Last updated at Wed, 08 Feb 2023 19:35:43 GMT
On February 3, 2023, French web hosting provider OVH and French CERT issued warnings about a ransomware campaign that was targeting VMware ESXi servers worldwide with a new ransomware strain dubbed “ESXiArgs.” The campaign appears to be leveraging CVE-2021-21974, a nearly two-year-old heap overflow vulnerability in the OpenSLP service ESXi runs. The ransomware operators are using opportunistic “spray and pray” tactics and have compromised hundreds of ESXi servers in the past few days, apparently including servers managed by hosting companies. ESXi servers exposed to the public internet are at particular risk.
Given the age of the vulnerability, it is likely that many organizations have already patched their ESXi servers. However, since patching ESXi can be challenging and typically requires downtime, some organizations may not have updated to a fixed version.
Update: On February 7, 2023, CISA released a recovery script for organizations impacted by ESXiArgs which "works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware."
Affected products
The following ESXi versions are vulnerable to CVE-2021-21974, per VMware’s original advisory:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
Security news outlets have noted that earlier builds of ESXi appear to have also been compromised in some cases. It is possible that attackers may be leveraging additional vulnerabilities or attack vectors. We will update this blog with new information as it becomes available.
February 8, 2023 Update: Based on Project Sonar telemetry and the affected build ids, Rapid7 believes, with high confidence, that there are at least 18,581 vulnerable internet facing ESXi servers at the time of this writing.
Attacker behavior
OVH has observed the following as of February 3, 2023 (lightly edited for English translation):
- The compromise vector is confirmed to use a OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed [as of February 3]). The logs actually show the user “dcui” as involved in the compromise process.
- Encryption is using a public key deployed by the malware in /tmp/public.pem
- The encryption process is specifically targeting virtual machines files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”,”*.vmem”)
- The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.
- The malware creates “argsfile” to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size)
- No data exfiltration occurred.
- In some cases, encryption of files may partially fail, allowing the victim to recover data.
February 8, 2023 Update: According to Rapid7 threat intelligence, this vulnerability and other ESXi vulnerabilities are actively being exploited by ransomware groups other than ESXiArgs.
Mitigation guidance
ESXi customers should ensure their data is backed up and should update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur. ESXi instances should not be exposed to the internet if at all possible. Administrators should also disable the OpenSLP service if it is not being used.
Rapid7 customers
A vulnerability check for CVE-2021-21974 has been available to InsightVM and Nexpose customers since February 2021.
Updates
February 8, 2023 15:35 UTC
- Added information on the CISA recovery script released on February 7, 2023
February 8, 2023 19:32 UTC
- Added Project Sonar telemetry information
- Added information regarding exploitation by groups other than ESXiArgs