ESXiArgs Ransomware Attack Event Analysis

February 23, 2023 | NSFOCUS


The French Computer Emergency Response Team (CERT-FR) warned [1] that attackers are exploiting a two-year-old remote code execution vulnerability in VMware ESXi servers to deploy the new ESXiArgs ransomware. The vulnerability is CVE-2021-21974 [2], a heap overflow in the OpenSLP service. Unauthenticated attackers can exploit it with very little effort.

Vulnerability (CVE-2021-21974) Information

If an attacker is on the same network segment as the ESXi host and can reach port 427, they can trigger a heap overflow in the OpenSLP service by sending a crafted malicious request packet to that port, ultimately achieving remote code execution. VMware disclosed the vulnerability and released patches in February 2021, and a PoC has since been published. The recent attacks target products that remain unpatched. CVE-2021-21974 affects the following systems:

  • ESXi version 7.x before ESXi70U1c-17325551
  • ESXi version 6.7.x before ESXi670-20210401-SG
  • ESXi version 6.5.x before ESXi650-202102101-SG

According to the network mapping engine [3], the versions most affected at present are 6.7.0, 6.5.0, 6.0.0, and 5.5.0.

Figure 1 Software Version Distribution of Extorted Assets

Asset Exposure Analysis

The data shows that more than 84,000 ESXi hosts are exposed on the Internet worldwide as of this writing, mainly in France, the United States, Belgium, China, Germany, and other countries.

Figure 2 Global Distribution of ESXi Asset Exposure Countries

The attack mainly targets the OpenSLP port (427) of ESXi servers earlier than 7.0 U3i. More than 2,200 assets expose port 427, as shown in Figure 3; on February 5, 2023, only 700 such assets were found, and the number is still rising. This is not the complete picture, since some attacked servers with port 427 open are not yet in this list; mapping of this port is probably still in progress. For vulnerabilities of this kind, the attack surface can be managed in advance. Not only ESXi but also other critical infrastructure, such as government web services, cloud-native service components, 5G network elements, industrial Internet and Internet of Vehicles systems, should be brought under management for risk mitigation as soon as possible. External attack surface management is essential: Gartner listed External Attack Surface Management (EASM) as a security and risk management trend in 2022. EASM continuously maps the exposure of all kinds of assets and services on the Internet and analyzes the attack surface they present, in particular to find and mitigate potential risks before attackers exploit them.

Figure 3 Distribution of Port 427 Exposure Countries

Extortion Status

The ransom page displayed on an extorted asset shows the bitcoin address for payment; the ransom demanded is about two bitcoins.

Figure 4 Ransom Page of Extorted Assets

The number of extorted assets found by queries at different times is shown in Table 1.

Table 1 Number of Extorted Assets at Different Times

Figure 5 Number of Extorted Assets

According to the query results, the extorted assets are mainly distributed in France, the United States, Germany, and Canada. Although the number of ESXi servers deployed in France, the United States, and Germany does not differ much, the number of extorted servers in France is twice that of the other countries. This may be related to differences between countries in how organizations operate and in government regulation.

Figure 6 Distribution of Extorted Assets in Countries

When surveying and mapping the infected ESXi servers, we found that more than 600 of them still have port 427 open and remain at risk of further attack.

Table 2 Status of Port 427 of Extorted Assets

Protection Solution

  • Disable the OpenSLP service, or install the patches promptly and upgrade to the latest version.
  • Check for a vmtools.py backdoor file; if one is found, delete it immediately.
  • For encrypted virtual machines, restore the virtual machine image from the *-flat.vmdk file [4].
  • Deploy protection software on hosts and servers, run vulnerability scans and put precautions in place.
  • Manage the external attack surface and perceive such risks in advance.
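As an added example (constructed for this article, not NSFOCUS or VMware tooling), the POSIX shell helpers below cover three items of the checklist above: finding a vmtools.py file, checking whether port 427 is still bound from the text of `esxcli network ip connection list` (or `netstat -an`), and listing *-flat.vmdk files whose descriptor .vmdk is missing or no longer a text descriptor, which are the candidates for the restore in [4]. It assumes it runs in the ESXi shell or against a mounted copy of a datastore; the script name and the sample connection line in the usage section are assumptions.

```shell
#!/bin/sh
# Added triage helpers for the ESXiArgs checklist (constructed for this
# article; not NSFOCUS or VMware tooling). Runs in the ESXi shell or
# against a mounted copy of a datastore.

# Checklist item 2: look for the vmtools.py backdoor file under a path.
find_vmtools_backdoor() {
    find "$1" -type f -name 'vmtools.py' 2>/dev/null
}

# Checklist item 1: is anything still bound to the OpenSLP port (427)?
# $1 is the text of `esxcli network ip connection list` (or netstat -an);
# the local address is the fourth column in both. Exit 0 if :427 is bound.
slp_port_open() {
    printf '%s\n' "$1" | awk '$4 ~ /:427$/ { found = 1 } END { exit !found }'
}

# Checklist item 3: list *-flat.vmdk files whose descriptor is missing or
# damaged. A healthy descriptor is a small text file that begins with
# "# Disk DescriptorFile"; when it does not, the flat file still holds the
# disk data and is the source for restoring the VM image (reference [4]).
flat_disks_needing_restore() {
    for flat in "$1"/*-flat.vmdk; do
        [ -e "$flat" ] || continue
        desc="${flat%-flat.vmdk}.vmdk"
        if [ ! -f "$desc" ] || ! head -c 21 "$desc" | grep -q '^# Disk DescriptorFile'; then
            printf '%s\n' "$flat"
        fi
    done
}

# Usage: sh esxiargs_triage.sh <search-path> [vm-directory]
if [ -n "${1:-}" ]; then
    echo "== vmtools.py backdoor candidates under $1 =="
    find_vmtools_backdoor "$1"
    if command -v esxcli >/dev/null 2>&1; then
        if slp_port_open "$(esxcli network ip connection list)"; then
            echo "== WARNING: port 427 (OpenSLP) is still bound =="
        fi
    fi
    if [ -n "${2:-}" ]; then
        echo "== flat disks in $2 needing descriptor restore =="
        flat_disks_needing_restore "$2"
    fi
fi
```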

NSFOCUS Security Solution

The NSFOCUS security solution provides a comprehensive security system to protect against ransomware attacks, including vulnerability scanning, abnormal behavior monitoring, intrusion threat detection, anti-virus and threat intelligence, covering the entire period of an attack – before, during and after the event.

Moving business to the cloud has become inevitable for organizations. The development of cloud computing has brought many changes and opportunities, but it has also introduced many risks that cannot be ignored. NSFOCUS's cloud strategy helps customers discover exposed attack surfaces and continuously manage and mitigate risks, and helps partners expand their security capabilities to increase competitiveness through value-added services in broader markets.

References

[1] https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
[2] https://straightblast.medium.com/my-poc-walkthrough-for-cve-2021-21974-a266bcad14b9
[3] https://www.shodan.io
[4] https://enes.dev/