Administrators, hosting providers and the French Computer Emergency Response Team (CERT-FR) warned that attackers were actively targeting VMware ESXi servers left vulnerable to a two-year-old, still unpatched remote code execution flaw. The attackers' ultimate goal is to deploy a new ransomware, ESXiArgs.
The critical flaw is an issue in the OpenSLP service of VMware ESXi, tracked as CVE-2021-21974. It allows unauthenticated attackers to execute code remotely on affected systems. The patch for this vulnerability has been available since 23 February 2021, CERT-FR said.
The overflow occurs when the service tries to process more data than its allocated memory can hold. Attackers can use it to take control of the affected system, execute arbitrary code, steal sensitive information, or install malware such as ransomware. It is therefore essential to patch VMware ESXi servers to protect against this vulnerability.
CERT-FR advised admins to disable the vulnerable Service Location Protocol (SLP) service and install the latest ESXi versions to avoid incoming attacks. It also suggested applying the patch as soon as possible and scanning unpatched systems for signs of compromise.
Systems affected by CVE-2021-21974:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
OVHcloud, a French cloud provider, published a report linking this massive wave of attacks on VMware ESXi servers to the Nevada ransomware campaign.
According to experts and authorities, the attacks might be related to Nevada ransomware and use CVE-2021-21974 as the compromise vector. The ransom note observed in this attack, however, shows no apparent connection to Nevada ransomware; it appears to stem from a new ransomware family.
The attack primarily targets ESXi servers running versions before 7.0 U3i, through the OpenSLP port (427). A Shodan search revealed that at least 120 VMware ESXi servers had fallen victim to the ransomware operation, and the number later rose to 2,400 VMware ESXi devices worldwide detected as compromised in the campaign.
VMware confirmed that the attack exploited older ESXi flaws, not a zero-day vulnerability. On compromised ESXi servers the ransomware encrypts files with the extensions .vmxf, .vmx, .vmdk, .vmsd and .nvram, and creates a .args file for each encrypted file containing metadata (likely required for encryption).
The investigation determined that no data had been exfiltrated. The attacked machine held over 500GB of data but typically saw daily usage of only 2Mbps. The admin said he reviewed traffic stats for the last 90 days and found no evidence that any outbound data transfer had occurred.
Victims also found ransom notes named "ransom.html" and "How to Restore Your Files.html" on the locked systems. Others said their notes were plaintext files.
Michael Gillespie of ID Ransomware tracked 'ESXiArgs' and said the encryption is, unfortunately, secure, meaning there are no cryptography bugs that would allow decryption.
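The following triage script is an added example, not code from the article, CERT-FR or VMware. It turns the advice above into checks an ESXi admin can run from the host shell: it parses `esxcli system version get`, compares the build against the fixed 7.x build listed in the affected-versions list (the fixed 6.7 and 6.5 build numbers are not on this page, so they are left as placeholders to fill in from VMware's advisory), counts the ESXiArgs artefacts named above (.args companion files and the two ransom-note filenames), and applies CERT-FR's SLP-disable mitigation. It assumes the ESXi shell's esxcli, chkconfig, /etc/init.d/slpd and BusyBox find/awk.

```shell
#!/bin/sh
# Added triage helper for CVE-2021-21974 / ESXiArgs. Not from the article, CERT-FR or VMware.
# Assumes an ESXi shell (esxcli, chkconfig, /etc/init.d/slpd, BusyBox find/awk).
# The 6.7/6.5 fixed build numbers are NOT on the page: fill them in from VMware's advisory.

# Parse the "Version:" and "Build:" lines of `esxcli system version get` into "VERSION BUILD".
parse_esxcli_version() {
  printf '%s\n' "$1" | awk -F': *' '
    /^ *Version:/ { v = $2 }
    /^ *Build:/   { sub(/Releasebuild-/, "", $2); b = $2 }
    END { print v, b }'
}

# Exit 0 = vulnerable (build below the first fixed build), 1 = patched,
# 2 = unknown version line or no threshold configured for that branch.
esxi_vulnerable() {
  ver="$1"; build="$2"
  case "$ver" in
    7.*)  fixed=17325551 ;;                # ESXi70U1c-17325551 (from the advisory)
    6.7*) fixed="${FIXED_BUILD_67:-}" ;;   # placeholder: build of ESXi670-202102401-SG
    6.5*) fixed="${FIXED_BUILD_65:-}" ;;   # placeholder: build of ESXi650-202102101-SG
    *)    return 2 ;;
  esac
  [ -n "$fixed" ] || return 2
  [ "$build" -lt "$fixed" ]
}

# Count ESXiArgs artefacts named in the article under a datastore path:
# .args companion files and the two ransom-note filenames. Prints the count.
scan_esxiargs_iocs() {
  find "$1" -type f \( -name '*.args' -o -name 'ransom.html' \
       -o -name 'How to Restore Your Files.html' \) 2>/dev/null | awk 'END { print NR }'
}

# CERT-FR's interim mitigation: stop SLP, close its firewall ruleset, keep it off at boot.
disable_slp() {
  /etc/init.d/slpd stop && esxcli network firewall ruleset set -r CIMSLP -e 0 && chkconfig slpd off
}

# Run the checks only on a real ESXi host; elsewhere the functions are just defined.
if command -v esxcli >/dev/null 2>&1; then
  set -- $(parse_esxcli_version "$(esxcli system version get)")
  esxi_vulnerable "$1" "$2"; rc=$?
  echo "ESXi $1 build $2: vulnerable=$rc (0=yes 1=no 2=unknown)"
  echo "ESXiArgs artefacts under /vmfs/volumes: $(scan_esxiargs_iocs /vmfs/volumes)"
  [ "$rc" -eq 1 ] || disable_slp
fi
```

On a host that reports vulnerable or unknown, the script disables SLP immediately; patching to the fixed builds above remains the actual fix.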
Analysis indicates that ESXiArgs is likely based on leaked Babuk source code, previously used by other ESXi ransomware campaigns such as CheersCrypt and the Quantum/Dagon group's PrideLocker encryptor.
ESXiArgs and CheersCrypt have similar ransom notes, but their encryption methods differ, making it uncertain whether ESXiArgs is a new variant or just shares the Babuk codebase.