On February 3rd, 2023, researchers began observing attacks aimed at the VMware ESXi hypervisor with the goal of infecting them with ransomware. The affected systems are ESXi hypervisors version 6.5, 6.7 and 7.0.
These recent attacks, dubbed ESXiArgs, leverage CVE-2021-21974, a vulnerability which impacts the Service Location Protocol (SLP) service and grants an attacker the ability to execute arbitrary code remotely. A patch has been available for CVE-2021-21974 since February 23rd, 2021.
What is CVE-2021-21974?
CVE-2021-21974 is a heap overflow vulnerability in OpenSLP, a network service that listens on TCP and UDP port 427 on default installations of VMware ESXi. A malicious actor that has access to port 427 could exploit the heap overflow issue in the OpenSLP service, leading to remote code execution if the ESXi server is exposed to the internet.
Wiz Research data: what’s the risk to cloud environments?
According to Wiz data, 12% of ESXi servers are currently unpatched for CVE-2021-21974 and vulnerable to attacks.
What sort of exploitation has been identified in the wild?
Attacks utilizing this vulnerability to install ransomware have been discovered worldwide, though mostly in Europe. The targets of these attacks are primarily ESXi servers running versions prior to 7.0 U3i, which are accessible through the OpenSLP port 427.
Researchers previously believed the malware, ESXiArgs, is an instance of the Nevada ransomware family, which was first observed in December 2022 and associated with Chinese and Russian threat actors. As of February 8, further analysis could indicate the malware might be a variant of the Babuk ransomware. Babuk source code was leaked in 2021 and utilized in previous ESXi ransomware attacks, such as CheersCrypt and PrideLocker encryptor from the Quantum/Dagon group.
Researchers also published a tool that can assist with decrypting encrypted data, and CISA released a tool to attempt recovery of virtual machines affected by ESXiArgs.
Indicators of compromise
Since February 3rd, 2023, researchers have observed the following IP addresses attempting to exploit CVE-2021-21974:
80.82.77.139
80.82.77.33
185.165.190.17
71.6.199.23
93.174.95.106
185.165.190.34
193.37.255.114
71.6.135.131
89.248.167.131
185.142.236.35
185.142.236.34
185.142.236.36
195.144.21.56
152.89.196.211
104.152.52.55
193.163.125.138
43.130.10.173
104.152.52.0/24Researchers also observed the following behaviors associated with this activity:
| MITRE Techniques | Method |
|---|---|
| T1190 Exploit Public-Facing Application | CVE-2021-21974 |
| T1486 Data Encrypted for Impact | Encryption uses a public key deployed by the malware in /tmp/public.pem. The encryption process specifically targets virtual machines files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, *.vmem) |
| T1486 Data Encrypted for Impact | The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked. |
| T1565 Stored Data Manipulation | The malware creates an argsfile to store arguments passed to the encryption binary (number of MB to skip, number of MB in encryption block, and file size). |
Which products are affected?
ESXi versions
7.xbefore ESXi70U1c-17325551ESXi versions
6.7.xbefore ESXi670-202102401-SGESXi versions
6.5.xbefore ESXi650-202102101-SG
What actions should security teams take?
Security teams are advised to patch VMware ESXi instances for CVE-2021-21974.
As a workaround, you can also mitigate this issue by disabling the OpenSLP service, using the following commands:
/etc/init.d/slpd stop
esxcli system slp stats get
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their VMWare ESXi servers.
