Ransomware attacks targeting VMware ESXi servers: everything you need to know

Recent attacks leverage CVE-2021-21974 to install ransomware on VMWare ESXi servers. Security teams are advised to patch and stay vigilant for indicators of compromise.

2 minutes read

On February 3rd, 2023, researchers began observing attacks aimed at the VMware ESXi hypervisor with the goal of infecting them with ransomware. The affected systems are ESXi hypervisors version 6.5, 6.7 and 7.0. 

These recent attacks, dubbed ESXiArgs, leverage CVE-2021-21974, a vulnerability which impacts the Service Location Protocol (SLP) service and grants an attacker the ability to execute arbitrary code remotely. A patch has been available for CVE-2021-21974 since February 23rd, 2021. 

What is CVE-2021-21974? 

CVE-2021-21974 is a heap overflow vulnerability in OpenSLP, a network service that listens on TCP and UDP port 427 on default installations of VMware ESXi. A malicious actor that has access to port 427 could exploit the heap overflow issue in the OpenSLP service, leading to remote code execution if the ESXi server is exposed to the internet. 

Wiz Research data: what’s the risk to cloud environments?

According to Wiz data, 12% of ESXi servers are currently unpatched for CVE-2021-21974 and vulnerable to attacks. 

What sort of exploitation has been identified in the wild?  

Attacks utilizing this vulnerability to install ransomware have been discovered worldwide, though mostly in Europe. The targets of these attacks are primarily ESXi servers running versions prior to 7.0 U3i, which are accessible through the OpenSLP port 427. 

Researchers previously believed the malware, ESXiArgs, is an instance of the Nevada ransomware family, which was first observed in December 2022 and associated with Chinese and Russian threat actors. As of February 8, further analysis could indicate the malware might be a variant of the Babuk ransomware. Babuk source code was leaked in 2021 and utilized in previous ESXi ransomware attacks, such as CheersCrypt and PrideLocker encryptor from the Quantum/Dagon group.

Researchers also published a tool that can assist with decrypting encrypted data, and CISA released a tool to attempt recovery of virtual machines affected by ESXiArgs.

Indicators of compromise 

Since February 3rd, 2023, researchers have observed the following IP addresses attempting to exploit CVE-2021-21974:  

80.82.77.139 
80.82.77.33 
185.165.190.17 
71.6.199.23 
93.174.95.106 
185.165.190.34 
193.37.255.114 
71.6.135.131 
89.248.167.131 
185.142.236.35 
185.142.236.34 
185.142.236.36 
195.144.21.56 
152.89.196.211 
104.152.52.55 
193.163.125.138 
43.130.10.173 
104.152.52.0/24

Researchers also observed the following behaviors associated with this activity:  

MITRE TechniquesMethod
T1190 Exploit Public-Facing ApplicationCVE-2021-21974
T1486 Data Encrypted for ImpactEncryption uses a public key deployed by the malware in /tmp/public.pem. The encryption process specifically targets virtual machines files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, *.vmem)
T1486 Data Encrypted for ImpactThe malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.
T1565 Stored Data ManipulationThe malware creates an argsfile to store arguments passed to the encryption binary (number of MB to skip, number of MB in encryption block, and file size).

Which products are affected? 

  • ESXi versions 7.x before ESXi70U1c-17325551 

  • ESXi versions 6.7.x before ESXi670-202102401-SG 

  • ESXi versions 6.5.x before ESXi650-202102101-SG  

What actions should security teams take? 

Security teams are advised to patch VMware ESXi instances for CVE-2021-21974. 

As a workaround, you can also mitigate this issue by disabling the OpenSLP service, using the following commands: 

/etc/init.d/slpd stop 
esxcli system slp stats get 
esxcli network firewall ruleset set -r CIMSLP -e 0 
chkconfig slpd off 

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their VMWare ESXi servers. 

References 

Continue reading

The State of the Cloud 2023

Wiz's State of the Cloud 2023 report provides analysis of trends in cloud usage such as multi-cloud, use of managed services and more. In addition, the report highlights notable cloud risks based on insights from 30% of Fortune 100 enterprise cloud environments

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management