alert added.

To avoid being caught up in the cyberattacks, admins should patch immediately, or, as a workaround, "the SLP can be disabled on any ESXi servers that haven’t been updated, in order to further mitigate the risk of compromise," according to the CERT-FR alert.

Also, "users and administrators are also advised to assess if the ransomware campaign-targeted port 427 can be disabled without disrupting operations,” Singapore's SingCERT advised in a notice over the weekend.

VMware remains a popular target for cybercriminals; just last week, exploit code emerged for other RCE bugs lurking in the virtualization specialist's product portfolio.

Global Ransomware Attack on VMware EXSi Hypervisors Continues to Spread

Look for recent trends in attacks, strategies, and vulnerabilities to continue gaining steam throughout 2023.

Global risks from population pressures and climate change to political conflicts and industrial supply chain challenges characterized 2022. Cybercriminals used this turmoil to exploit these trending topics, including significant events, public affairs, social causes, and anywhere else opportunity appeared.

2023 will see a continuation of these challenges, especially as bad actors continue to take advantage of the chaos caused by the expected backlash from Russia due to the Ukraine conflict.

The following cyberthreat predictions are based on key observations made by the Zscaler ThreatLabz research team, made up of more than 125 security experts with decades of experience in tracking threat actors, malware reverse engineering, behavior analytics, and data science.

**CaaS Offerings Continue to Rise**

Crime-as-a-service (CaaS) encompasses the full range of cyber threat service offerings, including ransomware-as-a-service, where developers outsource ransomware to their affiliates who execute the attack and share the profits, and phishing-as-a-service, where cybercriminals can buy grammatically perfect email templates, replicas of popular webpages, and more.

As threat actors seek to increase payouts, they will leverage more service model offerings to increase the effectiveness of their attacks and cut out the development time to quickly scale operations. CaaS also lowers the technical barrier to entry, enabling novice cybercriminals to execute sophisticated threats.

**Supply Chains Bigger Targets Than Ever**

Supply chain attacks occur when adversaries compromise partner and supplier ecosystems to reach their ultimate breach target and goals, such as executing a ransomware attack. Compromising a target's weaker suppliers is more accessible and has led to successful upstream attacks, which is why this tactic will likely increase in the future.

**Dwell Time Decreases**

Dwell time is the period between the initial compromise and the final stage of an attack — for example, the median dwell time for threat actors to deploy ransomware is now just five days, according to Mandiant. For most organizations, this is also the length of time an attack can be detected and stopped by defenders before it causes damage.

**Attackers Rebrand**

Malware families, ransomware gangs, and other cybercriminal associations reorganize themselves frequently.

GandCrab rebranded as REvil, the group responsible for the spotlight attacks on JBS and Kaseya. The old groups typically go dark after an incident, then a new group appears months or years later. Researchers eventually discern that it's basically the old group getting back together, with similar techniques and code styles giving them away.

They may rebrand because of new member affiliations to avoid criminal charges and to ensure they can secure cyber insurance payouts.

**Endpoint Protection Won’t Be Enough**

Threat actors will increase the use of tactics to bypass antivirus and other endpoint security solutions. In addition, their attacks will have an increasing focus on core business service technologies, like VMware ESX, for example.

Last fall, researchers observed attackers using new techniques to install persistent backdoors on ESXi hypervisors, a virtualization software and a primary component in the VMware infrastructure software suites for virtual machines.

Because of this, organizations will have an even greater need for defense-in-depth, rather than relying solely on endpoint security to prevent and detect intrusions.

**Leaked Source Code Leads to Forks**

Forked malware, of course, is just another variant that include updates with more sophisticated techniques. Sometimes the source code for a specific malware is leaked online by a researcher, as in the case of Conti ransomware.

Since Conti ransomware was leaked, for example, parts of the source code have been found in other types of ransomware, borrowed or repurposed by different developers.

Updated and forked versions of malware and other threats make it harder for defenders to detect, because there are so many variants using custom techniques to deploy the same attack. We expect such variants will continue to evolve at different rates.

Read more _Partner Perspectives_ with Zscaler.

Cybercrime Shows No Signs of Slowing Down

Despite growing awareness, organizations remain plagued with unpatched vulnerabilities and weaknesses in credential policies.

Weak credential policies and a lax approach to patching were among the most common points of IT security failure for organizations in 2022, while a failure to configure tools properly could leave organizations open to attack.

That's according to a recent study by cybersecurity firm Horizon3.ai, based on findings from approximately 7,000 penetration tests that evaluated approximately 1 million assets.

Of the Top 10 vulnerabilities Horizon3.ai detected in 2022, the use of weak or reused credentials topped the list, followed by weak or default credential checks in protocols (SSH and FTP) and threat actors using Dark Web credential dumps from Windows or Linux hosts.

Exploitation of critical vulnerabilities on CISA's list of Top 15 Routinely Exploited Vulnerabilities list, as well as the exploitation of critical VMware vulnerabilities, rounded out the top five.

Corey Sinclair, cyber-threat intelligence analyst for Horizon3.ai, explains that professionals are challenged by balancing the three factors of security, functionality, and usability. The requirements of the end user, usability and functionality, are often at odds with or contradictory to the best security practices.

"To ease our own burden, we as individuals tend to shy away from the difficult, and move to what's easy and convenient," he says. "This means having fewer or easier credential requirements."

Individuals thus tend to reuse credentials when they know they should have unique passwords for everything, and organizations fail to enforce stronger credential requirements or invest in a companywide password solution.

Sinclair adds that sometimes, companies simply don't know to go back and check to see if default credentials were changed when a new technology is brought online.

Security teams should be on notice: The successful combo of using stolen credentials and social engineering to breach networks is increasing the demand for infostealers on the Dark Web, according to Accenture's Cyber Threat Intelligence team (ACTI), which recently surveyed the infostealer malware landscape over 2022.

That report also warned that malicious actors are combining stolen credentials and social engineering to carry out high-profile breaches and leveraging multifactor authentication (MFA) fatigue attacks.

**Patching & Misconfigurations Are a Pain Point**

The survey also found that known critical vulnerabilities were regularly exploited, while popular DevOps tools and resources, including Docker and Kubernetes, were riddled with misconfigurations and vulnerabilities.

"Patching and misconfigurations essentially come down to scale and prioritization," Sinclair says. "Depending on the size and infrastructure of a company's IT department, it will determine how quickly and effectively a company can find what needs to be patched or configured."

Additionally, not all organizations know what to patch, and how to prioritize what needs to be patched first.

"With the plethora of CVEs and vulnerabilities being released daily, most companies find it hard to keep up with, let alone fix what matters, before threat actors exploit them," he adds.

From his perspective, companies must take a different approach to security, in which they view their environments through the eyes of the attacker.

"They need to view their environment and prioritize \[fixes\] based on what is actually reachable, vulnerable, and exploitable," he says. "This mindset shift allows the company to stay one step ahead of the adversary, while ensuring they have a constant pulse on their environment's security posture."

Organizations without the time or talent to patch or review for misconfigurations may find patching-as-a-service (PaaS) a way to improve security, but a successful program will require accurate and robust asset management tools so the vendor knows what's live in the client's environment, he adds.

**Adoption of Multifactor Technologies in 2023**

Sinclair points out that while it is "way too early" to tell what 2023 will bring on the cybersecurity defense front, he believes there are going to be more and more companies adopting new multifactor technologies to aid in the fight against credential reuse and weak credentials.

"By adopting these technologies, it will push cyber-threat actors to find other vulnerabilities and weaknesses to exploit," he says. "As the cybersecurity world is always shifting and evolving, staying one step ahead of malicious cyber-threat actors is paramount."

Patching & Passwords Lead the Problem Pack for Cyber-Teams

Categories: Exploits and vulnerabilities
Categories: News
Categories: Ransomware
Tags: VMware

Tags:  ESXi

Tags:  Nevada

Tags:  ransomware

Tags:  Linux

Tags:  CVE-2021-21974

Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines.



(Read more...)




The post Two year old vulnerability used in ransomware attack against VMware ESXi  appeared first on Malwarebytes Labs.

On Friday and over the weekend, several Computer Emergency Response Teams (CERTs) sounded the alarm about an ongoing large scale ransomware attack on VMware ESXi virtual machines.

With some discrepancies between Shodan queries from various researchers, most agree that an estimated 500 entities were affected by the attack over the weekend.

**Old vulnerability**

The suspected vulnerability, which is listed as CVE-2021-21974 was patched by VMware almost two years ago. The vulnerability can be found in OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) and is a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. Heap memory is used by all the parts of an application as opposed to stack memory which is used by only one thread of execution.

**Mitigation**

The products that are vulnerable for CVE-2021-21974 are VMware ESXi, and VMware Cloud Foundation (Cloud Foundation).To remediate CVE-2021-21974 apply the updates listed under 3b in the 'Fixed Version' column of the 'Response Matrix' to affected deployments.

The fixed versions are:

*   For ESXi 7.0: ESXi70U1c-17325551 or later
*   For ESXi 6.7: ESXi670-202102401-SG or later
*   For ESXi 6.5: ESXi650-202102101-SG or later
*   For Cloud Foundation (ESXi) 4.x: 4.2 or later
*   For Cloud Foundation (ESXi) 3.x: please refer to VMware KB82705

A recommended workaround if you are not using the OpenSLP service in ESXi is to disable the SLP service on VMware ESXi.

**Ransomware**

Even though Proof-of-Concept (PoC) instructions were posted only a few months after the vulnerability was patched we haven’t seen any reports of the exploit being used in the wild before February 3, 2023. The attack was aimed at vulnerable ESXi servers that are exposed to the internet on port 427. The threat actor runs an encryption process which is specifically targeting virtual machines files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”,”\*.vmem”). Although some researchers have found instances where only the configuration files were encrypted. More on that later.

The ransomware group that reportedly launched this large-scale attack dubbed ESXiArgs against vulnerable ESXi is believed to be the new Nevada ransomware group.

Recently, it became known that the Royal ransomware group had added the ability to target Linux machines to their arsenal. With the transition of organizations to Virtual Machines (VMs) a Linux based ransomware version allows them to target the very popular ESXi virtual machines.

**Decryptable**

Security researcher Matthieu Garin posted on social media that the attackers only encrypt the config files, and not the vmdk disks where the data is stored. In such cases, the Enes.dev website may be of help to you. The guide explains how admins can rebuild their virtual machines and recover their data for free.

According to research from BleepingComputer, the encryption routine itself is secure, which means there are no cryptography bugs that allow free decryption.

**Disclaimers**

Nevada may turn out to be the Linux variant of a well-known ransomware group.

While all clues point to CVE-2021-21974 there are several critical vulnerabilities in VMware ESXi like CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699, that can potentially lead to remote code execution (RCE) on affected systems.

There may be special circumstances at work in the cases where only the config files were encrypted. For example the ransomware tries to stop the VM so it can encrypt the file, but this may not always be successful in which cases the damage is limited to the config files.

When more details become available we will keep you updated here.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#vmware