Ransomware Campaigns Compromise More VMware ESXi HostsMultiple Long-Patched Flaws May Be Getting Exploited, Virtualization Giant Warns
Attackers are continuing to target unpatched VMware systems to infect them with crypto-locking malware such as ESXiArgs and hold them to ransom.
See Also: 2022 Unit 42 Incident Response Report
Since these attacks came to light early this month, VMware has urged all ESXi users to immediately update to a currently supported version of ESXi, which will block one or more flaws being exploited by multiple groups of attackers. Security firm Rapid7 reported Friday that its internet scans found "at least 18,581 vulnerable internet-facing ESXi servers" that have yet to be patched.
The highly automated ESXiArgs ransomware campaign appears to have arrived in at least two waves. The first wave amassed nearly 3,000 known hosts as of Feb. 8, although researchers suspect there may have already been thousands more.
In recent days, attack surface management firm Censys has seen more 500 ESXi servers get newly infected with ESXiArgs ransomware. For unknown reasons, it says, these attacks appear to be mostly limited to servers located in France and Germany, and smaller numbers of attacks have taken place in the Netherlands, the United Kingdom and Ukraine.
During the first wave of attacks, security researchers detailed workarounds that could be used to restore some affected systems, and the U.S. Cybersecurity and Infrastructure Security Agency released a script to help victims rapidly use this recovery approach.
"The script works by allowing users to unregister virtual machines that have been encrypted by the ransomware and re-register them with a new configuration file," Rapid7 researchers Erick Galinkin and Drew Burton say in a blog post. "However, you still need to have a backup of the encrypted parts of the VM to make a full restore."
In response to that workaround, attackers last week launched a second wave of attacks, altering their code so CISA's recovery script no longer works. Attackers also updated their ransom notes to no longer include a unique bitcoin cryptocurrency wallet address for victims to transfer their ransom. Researchers had counted these addresses to count victims. Now, the ransom note instructs victims to message attackers to receive an address.
Multiple details surrounding the ESXiArgs campaign remain unclear. Researchers at cybersecurity firm Trellix say there are conflicting reports as to whether these attacks may include data exfiltration, or if the variant of ransomware is "redeveloped source code from the leaked and now-defunct Babuk ransomware family."
Early versions of the ransomware campaign targeted a heap overflow vulnerability, designated CVE-2021-21974, in the OpenSLP service in ESXi.
VMware warns that there is no proof that this is the only ESXi vulnerability being targeted. Rather, attackers appear "to be targeting 'end of general support' or significantly out-of-date products by leveraging known vulnerabilities previously addressed and disclosed in VMware security advisories," a company spokesperson tells Information Security Media Group.
On the upside, VMware reports there is no "evidence that would suggest an unknown or zero-day vulnerability is being used to propagate the ransomware in the ESXiArgs attacks."
Defending against ESXiArgs thus requires, in part, getting all ESXi systems updated as quickly as possible. "Organizations that are running versions of software older than current releases are at risk and should be updated to the latest versions immediately," VMware says in an FAQ about the ransomware attacks.
VMware also recommends users lock down any ESXi servers that are exposed to the internet. "Organizations that place their IT infrastructure systems' management interfaces directly on the internet should take immediate steps to verify filters and additional security controls in front of them, reviewing those controls for effectiveness," it says.
Experts say normal cyber hygiene rules very much apply to managing virtualized environments. "People need to be aware of their exposures to the internet, reduce their attack surfaces, ensure they have implemented the vendor guidance, and where possible look to deploy allow lists or VPNs to protect management interfaces," says Daniel Card, a cyber specialist at London-based Xservus Limited.
RansomExx2 Enters the Fray
The ESXiArgs ransomware is so named because after the attack campaign hits a hypervisor, it leaves multiple file types, including virtual machines, crypto-locked with an
.args extension appended to the filename. Italy's cybersecurity agency has suggested the BlackBasta ransomware group may be tied to the attacks, although it has not shared any supporting evidence.
But a different campaign using malware called RansomExx2 has also been targeting CVE-2021-21974 on unpatched servers, the Rapid7 researchers say. They describe RansomExx2 as "a relatively new strain of ransomware written in Rust and targeting Linux" and say that malware written in Rust can be relatively difficult for endpoint security systems to detect.
While the ESXiArgs campaign was first spotted early this month, Censys' researchers Mark Ellzey and Emily Austin write in a blog post that the attacks may have begun months earlier, based on similarities they've found between ESXiArgs ransom notes and prior attacks.
"During analysis, we discovered two hosts with strikingly similar ransom notes dating back to mid-October 2022," they say. This could reveal early stages of the ESXiArgs ransomware campaign when attackers were testing and refining "their methods on a select few hosts." While it's not clear which flaws attackers were exploiting at that time, the attacks occurred "just after ESXi versions 6.5 and 6.7 reached end of life," they say.
In response to the ransomware campaign, VMware has issued detailed tips for keeping vSphere and cloud infrastructure secured.
"The security of our customers is a top priority at VMware, and we recommend organizations upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," says a spokesperson. "Customers should also visit VMware's tips for updating ESXi to learn more about moving workloads to patch. Additional recommendations are available in VMware's customer blog on ESXiArgs ransomware."
VMware recommends that whenever possible, users employ the vMotion component of vSphere, which it designed to facilitate "zero downtime live migration of workloads from one server to another," and which can be used to "move workloads seamlessly so that ESXi can be patched." The vSphere Update Manager component can be used to update and patch individual ESXi hosts.
Hypervisors Under Fire
This will not be the last attack campaign to target unpatched hypervisors and attempt to crypto-lock their virtual machines.
"Virtual infrastructure is a high-value target, precisely because organizations run their most important workloads there," Paul Turner, vice president of product management for VMware's cloud infrastructure platform, writes in a Wednesday blog post.
But Xservus' Card says patching any type of hypervisor can be challenging. "It's very easy to deploy a virtualized environment but when it comes to updates, it is a pain. Also, it's very easy to not do that because of constraints involving time, money and skills."
In addition, if organizations have a single host, updating it will require downtime, "which organizations often don't like," Card says. "When they are clustered, it's usually easier, but there is often more cost for host-hypervisor infrastructure/licenses and possible guest virtual machine software."
As with any system at risk from ransomware, Rapid7 says the ESXiArgs attack campaign is a reminder that anyone using virtual machines must ensure they're getting backed up. "Make sure you have a backup solution in place, even for virtual machines," it says. "There are a wide variety of backup solutions available to protect virtual machines today."