A ransomware attack - VMware ESXi servers

Description:

French Computer Emergency Response Team (CERT-FR) and Italy’s national cybersecurity authority (ACN) are all issuing warnings about how attackers are actively focusing on VMware ESXi servers. It was at risk from a two-year-old unpatched remote code execution vulnerability tracked as CVE-2021-21974 through OpenSLP port (427). The attacker’s ultimate objective was to install ransomware in these systems. 

VMWare ESXi formerly known as ESX, developed by VMWare is an enterprise-level, type-1 hypervisor developed for deploying and serving virtual computers. A hypervisor is an operating system that enables the productive operation of several virtual machines, virtual appliances, and containers on the same physical server. VMware ESXi servers were left vulnerable and unpatched against a remotely exploitable bug from 2021. A heap overflow issue in the OpenSLP service of VMWare ESXi caused the vulnerability which enables remote code execution attacks on vulnerable computers by unauthenticated attackers. Heap overflow occurs when the system tries to process excessive data which exceeds the designated memory allocation for the process. Attackers are then able to seize control of the compromised system, run arbitrary code, and maybe steal or add malware like ransomware or access sensitive data. The ransomware targets files with the.vmxf,.vmx,.vmdk,.vmsd, and.nvram extension on affected ESXi systems and creates a.args file with metadata for each encrypted file.

The Service Location Protocol(SLP) is a service discovery protocol that allows connecting devices to identify services available within the local area network by querying a directory server. OpenSLP is an open-source implementation of the Service Location Protocol. At least 120 VMware ESXi servers worldwide have already been compromised in this ransomware campaign, according to a Shodan search.

Affected Versions:

Mainly version 6. x and ESXi hypervisor version before 6.7\

• ESXi versions 7. x prior to ESXi70U1c-17325551
• ESXi versions 6.7.x prior to ESXi670-202102401-SG
• ESXi versions 6.5.x prior to ESXi650-202102101-SG

CVE_IDs: 

• CVE-2021-21974

Source:

• https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ 
• https://angrysysops.com/2023/02/03/someone-is-encrypting-an-unpatched-vmware-esxi-6-x-servers-that-are-open-to-the-internet/ 

Impact:

• Attackers can run arbitrary code and maybe steal or access sensitive data. 
• The ultimate goal of this attack is to install ransomware on these systems.

Recommendation:

• Admins have to deactivate the susceptible Service Location Protocol (SLP) service on ESXi hypervisors that have not yet been patched.
• Apply the patch as soon as possible.