ESXiArgs Ransomware Attack: VMware ESXi Servers

ESXiArgs. Ransomware:

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) issue a warning that attackers actively target VMware ESXi servers that have not yet received a patch for a two-year-old remote code execution vulnerability in order to spread the ESXiArgs ransomware.

Ransomware produces a second file with the extension.args after encrypting a document, the campaign is known as ESXiArgs. According to researchers, the file contains instructions on how to decode the victim document. The ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a .args file for each encrypted document with metadata (likely needed for decryption).

A known two-year-old software vulnerability is being exploited by a ransomware assault that targets VMware ESXi systems. When the defect was originally found in February 2021, according to VMware, a fix was released, and the company recommended users to install it if they had not previously.

The most recent assault makes use of a vulnerability, CVE-2021-21974, which is brought on by a heap overflow problem. Unauthenticated users who conduct “low-complexity assaults” can take advantage of it. This new campaign has had a significant impact due to the number of unpatched machines, Italian officials warned.

CVE-2021-21974 affects the following systems:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

A Censys search reveals that around 2,500 VMware ESXi servers globally have been affected by the ESXiArgs ransomware campaign.

 

Deep Analysis of attack 

The encryptor is launched using a shell script file, and command line arguments and the ransomware attacks on ESXi virtual machines use the following steps:

  1. The script runs a command to change the strings “.vmdk” and “.vswp” in the virtual machine’s configuration files (.vmx) to “1.vmdk” and “1.vswp“. It then force-terminates all processes that contain the string “vmx” in order to terminate all running virtual machines.
  2. The command below is run to obtain a list of ESXi volumes:
  3. esxcli storage filesystem list | grep “/vmfs/volumes/” | awk -F’ ‘ ‘{print $2}’
  4. The script will create a [file name].args file in the same folder for each found file with target extensions, which contains the computed size step, ‘1’, and the file size. The script will then use the “encrypt” executable to encrypt the files based on the computed parameters.
  5. Following encryption, the script will replace the ransom notes in the ESXi index.html file and the server’s motd file.
  6. Lastly, the script removes a backdoor installed in /store/packages/vmtools.py and deletes various lines from the following files:

/var/spool/cron/crontabs/root

/bin/hostd-probe.sh

/etc/vmware/rhttpproxy/endpoints.conf

/etc/rc.local.d/local.sh

 

Remediation:

  • System administrators must disable the Service Location Protocol (SLP) service on vulnerable ESXi hypervisor products that have not yet received updates in order to stop such attacks.
  • CERT-FR strongly advises downloading and installing the update right away. Additionally, it states that outdated systems need to be scanned for indicators of breaches.
  • All administrators should ensure that vmtools.py is removed
  • Users are recommended to upgrade to the latest version of ESXi to mitigate potential threats.
  • Deploy the patch: Deploy the patch to all affected systems as soon as possible, making sure to follow best practices for software updates.
  • Monitor systems: Monitor the systems for any unusual activity to ensure that the patch has been applied successfully and that the vulnerability has been remediated.