On February 3, 2023, the French National Computer Emergency Response Team (CERT) released a security advisory covering the ESXiArgs ransomware mentioning that "attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to remotely exploit arbitrary code."
French cloud services provider OVHcloud later released the following observations on 05/02/2023:
- The point of compromise is confirmed to be an OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed). The logs actually show the user dcui as involved in the attack process.
- Encryption is using a public key deployed by the malware in /tmp/public.pem
- The encryption process is specifically targeting virtual machines files (".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", ".vmem")
- The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected resulting in files remaining locked.
- The malware creates argsfile to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size)
- No data exfiltration occurred.
In addition to these findings, OVHcloud also noted that the suggested link to the Nevada ransomware appeared to be unfounded. Over the weekend, the new strain was dubbed ESXiArgs.
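The OVHcloud observations above name three things a responder can look for on a host: the dropped key at /tmp/public.pem, an argsfile holding the encryptor's skip/block/size values, and VM files with the listed extensions. The following Python triage helper is an added example (not code from the post, OVHcloud or Lansweeper) that scans a constructed sample tree for those artifacts; the argsfile field order and the alternating encrypt/skip pattern used to estimate how much of a file was touched are assumptions drawn from the description, not verified against the malware.

```python
import tempfile
from pathlib import Path

# VM file extensions the OVHcloud observations list as encryption targets (from the post).
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", ".vmem"}
# Artifact names taken from the post: the key dropped in /tmp and the encrypt argument file.
ARTIFACT_NAMES = {"public.pem": "dropped_public_key", "argsfile": "argsfile"}

def parse_argsfile(text):
    """Read an argsfile as three integers: MB to skip, MB per encrypted block, file size in bytes
    (field order and units are assumptions taken from the post's description)."""
    # Tuple unpacking raises ValueError on an unexpected layout, so callers can catch it.
    skip_mb, block_mb, size = (int(f) for f in text.split())
    return {"skip_mb": skip_mb, "block_mb": block_mb, "file_size": size}

def encrypted_fraction(skip_mb, block_mb, file_size):
    """Share of a file touched if the encryptor alternates block_mb encrypted, skip_mb skipped
    (assumed pattern); a small share is what makes partial recovery of large disks plausible."""
    mb = 1024 * 1024
    if file_size <= 0 or block_mb <= 0:
        return 0.0
    pos = touched = 0
    while pos < file_size:
        chunk = min(block_mb * mb, file_size - pos)
        touched += chunk
        pos += chunk + skip_mb * mb
    return touched / file_size

def scan_paths(roots):
    """Walk the given trees and collect VM files and the ESXiArgs artifacts named in the post."""
    findings = {"vm_files": [], "dropped_public_key": [], "argsfile": []}
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file():
                continue
            if path.suffix.lower() in VM_EXTENSIONS:
                findings["vm_files"].append(str(path))
            if path.name in ARTIFACT_NAMES:
                findings[ARTIFACT_NAMES[path.name]].append(str(path))
    return findings

def demo():
    """Constructed sample layout standing in for /tmp and a datastore; returns the scan result."""
    base = Path(tempfile.mkdtemp())
    (base / "tmp").mkdir()
    (base / "tmp" / "public.pem").write_text("-----BEGIN PUBLIC KEY-----\n(constructed)\n")
    vm = base / "datastore1" / "web01"
    vm.mkdir(parents=True)
    for name in ("web01.vmx", "web01.vmdk", "web01.nvram", "web01.vmsd", "notes.txt"):
        (vm / name).write_text("constructed\n")
    (vm / "argsfile").write_text("1 1 4194304\n")  # constructed: skip 1 MB, encrypt 1 MB, 4 MiB file
    return scan_paths([base / "tmp", base / "datastore1"])
```

With the constructed argsfile values, `encrypted_fraction(1, 1, 4194304)` comes out at 0.5, i.e. half of that disk image would have been touched under the assumed pattern.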
CVE-2021-21974 is the primary suspect for these attacks. While there is no concrete proof that this is the exact vulnerability being abused, there is evidence that the attack exploits some vulnerability in OpenSLP. Combined with the fact that we reported last September that nearly 60% of ESXi servers were running an end-of-life version, this means there is a rather large chance that organizations are still running outdated versions.
CVE-2021-21974 is a heap-overflow vulnerability in the OpenSLP service that ships with VMware ESXi. An attacker exploits it by sending a malicious packet to the affected system; the packet triggers the overflow and allows the attacker to execute arbitrary code.
Discover Vulnerable Servers
VMware released patches for CVE-2021-21974 at the beginning of 2021. However, since there is no confirmation that this is the vulnerability being abused, it is recommended to update ESXi servers to the latest version as soon as possible. Based on the list of available VMware versions, our specialists have created a Lansweeper report that lists all devices in your environment that are at risk from the ESXiArgs ransomware, giving you an actionable list of devices that require a patch.