Widespread ransomware campaign targets VMware ESXi servers
The attacks exploited a two-year-old heap overflow vulnerability in VMware ESXi. Many questions remain about the scope of the campaign and the threat actor behind it.
A large-scale global ransomware campaign is hitting vulnerable VMware ESXi servers by exploiting a two-year-old vulnerability.
Reports of the ongoing threat activity began Friday morning when several cloud hosting providers and CERT-FR confirmed multiple VMware ESXi servers in France that were exposed to the internet suffered ransomware attacks. Threat actors appear to be exploiting CVE-2021-21974, a heap overflow vulnerability with an "important" severity rating that VMware publicly disclosed and released patches for in February of 2021.
Arnaud de Bermingham, president and founder of French cloud provider Scaleway, tweeted Friday morning that a fast-moving ransomware was infecting servers running VMware ESXi versions 6.x and urged users to upgrade immediately.
Hosting provider Ikoula also issued a ransomware alert Friday through Twitter, warning customers that client ESXi servers versions 6.5 and 6.7 suffered attacks. Additionally, it recommended disabling SSH access.
Shortly after, another cloud hosting provider based in France confirmed the threat activity as well. In a blog post Friday afternoon, OVHCloud CISO Julien Levrard stated "a wave of attacks" that had been detected globally by authorities were targeting ESXi servers, though no OVHCloud managed services were affected. More notably, he cited a possible attack vector -- the CVE-2021-21974 vulnerability.
CERT-FR then released the findings from its ongoing investigation, which began on Feb. 3. France's cybersecurity incident response team found attackers appeared to exploit the two-year-old ESXi flaw to access vulnerable servers. Additionally, the government agency warned organizations that it affected the Service Location Protocol (SLP) and attacks could lead to remote arbitrary code execution. Affected machines included ESXi versions 7.0, 6.7. and 6.5.
"Applying patches alone is not enough. Indeed, an attacker has probably already exploited the vulnerability and may have dropped malicious code," CERT-FR wrote in the bulletin. "It is recommended to perform a system scan to detect any signs of compromise."
While the campaign primarily affected European organizations beginning Friday, as of Monday, open source threat intelligence scans revealed the threat has spread to the U.S. and other countries. However, questions remain about the full scope of the campaign and the motive behind it. SHODAN search results indicate hundreds of servers have been infected worldwide, mostly in France and the U.S., while Censys results show approximately 2,000 infected servers.
A separate search by one security researcher found that more than 30,000 6.7 versions may be exposed to the internet, along with more than 15,000 related to version 6.5. So far there have been no security advisories from CISA, US-CERT or other cyber agencies in the U.S.
More details lead to more questions
TechTarget's sister publication LeMagIt provided additional campaign details in a Friday report, noting that the ransom notes demanded just over 2 bitcoins, with different payment addresses for each victim.
Initially, researchers linked it to the newer Nevada ransomware or CheersCrypt ransomware, which was connected to Chinese threat actors last year. However, multiple security researchers now believe the ransomware to be a new variant which they refer to as ESXiArgs due to the ".args" extension added to encrypted files after the ransomware is deployed.
In an update to the OVHCloud blog post Sunday, Levrard said the cloud provider made a mistake initially attributing the campaign to Nevada ransomware. He confirmed no further attribution but did note that "no data exfiltration occurred." Additional analysis also found a public key was used during encryption.
Levrar also noted in the Sunday update that Turkish security researcher Enes Sönmez devised a procedure for the recovery of VMDK files. "We tested this procedure as well as many security experts with success on several impacted servers. The success rate is about 2/3," he wrote. "Be aware that following this procedure requires strong skills on ESXi environments. Use it at your own risk and seek the help of experts to assist."
In a statement to TechTarget Editorial, a VMware spokesperson acknowledged the ransomware campaign and said the attacks "appear to be targeted end of general support or significantly out of data products leveraging known vulnerabilities previously address and disclosed" by VMware. "VMware has not found any evidence that would suggest an unknown or zero-day vulnerability is being used to propagate the ransomware in the ESXiArgs attacks. The security of our customers is a top priority at VMware, and we recommend organizations upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," the spokesperson said. "Additional recommendations, including disabling the OpenSLP service in older versions of ESXi, are available in VMware's customer blog on ESXiArgs ransomware."
The spokesperson also emphasized that CVE-2021-21974 was disclosed two years ago and patches were released to customers at that time.
The ransomware campaign is the latest threat against systems running VMware ESXi. Last year, Mandiant discovered a possible cyberespionage campaign against VMware ESXi hypervisors. While the initial access vector remained a mystery, Mandiant described the activity as "highly targeted."