A global ransomware attack is targeting VMware ESXi servers by exploiting a known two-year-old software vulnerability. VMware says it issued a patch for this bug in February 2021 when it was first discovered and urged customers to apply the patch if they have not already done so.
First reported by Italy’s National Cybersecurity Agency (ACN) on Sunday, the campaign apparently targets the vulnerability on unsecured servers. Attacks have been detected in Italy, France, Finland and the US so far, with thousands of users thought to have been hit.
ESXi by VMware is a virtualisation product that is part of the vSphere range. The enterprise-class hypervisor is designed for deploying and running virtual machines, abstracting the CPU, storage and networking resources of a physical host into virtual machines.
The latest attack exploits CVE-2021-21974, a heap overflow vulnerability in the OpenSLP service. It can be exploited by unauthenticated users in “low-complexity attacks”. This new campaign has had a significant impact because of the number of unpatched machines, Italian officials warned.
It targets ESXi hypervisors on versions before 7.0 U3i through the OpenSLP port 427. To block the attack, admins must disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that are not yet patched. It is also recommended that all unpatched machines be scanned for signs of compromise.
VMware ESXi ransomware: patch urgently
French cloud provider OVHCloud wrote in a blog post that the malware seems to exhibit specific behaviours, including exploiting an OpenSLP vulnerability, targeting virtual machine files and trying to shut down the virtual machines.
“Encryption is using a public key deployed by the malware,” the company wrote. “The encryption process is specifically targeting virtual machines files and the malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected resulting in files remaining locked.”
Nobody has claimed responsibility for the attack, but researchers suspect it is part of a new ransomware family dubbed ESXiArgs. It encrypts .vmxf, .vmx, .vmdk, .vmsd and .nvram files and creates a .args file for each encrypted file. OVHCloud wrote that it doesn’t appear that any data has been stolen.
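The workaround described above (disable SLP on unpatched hosts and scan them for signs of compromise) and the .args artifact just mentioned, as an added triage script that is not from the article, VMware or OVHCloud. It assumes a POSIX shell, the file extensions listed above, and, for the SLP part, the commands VMware's KB 76372 documents for ESXi; that `/etc/init.d/slpd status` prints "slpd is running" is an assumption.

```shell
#!/bin/sh
# esxiargs_triage.sh: added example, not from the article, VMware or OVHCloud.
# Assumes POSIX sh (ESXi's busybox ash qualifies) and, for the SLP part, an ESXi
# host with /etc/init.d/slpd, esxcli and chkconfig (the VMware KB 76372 commands).

VM_EXTS="vmxf vmx vmdk vmsd nvram"   # file types the article says get encrypted
# Print every .args file under $1 whose companion name has a targeted extension
# (disk.vmdk.args matches, notes.txt.args does not).
find_args_artifacts() {
    find "$1" -type f -name '*.args' 2>/dev/null | while IFS= read -r path; do
        base="${path%.args}"   # disk.vmdk.args -> disk.vmdk
        ext="${base##*.}"      # disk.vmdk      -> vmdk
        for e in $VM_EXTS; do
            if [ "$ext" = "$e" ]; then printf '%s\n' "$path"; break; fi
        done
    done
}

# Number of such artifacts under $1; 0 means no ESXiArgs trace was found.
count_args_artifacts() {
    find_args_artifacts "$1" | wc -l | tr -d ' \t'
}

# 0 = slpd stopped, 1 = slpd running (port 427 exposed), 2 = no slpd on this host.
# Assumption: "/etc/init.d/slpd status" prints "slpd is running" when it is.
slp_status() {
    [ -x /etc/init.d/slpd ] || return 2
    /etc/init.d/slpd status 2>/dev/null | grep -q 'is running' && return 1
    return 0
}

# The article's workaround in KB 76372 order: stop slpd, close the CIMSLP
# firewall ruleset, keep slpd off across reboots.
disable_slp() {
    /etc/init.d/slpd stop &&
    esxcli network firewall ruleset set -r CIMSLP -e 0 &&
    chkconfig slpd off
}
# Host usage: sh esxiargs_triage.sh /vmfs/volumes [--disable-slp]
esxiargs_triage() {
    echo "ESXiArgs .args artifacts under $1: $(count_args_artifacts "$1")"
    rc=0; slp_status || rc=$?
    case $rc in
        0) echo "slpd: not running" ;;
        1) echo "slpd: RUNNING"; [ "${2:-}" = "--disable-slp" ] && disable_slp ;;
        2) echo "slpd: not present (not an ESXi host?)" ;;
    esac
}
if [ -n "${1:-}" ]; then esxiargs_triage "$@"; fi
```

Run it read-only first; a non-zero .args count is a reason to isolate the host and preserve the datastore before any cleanup, not to start deleting files.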
According to Bleeping Computer, servers hit with the attack have been left a ransom note demanding just over two bitcoins be sent to a wallet in return for the decryption key. It warns that if the money isn’t sent within three days the price will be raised, the files published online and customers notified.
Enes Sonmez & Ahmet Aykac from YoreGroup Tech Team wrote a guide to solving the problem and recovering virtual machines. They wrote: “Users are highly recommended to update their systems as soon as possible to reduce the risk of exploitation. To further protect against RCE attacks, it is also important to follow best practices for network security and to keep all systems up-to-date with the latest security patches.”