Tuesday, March 19, 2024

Hackers Actively Exploiting VMware ESXi Servers to Deploy Ransomware

CERT-FR, the French Computer Emergency Response Team (CERT-FR), as well as administrators and hosting providers, have issued a warning concerning new ransomware, called ESXiArgs, that has been discovered.

This vulnerability makes it possible for the attackers to deploy the ESXiArgs ransomware, which can have serious consequences for the affected servers and the data stored on them. 

It is important for administrators and hosting providers to ensure that their VMware ESXi servers are patched and up-to-date to prevent such attacks.

Behaviors Identified

  • Security analysts have determined that the compromise vector is based on an OpenSLP vulnerability that might be CVE-2021-21974.
  • The malware deploys a public key in /tmp/public.pem in order to encrypt its data.
  • The encryption process specifically targets files in virtual machines.
  • In an attempt to unblock the files on virtual machines, the malware kills the VMX process to shut down the virtual machines.
  • Argsfiles are created by the malware in order to store arguments passed to the encrypted binary as parameters.
  • The data was not exfiltrated in any way.

New ESXiArgs ransomware

Recently, there has been a new ransomware attack that has caught the attention of security experts. Upon analysis of the ransom notes left behind by the attackers, it has been determined that this attack does not seem to be related to the Nevada Ransomware. 

Instead, the ransom notes appear to be from a completely different, or “new,” ransomware family. This discovery highlights the ever-evolving nature of cyber threats and the need for constant vigilance and updates to security measures. 

After conducting a thorough review, the analyst has determined that the data in question has not been infiltrated. The investigation was prompted by an attack on a machine with over 500 GB of data stored on it, which showed typical daily usage of only 2 Mbps. 

In order to validate this conclusion, the analyst also reviewed traffic statistics for the past 90 days. No evidence was found of any outbound data transfer.

There have also been reports that victims have found ransom notes on locked systems with the names “ransom.html” and “How to Restore Your Files.html”.

Systems affected by CVE-2021-21974

There are a number of systems affected by CVE-2021-21974, including:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

ESXiArgs Technical Details

As a result of analyzing the script and the encryption encryptor, we have gained a deeper understanding of the attacks. There are several files that are stored in the /tmp folder when the server is hacked:-

  • encrypt – The encryptor ELF executable.
  • encrypt[.]sh – Shell scripts that perform various tasks prior to the execution of an encryptor, serving as the attack logic.
  • public[.]pem – The key used to encrypt a file is a public RSA key.
  • motd – The ransom note in text form will be copied to /etc/motd, so it is shown on login. The server’s original file will be copied to /etc/motd1.
  • index[.]html -ESXi’s home page will be replaced with the ransom note in HTML format. In the same folder, index1.html will be copied from the server’s original file.

This security breach has affected dozens of Italy organizations and caused concern among many others. The incident involved a threat to lock these organizations out of their systems, and it is likely that many of them have already been affected. 

In response to this situation, many more organizations have been warned to take action in order to avoid falling victim to this attack. The widespread nature of this incident has highlighted the importance of maintaining strong security measures to protect against similar threats in the future.

Network Security Checklist – Download Free E-Book

Website

Latest articles

CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence

AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in...

E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials

Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old...

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution

A new variant of the WhiteSnake Stealer, a formidable malware that has been updated...

Researchers Hack AI Assistants Using ASCII Art

Large language models (LLMs) are vulnerable to attacks, leveraging their inability to recognize prompts...

Microsoft Deprecate 1024-bit RSA Encryption Keys in Windows

Microsoft has announced an important update for Windows users worldwide in a continuous effort...

Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data

The ongoing "free wedding invite" scam is one of several innovative campaigns aimed at...

Hackers Using Weaponized SVG Files in Cyber Attacks

Cybercriminals have repurposed Scalable Vector Graphics (SVG) files to deliver malware, a technique that...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles