Global ESXiArgs Ransomware Attack on the Back of a Two-Year-Old Vulnerability
By John Fokker, Alfred Alvarado, Tim Hux, Jeffrey Sman, Joao Marques · February 09, 2023
Early this week, VMware issued a publication regarding a massive global ransomware campaign targeting “End of General Support (EOGS) and/or significantly out-of-date ESXi products.” The vulnerability the ransomware actors targeted is CVE-2021-21974, which allows an attacker to exploit the OpenSLP service if the affected server is exposed to the internet. VMware remediated the vulnerability and released a patch that has been available for general deployment since February 23, 2021; as a precaution, VMware also disabled the OpenSLP protocol by default for future product installations.
What is the OpenSLP protocol?
OpenSLP, the Open Service Location Protocol, was designed to allow machines in a local area network to discover services within the local environment. With that in mind, attackers are actively scanning internet resources for public-facing devices to identify services and/or protocols that may be exploitable and have been exposed to the internet.
How is it exploited?
According to VMware, the available proof-of-concept code, and the activity that has been observed, threat actors are actively scanning the internet for vulnerable ESXi servers that are susceptible to this remote code execution vulnerability. Once an exploitable machine is identified, the attacker attempts to trigger a heap buffer overflow and execute code remotely to compromise the server.
Often the vulnerable service or protocol has a patch available that has not been deployed, and the threat actors use publicly known code, or code known only to them, to exploit the vulnerability for initial access. As in the case of the activity surrounding the ESXiArgs attacks, the patch was available in early 2021; servers that have not been updated or upgraded are targeted for compromise.
The ESXiArgs ransomware activity follows VMware vulnerabilities previously reported on by our Trellix Advanced Research Center in 2022 (ContiESXi, NewGold). Once the vulnerability has been exploited, threat actors deploy a ransomware variant dubbed ESXiArgs. The name comes from artifacts identified in analyzed samples and from the fact that an “.args” extension is appended to targeted files; the resulting files also contain metadata that is suspected to aid in the identification and decryption process. Files targeted by the threat actors include those with the following extensions: “.vmxf”, “.vmx”, “.vmdk”, “.vmsd”, and “.nvram”. Once the targeted data is encrypted, the malware performs cleanup tasks: deleting log files, removing the Python-based backdoor, and deleting various lines from several files to hinder recovery and analysis.
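A small triage script, added here as an example and not part of the Trellix write-up or its tooling, that walks a datastore tree and pairs the “.args” artifacts described above with the VM file extensions the post lists, so a responder can see which files were encrypted and which targeted files are still intact. The directory layout and file names it builds are constructed sample data, not real telemetry.

```python
import os
import tempfile
from collections import Counter

# Extensions the post names as targeted by ESXiArgs, and the suffix it appends.
TARGETED_EXTS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
RANSOM_SUFFIX = ".args"


def classify(filename):
    """Return (original_ext, encrypted): "web01.vmdk.args" -> (".vmdk", True)."""
    base, ext = os.path.splitext(filename)
    if ext == RANSOM_SUFFIX:
        return os.path.splitext(base)[1], True
    return ext, False


def scan_datastore(root):
    """Walk `root` and report targeted VM files, split by encrypted or intact."""
    report = {"encrypted": [], "intact": [], "by_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext, encrypted = classify(name)
            if ext not in TARGETED_EXTS:
                continue  # unrelated file, or .args appended to a non-VM file
            path = os.path.join(dirpath, name)
            if encrypted:
                report["encrypted"].append(path)
                report["by_ext"][ext] += 1
            else:
                report["intact"].append(path)  # candidate for an offline copy
    return report


def build_sample_datastore():
    """Constructed sample tree (not real telemetry) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="esxi-hunt-")
    vm_dir = os.path.join(root, "vmfs", "volumes", "ds1", "web01")
    os.makedirs(vm_dir)
    for name in ("web01.vmdk.args", "web01.vmx.args", "web01.vmsd.args",
                 "web01.nvram", "notes.txt.args"):
        open(os.path.join(vm_dir, name), "w").close()
    return root


if __name__ == "__main__":
    result = scan_datastore(build_sample_datastore())
    print(len(result["encrypted"]), "encrypted;", len(result["intact"]), "intact;", dict(result["by_ext"]))
```

Run it against a real datastore by passing its mount point to scan_datastore instead of the sample tree; the "intact" list is the set of VM files worth copying offline before any recovery attempt.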
Remediation and mitigation
VMware has acknowledged the vulnerability exists and published a patch for it in February 2021. They have also provided documentation on the vulnerable versions currently being targeted, as of their public release on Monday, January 6, 2023. Upgrading and/or patching as soon as possible is the recommended course of action, along with disabling the OpenSLP service.
Furthermore, the Cybersecurity & Infrastructure Security Agency (CISA) has published a recovery script for those who have been victimized by the ESXiArgs campaign.
Conflicting information exists as to whether the malware has successfully exfiltrated data, and the ransomware variant is speculated to be redeveloped source code from the leaked and now defunct Babuk ransomware family. Regardless of speculation or fact, it is important that server administrators follow VMware's remediation recommendations to patch vulnerable servers and disable the OpenSLP service wherever possible.
The Trellix Advanced Research Center continues to monitor the ESXiArgs activity and will provide updates to telemetry, detections and indicators vetted by our research teams.
Indicators of compromise (MITRE ATT&CK techniques):
T1059 - Command and Scripting Interpreter
T1064 - Scripting
T1543.002 - Systemd Service
T1522 - File and Directory Permission Modification
T1027 - Obfuscated Files or Information
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1518.001 - Security Software Discovery
T1071 - Application Layer Protocol
T1573 - Encrypted Channel
T1070 - Indicator Removal
T1070.004 - File Deletion
T1574.002 - DLL Side-Loading
T1497 - Virtualization/Sandbox Evasion
T1070.006 - Timestomp
T1057 - Process Discovery
T1095 - Non-Application Layer Protocol
T1059.004 - Unix Shell
T1190 - Exploit Public-Facing Application
T1522 - Cloud Instance Metadata API
T1489 - Service Stop
T1486 - Data Encrypted for Impact
Trellix Product Coverage:
Product | Detection
Endpoint Security (ENS) | Ransom-ESXiArgs.a
Endpoint Security (HX) | ESXIARGS RANSOMWARE LINUX (FAMILY)
Network Security (NX) | Detection as a Service
Helix | rule ID-1.1.3987 (ESXIARGS RANSOMWARE [Linux arguments])
Helix | rule ID-1.1.3989 (EXPLOIT - VMWARE [CVE-2021-21972 Success])