VMware recently warned customers to install its latest security updates after attackers launched a ransomware campaign, now tracked as ESXiArgs, against VMware ESXi hypervisors.
"As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021," the French Computer Emergency Response Team (CERT-FR) said.
"The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7."
The vulnerability is a heap overflow in the OpenSLP service that ESXi exposes on port 427. An attacker who can reach that port can trigger it without any prior authentication and execute code on the hypervisor, which is what gives the ransomware its foothold.
VMware urged their customers to install the latest security updates and disable the OpenSLP service.
“The SLP can be disabled on any ESXi servers that haven’t been updated, in order to further mitigate the risk of compromise,” CERT-FR wrote in its notice.
CERT-FR also said that systems left unpatched should be scanned for signs of compromise.
The ransom note demands payment in Bitcoin and threatens a data leak (excerpt):
“If you want to restore files or avoid file leaks, please send 2.064921 bitcoins….
… Send money within 3 days, otherwise we will expose some data and raise the price…“
The Cybersecurity and Infrastructure Security Agency (CISA) then released an ESXiArgs recovery script. Organisations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files.
CISA and the Federal Bureau of Investigation (FBI) encouraged all organisations managing VMware ESXi servers to:
- Update servers to the latest version of VMware ESXi software,
- Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and
- Ensure the ESXi hypervisor is not exposed to the public internet.
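The second item on that list is the one most administrators can act on within minutes. As an added example (not code from the original post, nor from VMware or CISA), the script below applies the SLP hardening step on an ESXi host and then verifies it from the host's own status output, so the same check can be run as an audit across a fleet. The three commands in slp_disable are the ones VMware documents for turning SLP off on ESXi (KB 76372); the column layout that slp_status_from_output parses is an assumption about what esxcli and chkconfig print, and the sample outputs embedded below are constructed to match it.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware/CISA: apply the
# SLP hardening step on an ESXi host and verify it from the host's own status
# output. The commands in slp_disable are the ones VMware documents (KB 76372).
# The column layouts parsed below are an assumption about esxcli/chkconfig
# output; adjust the awk field selection if your build prints differently.

# slp_disable: stop slpd now, close port 427 (the CIMSLP ruleset) in the host
# firewall, and keep slpd from starting at boot. Run as root on the ESXi host.
slp_disable() {
  /etc/init.d/slpd stop || return 1
  esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
  chkconfig slpd off || return 1
}

# slp_status_from_output RULESET_LIST CHKCONFIG_LIST
#   RULESET_LIST   = output of "esxcli network firewall ruleset list -r CIMSLP"
#   CHKCONFIG_LIST = output of "chkconfig --list"
# Returns 0 only when the CIMSLP ruleset is disabled AND slpd is off at boot;
# anything missing or unparseable counts as not hardened (fail closed).
slp_status_from_output() {
  enabled=$(printf '%s\n' "$1" | awk '$1 == "CIMSLP" { print tolower($2) }')
  boot=$(printf '%s\n' "$2" | awk '$1 == "slpd" { print tolower($2) }')
  rc=0
  if [ "$enabled" != "false" ]; then
    echo "CIMSLP firewall ruleset enabled or unknown ('$enabled'): port 427 may be reachable"
    rc=1
  fi
  if [ "$boot" != "off" ]; then
    echo "slpd boot setting is not off ('$boot'): SLP would return after a reboot"
    rc=1
  fi
  return $rc
}

# slp_audit: run the check against the live host.
slp_audit() {
  slp_status_from_output \
    "$(esxcli network firewall ruleset list -r CIMSLP)" \
    "$(chkconfig --list)"
}

# Constructed sample outputs (not captured from a real host), in the shape the
# parser expects, so the check can be exercised off-host.
SAMPLE_RULESET_OFF='Name    Enabled
------  -------
CIMSLP  false'
SAMPLE_RULESET_ON='Name    Enabled
------  -------
CIMSLP  true'
SAMPLE_CHKCONFIG_OFF='slpd            off
sfcbd-watchdog  on'
SAMPLE_CHKCONFIG_ON='slpd            on
sfcbd-watchdog  on'

# slp_selfcheck: the parser must accept the hardened sample and reject the
# half-done states (firewall open, or slpd still enabled at boot).
slp_selfcheck() {
  slp_status_from_output "$SAMPLE_RULESET_OFF" "$SAMPLE_CHKCONFIG_OFF" >/dev/null || return 1
  if slp_status_from_output "$SAMPLE_RULESET_ON" "$SAMPLE_CHKCONFIG_OFF" >/dev/null; then return 1; fi
  if slp_status_from_output "$SAMPLE_RULESET_OFF" "$SAMPLE_CHKCONFIG_ON" >/dev/null; then return 1; fi
  return 0
}

case "${1:-selfcheck}" in
  selfcheck) slp_selfcheck && echo "parser self-check passed" ;;
  audit)     slp_audit && echo "SLP hardened" ;;
  disable)   slp_disable && slp_audit && echo "SLP disabled and verified" ;;
esac
```

Run it with no argument on any machine to exercise the parser, `audit` on an ESXi host to report the current state, and `disable` to apply and then verify. The check deliberately requires both conditions: a host where only the daemon was stopped comes back exposed after the next reboot, and a host where only chkconfig was changed is still listening until then. VMware's KB notes that slpd cannot be stopped while the service is in use and points to `esxcli system slp stats get` for its operational state; if `disable` fails at the first step, that is the place to look.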
But Bleeping Computer reported later that day that a second ESXiArgs ransomware wave had started. This wave included a modified encryption routine that encrypts far more data in large files.
They reported that “the encryptor had not changed, but the encrypt.sh script's 'size_step' routine had been taken out and simply set to 1 in the new version.”
“…this change causes the encryptor to alternate between encrypting 1 MB of data and skipping 1 MB of data.”
The consequence is significant. In the first wave the skip between encrypted 1 MB chunks grew with the size of the file, so a large virtual disk file kept most of its data intact and the published recovery tools could rebuild the virtual machine from it. With size_step fixed at 1, every file over 128 MB now has 50% of its data overwritten: far too much for those tools to reconstruct, and far too much for the files themselves to be usable.
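To make the effect of that one-line change concrete, here is an added shell model (not the ESXiArgs encrypt.sh and not code from the original post) of the stride the script hands to its encryptor: write 1 MB of ciphertext, skip size_step MB, repeat to end of file. The first-wave size_step rule it uses (0 for files of 128 MB and under, otherwise the file size in MB divided by 100) comes from public analyses of the first-wave script rather than from this page and should be treated as an assumption; the second-wave rule is the hard-coded 1 quoted above. The region_intact helper answers the question a recovery effort actually asks: is this particular stretch of the file untouched?

```shell
#!/bin/sh
# Added example: a model of the encrypt.sh stride, not the ransomware's own code.
# The encryptor writes CHUNK_MB of ciphertext, skips size_step MB, and repeats
# until end of file. size_step 0 means the whole file is encrypted.
CHUNK_MB=1

# first_wave_size_step SIZE_MB
# Assumed first-wave rule (from public analyses, not from this page):
# files of 128 MB or less get 0 (fully encrypted), larger files get SIZE_MB/100.
first_wave_size_step() {
  if [ "$1" -le 128 ]; then echo 0; else echo $(( $1 / 100 )); fi
}

# second_wave_size_step SIZE_MB
# Second wave: the routine was removed and size_step hard-coded to 1.
second_wave_size_step() {
  echo 1
}

# encrypted_mb SIZE_MB SIZE_STEP -> number of MB the encryptor overwrites
encrypted_mb() {
  size=$1; step=$2
  if [ "$step" -eq 0 ]; then
    echo "$size"
    return 0
  fi
  stride=$(( CHUNK_MB + step ))        # one encrypted chunk per stride
  full=$(( size / stride ))            # complete chunk+skip periods
  tail=$(( size - full * stride ))     # partial period at end of file
  if [ "$tail" -gt "$CHUNK_MB" ]; then tail=$CHUNK_MB; fi
  echo $(( full * CHUNK_MB + tail ))
}

# encrypted_permille SIZE_MB SIZE_STEP -> tenths of a percent of the file encrypted
encrypted_permille() {
  enc=$(encrypted_mb "$1" "$2")
  echo $(( 1000 * enc / $1 ))
}

# region_intact SIZE_STEP START_MB END_MB
# Returns 0 if no encrypted chunk overlaps the MB range [START_MB, END_MB),
# i.e. that part of the file can still be read back unchanged.
region_intact() {
  step=$1; start=$2; end=$3
  if [ "$step" -eq 0 ]; then return 1; fi
  stride=$(( CHUNK_MB + step ))
  k=$(( start / stride ))              # first chunk that could reach START_MB
  while [ $(( k * stride )) -lt "$end" ]; do
    cs=$(( k * stride )); ce=$(( cs + CHUNK_MB ))
    if [ "$ce" -gt "$start" ]; then return 1; fi
    k=$(( k + 1 ))
  done
  return 0
}

# Compare the two waves for a small file, a 1 GB and a 10 GB flat .vmdk
for size in 100 1024 10240; do
  fw=$(encrypted_permille "$size" "$(first_wave_size_step "$size")")
  sw=$(encrypted_permille "$size" "$(second_wave_size_step "$size")")
  printf '%6d MB: first wave %3d.%d%% encrypted, second wave %3d.%d%%\n' \
    "$size" $(( fw / 10 )) $(( fw % 10 )) $(( sw / 10 )) $(( sw % 10 ))
done
```

Under the assumed first-wave rule a 10 GB flat file loses about 100 of its 10,240 MB, in 1 MB slices 103 MB apart, which is why reconstructing the disk from its flat file was viable and why the recovery script worked. At size_step 1 the same file loses 5,120 MB, every other megabyte, and no stretch longer than 1 MB survives.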
Advice From Our Experts
Digital Forensics and Incident Response Consultant, Carl Pearce, gives some advice on what affected organisations should do next:
The patch was issued in February 2021 but, given the nature of hypervisors, it is often difficult and highly impactful to organisations when patches to these foundational servers are required. It is highly likely that servers will require a restart, but this should not put off administrators from installing the patch (an hour's downtime is better than total destruction of all the data). Anecdotal comments suggest the total process, including reboots, takes about 40 minutes.
The patch and advisory can be found on the VMware website by looking up the VMware advisory ID “VMSA-2021-0002”.
Do You Need Help Responding to a Cyber Incident?
If you need help recovering from a cyber incident, get in touch with our expert team today. At 3B Data Security, we have extensive experience and expertise gained from conducting a wide variety of incident response and data breach investigations ranging in size and complexity.
We’re approved under the recognised UK national body CREST Cyber Security Incident Response (CSIR) scheme. Our consultants even helped design the CREST Certified Incident Manager (CCIM) accreditation.