Ransomware Attack ESXi Servers with (to confirm) CVE-2021-21974
These days the landscape of cybercriminal activities seems to have as the only protagonists the Threat Actors who are carrying out an attack on publicly exposed VMware ESXi infrastructures.
In particular, OVH has released the following observations regarding the behavior of the ransomware:
The compromise vector is confirmed to use an OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed). The logs actually show the user dcui as being involved in the compromising process.
Encryption uses a public key deployed by the malware in /tmp/public.pem
The encryption process specifically targets virtual machines files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”,”*.vmem”)
The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.
The malware creates an .args file to store arguments passed to the encryption binary (number of MB to skip, number of MB in encryption block, file size)
No data exfiltration occurred.
The facts
The Service Location Protocol (SLP) used by different versions of Vmware ESXI is vulnerable to a known CVE-2021-21974. The CVE enables remote code execution by an attacker on port 427 used by OpenSLP.
After executing the ransomware, the following message is displayed on the web administration interface and command line interface:
The Threat Actor, as can be seen from the note, requires 2.021404 bitcoins in order to obtain the decryption key. At the link https://gist.github.com/cablej/c79102960c4615396e8ffc712136744a it’s possible to have a fairly complete list of wallets used by the Threat Actor.
Contrary to what was initially indicated, the malware used by the Threat Actors was not Nevada, but ESXiArgs.
However, we are talking about a vulnerability (see other info about this vulnerability on NVD database) that is almost 2 years old and for which the fixes released by the vendor are available. Furthermore, it’s not yet certain that the exploited vulnerability is actually CVE-2021-21974, and subsequently there was also talk of the CVE-2020-3992 vulnerability.
Which versions of VMware ESXi are vulnerable?
ESXi versions 7.x prior to ESXi70U1c-17325551 ESXi versions 6.7.x prior to ESXi670-202102401-SG ESXi versions 6.5.x prior to ESXi650-202102101-SG
How extensive is the attack?
It’s possible to get a good idea of the compromised surface using these queries within Shodan and Censys:
Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find security issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.
This article explains how the Cyber Threat Intelligence platform SATAYO serves as a powerful resource to optimize processes and strengthen threat coverage within the Würth Phoenix Attacker Centric SOC. We will analyze the utilization of SATAYO's internal resources for creating Read More
Kasseika Threat Actor has joined the club of Threat Actors that currently use Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus/EDR software before carrying out malicious activities, such as encrypting files. Kasseika abuses the Martini driver, part of Read More
A Security Operation Center (SOC) is a service where the customer is an active participant. Establishing a good relationship with the customer is an important requirement for handling security incidents more efficiently. Our SOC analysts produce and deliver several reports, Read More
On November 25th, in collaboration with the universities of Verona, Padova, Trento, and Bolzano, we hosted the WPCTF event—a thrilling Capture The Flag (CTF) competition that engaged over 50 cybersecurity enthusiasts. In this blog post, we'll explore into our journey Read More
One of the primary responsibilities of a Security Operation Center (SOC) is to effectively manage issues related to monitoring the security perimeter. This involves the meticulous analysis of alerts, the creation of subsequent cases, and if necessary, the escalation of Read More