A Breakdown of the Prolific 'ESXiArgs' Ransomware Attacks

Overt Operator
February 06, 2023

A global, widespread ransomware campaign is exploiting a previously patched vulnerability in VMware ESXi hypervisors, CVE-2021-21974. According to a Censys search, approximately 3,200 VMware ESXi servers worldwide have been compromised in this ransomware campaign.
The exploit relies on a now-patched, two-year-old vulnerability in ESXi's OpenSLP service, which usually listens on port 427.
In the ransomware attacks that occurred over the weekend, threat actors exploited this flaw to deploy malware that encrypts files associated with virtual machines, including those with the .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem extensions.
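The file types listed above are a useful starting point for post-incident triage. Several of them (.vmx, .vmxf, .vmsd and VMDK descriptor files) are plain ASCII on a healthy host, so a file with one of those extensions that is suddenly high-entropy has most likely been encrypted or overwritten. The scanner below is an added example written for this article, not code from the article, from VMware or from the attackers: it inventories every targeted file under a datastore path and flags the text-format ones that no longer look like text. The entropy threshold, the 64 KiB sample window and the sample datastore it builds in a temp directory are all constructed for illustration.

```python
"""Datastore triage for the VM file types ESXiArgs encrypts.

Added example; not code from the article or from VMware. Binary formats
(-flat/-delta VMDK extents, .vswp, .vmem, .vmss, .vmsn, .nvram) are inventoried
but not judged, because they are high-entropy by nature. Text formats that come
back high-entropy are flagged as suspicious.
Assumptions: ENTROPY_LIMIT and SAMPLE_BYTES are heuristics chosen here; the
sample datastore is constructed, not captured from a real host.
"""
import math
import os
import tempfile
from pathlib import Path

# Extensions named in the article as targets of the encryptor.
TARGET_EXTS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", ".vmem"}
TEXT_EXTS = {".vmx", ".vmxf", ".vmsd"}          # key = "value" text files on an intact host
BINARY_VMDK_SUFFIXES = ("-flat.vmdk", "-delta.vmdk", "-sesparse.vmdk", "-ctk.vmdk")
ENTROPY_LIMIT = 6.0                              # bits/byte; config text sits around 4-5
SAMPLE_BYTES = 64 * 1024                         # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def expects_text(path: Path) -> bool:
    """True for file types that should be plain text on an intact datastore."""
    ext = path.suffix.lower()
    if ext in TEXT_EXTS:
        return True
    # A .vmdk without an extent suffix is the small text descriptor file.
    return ext == ".vmdk" and not path.name.lower().endswith(BINARY_VMDK_SUFFIXES)


def scan_datastore(root) -> list:
    """Walk `root`; one record per targeted VM file, flagging encrypted-looking text files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TARGET_EXTS:
                continue
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            ent = shannon_entropy(head)
            text_expected = expects_text(path)
            findings.append({"path": str(path), "entropy": round(ent, 2),
                             "text_expected": text_expected,
                             "suspicious": text_expected and ent > ENTROPY_LIMIT})
    return findings


def suspicious_names(findings) -> set:
    """File names flagged as suspicious, for reporting and for the checks below."""
    return {os.path.basename(f["path"]) for f in findings if f["suspicious"]}


def build_sample_datastore() -> str:
    """Constructed datastore: one healthy VM and one whose config files were scrambled."""
    root = tempfile.mkdtemp(prefix="esxi-triage-")
    vmx_text = (b'.encoding = "UTF-8"\nconfig.version = "8"\n'
                b'virtualHW.version = "17"\nmemSize = "4096"\n') * 8
    desc_text = (b'# Disk DescriptorFile\nversion=1\ncreateType="vmfs"\n'
                 b'RW 8388608 VMFS "healthy-flat.vmdk"\n')
    healthy = Path(root, "healthy")
    healthy.mkdir()
    (healthy / "healthy.vmx").write_bytes(vmx_text)
    (healthy / "healthy.vmdk").write_bytes(desc_text)
    (healthy / "healthy-flat.vmdk").write_bytes(os.urandom(4096))  # binary extent: random-looking is normal
    victim = Path(root, "victim")
    victim.mkdir()
    (victim / "victim.vmx").write_bytes(os.urandom(4096))          # stands in for an encrypted config
    (victim / "victim.vmdk").write_bytes(os.urandom(4096))         # stands in for an encrypted descriptor
    (victim / "notes.txt").write_bytes(b"not a VM file")           # ignored by the scanner
    return root


if __name__ == "__main__":
    for rec in sorted(scan_datastore(build_sample_datastore()), key=lambda r: r["path"]):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10s} entropy={rec['entropy']:.2f} {rec['path']}")
```

Run against a real datastore by calling `scan_datastore("/vmfs/volumes/<datastore>")` from a host with Python available, or copy the files off first; the entropy test is deliberately crude, so treat a flag as a reason to open the file, not as proof of encryption.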
CVE-2021-21974’s specific details are noted as:
OpenSLP, as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG), has a heap-overflow vulnerability.
A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution (RCE).
In layman's terms, the flaw allows an unauthenticated attacker with network access to port 427 to execute arbitrary code remotely.
That means an attacker could run simple commands that escalate their privileges and grant unfettered access to the target system. Because ESXi hosts sit above the guests they run, compromising one gives the attacker control over, and the trust relationships of, many other nodes on the network.
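Two facts from the advisory text above determine whether a given host is exposed: its build relative to the fixed builds, and whether the OpenSLP service is reachable on port 427. The triage script below is an added example written for this article, not VMware tooling; it parses the output of `vmware -v` and of `esxcli network firewall ruleset list` (whose CIMSLP ruleset is the one that exposes OpenSLP) and combines them into a verdict. Only the 7.0 fixed build (17325551) is taken from the quoted CVE description; for 6.5 and 6.7 the script asks for a manual patch-level check rather than guessing build numbers. The sample command outputs are constructed.

```python
"""Exposure triage for CVE-2021-21974 (OpenSLP heap overflow) on an ESXi host.

Added example; not VMware tooling. Inputs are two strings a defender collects
from the host shell:
  * `vmware -v` output, e.g. "VMware ESXi 7.0.0 build-17325551"
  * `esxcli network firewall ruleset list` output; the CIMSLP row is the
    firewall ruleset that lets OpenSLP traffic (port 427) through.
Assumption: FIXED_BUILD_70 is the only fixed build quoted in the article, so
6.5 / 6.7 hosts get a "verify_manually" verdict instead of a guessed threshold.
"""
import re
from typing import Dict, Tuple

FIXED_BUILD_70 = 17325551  # "7.0 before ESXi70U1c-17325551" per the CVE description


def parse_vmware_version(text: str) -> Tuple[str, int]:
    """Return (major.minor, build) parsed from `vmware -v` style output."""
    m = re.search(r"VMware ESXi (\d+\.\d+)(?:\.\d+)? build-(\d+)", text)
    if not m:
        raise ValueError("unrecognised `vmware -v` output")
    return m.group(1), int(m.group(2))


def slp_ruleset_enabled(ruleset_listing: str) -> bool:
    """True if the CIMSLP firewall ruleset (OpenSLP, port 427) is enabled."""
    for line in ruleset_listing.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "CIMSLP":
            return parts[1].lower() == "true"
    return False  # no CIMSLP row at all: the firewall is not passing port 427


def assess(version_text: str, ruleset_listing: str) -> Dict[str, object]:
    """Combine patch level and firewall state into one verdict.

    Verdicts:
      patched          build is at or past the fixed 7.0 build
      blocked          not (known to be) patched, but CIMSLP is disabled
      vulnerable       unpatched 7.0 host with CIMSLP enabled
      verify_manually  6.5/6.7 host with CIMSLP enabled; fixed build not known here
    """
    version, build = parse_vmware_version(version_text)
    slp_open = slp_ruleset_enabled(ruleset_listing)
    patched = build >= FIXED_BUILD_70 if version == "7.0" else None

    if patched is True:
        verdict = "patched"
    elif not slp_open:
        verdict = "blocked"
    elif patched is False:
        verdict = "vulnerable"
    else:
        verdict = "verify_manually"
    return {"version": version, "build": build, "slp_enabled": slp_open, "verdict": verdict}


# Constructed sample outputs (not captured from a real host; the old build number is invented).
SAMPLE_VERSION_OLD = "VMware ESXi 7.0.0 build-16000000"
SAMPLE_VERSION_NEW = "VMware ESXi 7.0.0 build-17325551"
SAMPLE_VERSION_67 = "VMware ESXi 6.7.0 build-15000000"
SAMPLE_RULESETS_OPEN = """Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true
"""
SAMPLE_RULESETS_CLOSED = """Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               false
"""

if __name__ == "__main__":
    cases = [("old build, SLP open", SAMPLE_VERSION_OLD, SAMPLE_RULESETS_OPEN),
             ("old build, SLP blocked", SAMPLE_VERSION_OLD, SAMPLE_RULESETS_CLOSED),
             ("fixed build, SLP open", SAMPLE_VERSION_NEW, SAMPLE_RULESETS_OPEN),
             ("6.7 host, SLP open", SAMPLE_VERSION_67, SAMPLE_RULESETS_OPEN)]
    for label, ver, rules in cases:
        print(f"{label:24s} -> {assess(ver, rules)['verdict']}")
```

A "vulnerable" or "verify_manually" verdict on a host that cannot be patched immediately is the case for VMware's documented workaround of stopping and disabling the SLP daemon and its firewall ruleset (KB 76372: `/etc/init.d/slpd stop`, `esxcli network firewall ruleset set -r CIMSLP -e 0`, `chkconfig slpd off`), which this script would then report as "blocked".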
In many cases, running a virtual server or virtual network is a considerable benefit. Cost, space, and general maintenance are all significantly reduced, and since they are virtual, you can also save and back up snapshots more easily. So, if the network crashes, it's relatively easy to bring it back online by using the backup. Oftentimes, a company will lose approximately 24 hours of data, but 24 hours is more acceptable than days or weeks.
In the case of ransomware, the data itself becomes the issue. A group can lock down all the data on a particular network and hold the data, not the network, for ransom. Companies that deal with PII
Multiple proof-of-concept (PoC) exploits have been available on GitHub since May 2021 and can easily be downloaded for testing and use. An attacker can modify this code to automate the exploit and repurpose it for scaled, targeted ransomware attacks.
How concerned should organizations be?
The answer depends on several factors but usually comes down to money. If it is cheaper for a company to pay a ransom than to implement protective measures, or to pay for cyber insurance, then most companies will opt to pay the ransom.
From the perspective of a security researcher, organizations should be very concerned about this exploit. There is no foolproof method to protect your network systems or data, but companies that are not putting security practices at the forefront of their business will eventually be exploited.
It's a matter of when, not if.
What potential does this attack have to cause damage?
This also depends. Some companies are so large that a ransomware attack may not have the lasting financial impact threat actors expect, but a company is still made up of individuals, and they are typically the ones who feel the fallout of data breaches the most.
Most data stolen through ransomware campaigns ends up seeing the light of day. Breach data, whether the ransom was paid or not, is distributed on digital marketplaces or shared for free. Many of these breach files contain employee personally identifiable information (PII) that can be used for follow-on attacks.
Think of it almost like a TV spin-off. The main show is a large company, and the employees are part of the supporting cast that gets their own show.
Follow-on attacks take many forms, but the one you'll see the most today is SIM swapping.