ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware


There have been some new developments in the case of the ESXiArgs ransomware attacks, including related to the encryption method used by the malware, victims, and the vulnerability exploited by the hackers.

After the US Cybersecurity and Infrastructure Security Agency (CISA) announced the availability of an open source tool designed to help some victims of the ESXiArgs ransomware recover their files without paying a ransom, the FBI and CISA released a document providing recovery guidance.

The FBI and CISA are aware of more than 3,800 servers that were compromised around the world in ESXiArgs ransomware attacks. 

Currently, the Shodan and Censys search engines show 1,600-1,800 hacked servers, but there is indication that many impacted organizations have started responding to the attack and cleaning up their systems.

Reuters has conducted an analysis and determined that the victims include Florida’s Supreme Court and universities in the United States and Europe.

An analysis of the file-encrypting malware deployed in the ESXiArgs attacks showed that it has targeted files associated with virtual machines (VMs). However, experts noticed that the ransomware mainly targeted VM configuration files, but did not encrypt the flat files that store data, allowing some users to recover their data.

The tool released by the US government reconstructs the encrypted configuration files based on the unencrypted flat files. 

However, Bleeping Computer reported on Wednesday that some victims have been targeted with a new version of the ESXiArgs malware, one with a different encryption process that involves encrypting more data, which prevents the recovery of files. 

Until now, the ransomware did not encrypt the majority of data in large files, but the new version of the malware encrypts a far more significant amount of data in large files. Up until now, researchers have not found any flaws in the actual encryption, making it impossible to restore encrypted files.

It has been assumed that the ESXiArgs attacks leverage CVE-2021-21974 for initial access. This is a high-severity remote code execution vulnerability in VMware ESXi that VMware patched in February 2021. The issue is related to OpenSLP.

VMware has not confirmed exploitation of CVE-2021-21974, but it did say that there is no evidence of a zero-day vulnerability being leveraged in the attacks.

However, threat intelligence company GreyNoise is not convinced that there is enough evidence that CVE-2021-21974 is being exploited. GreyNoise pointed out that several OpenSLP-related vulnerabilities have been found in ESXi in recent years, and any of them could have been exploited in the ESXiArgs attacks, including CVE-2020-3992 and CVE-2019-5544

Data collected by cloud security company Wiz showed that, as of February 7, 12% of ESXi servers were unpatched against CVE-2021-21974 and vulnerable to attacks. 

The attacks have yet to be attributed to a known threat actor, but the evidence collected so far suggests that the file-encrypting malware is based on Babuk source code that was leaked in 2021. 

“Due to the relatively low ransom demand (2 BTC) and widespread, opportunistic targeting, we assess with moderate confidence this campaign is not tied to ransomware groups known for ‘Big Game Hunting’,” said SOC-as-a-service provider Arctic Wolf. “More established ransomware groups typically conduct OSINT on potential victims before conducting an intrusion and set the ransom payment based on perceived value.”

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities

The post ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware appeared first on SecurityWeek.

Many VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability


Unpatched and unprotected VMware ESXi servers around the world have been targeted over the past few days in a large-scale ransomware attack exploiting a vulnerability patched in 2021.

The attacks, dubbed ESXiArgs, are still being analyzed by the cybersecurity community, but based on the information available to date, it appears that threat actors are exploiting CVE-2021-21974, a high-severity ESXi OpenSLP heap-overflow vulnerability that VMware patched in February 2021. 

“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” VMware said in its advisory at the time.

Proof-of-concept (PoC) code and technical details on CVE-2021-21974 were made public a couple of months after the patches were announced, but there do not appear to be any previous reports of the vulnerability being exploited in the wild. 

In the ransomware attacks that surged over the weekend, threat actors exploited the flaw to hack ESXi servers and deploy a piece of malware that encrypts files associated with virtual machines, including files with the .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem extensions, according to an analysis by French cloud company OVH.

The attacks seem to target vulnerable ESXi servers that are exposed to the internet on port 427. 

OVH noted that the malware shuts down VM processes before initiating its encryption routine, but the function does not seem to work properly. In some cases, files are only partially encrypted, allowing victims to recover them without paying a ransom. There is no evidence of data being stolen in the attacks. 

Researcher Enes Sonmez has found a way to recover some of the files encrypted by the ransomware.

The attacks were initially incorrectly attributed to ransomware named Nevada and Cheerscrypt (Emperor Dragonfly), but they were later linked to a new ransomware operation named ESXiArgs.

More than two thousand ESXi instances appear to be impacted according to Censys. Shodan shows roughly 800 compromised servers. 

CVE-2021-21974 exploited

At the time of writing, many antivirus engines cannot detect the ESXiArgs malware.

Government agencies in the United States and Europe are looking into these attacks and assessing their impact. 

While the malware does not appear to have file exfiltration capabilities, the ransom note dropped in the ESXiArgs attack informs victims that their data will be sold unless a payment is made. Victims are instructed to pay 2 bitcoins ($48,000) to receive the encryption key needed to recover files. 

Ransomware expert Soufiane Tahiri has been keeping track of the Bitcoin wallet addresses used by the cybercriminals.  

While it has become increasingly common for threat actors to target ESXi servers, the exploitation of ESXi vulnerabilities is rare. 

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities

The post Many VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability appeared first on SecurityWeek.

VMware Plugs Critical Code Execution Flaws


Virtualization technology giant VMware on Tuesday shipped its first security bulletin for 2023 with patches for multiple critical-level flaws that expose businesses to remote code execution attacks.

VMware said the security defects affect users of its VMware vRealize Log Insight and could be exploited by an unauthenticated attacker to take full control of a target system.

VMware’s VRealize Log Insight is a log collection and analytics virtual appliance used by administrators to collect, view, manage and analyze syslog data.

The company said the most serious of the four documented flaws carry a CVSS severity score of 9.8 out of 10, adding to the urgency for organizations to apply available patches.

An advisory from the Palo Alto, Calif. company described the flaws — CVE-2022-31706, CVE-2022-31704, CVE-2022-31710 and CVE-2022-31711 –as directory traversal and broken access control issues with dangerous implications. 

“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMware warned.

The company also shipped fixes for a separate deserialization vulnerability that exposes vRealize Log Insight users to denial-of-service attacks.  

VMware also patched an information disclosure issue that allowed attackers to remotely collect sensitive session and application information without authentication.   

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: Gaping Authentication Bypass Holes in VMware Workspace One

Related: VMware Confirms Workspace One Exploits in the Wild

The post VMware Plugs Critical Code Execution Flaws appeared first on SecurityWeek.