Thursday, March 28, 2024
The fixed 2021 vulnerability is actively used in attacks on VMware ESXi servers

The ESXiArgs campaign has already affected about 3200 servers – administrators were urged to scan their systems.

The French Computer Emergency Response Team (CERT-FR) warns that attackers are actively exploiting a 2021 remote code execution (RCE) vulnerability in unpatched VMware ESXi servers to deploy the new ESXiArgs ransomware.

CVE-2021-21974 (CVSS 8.8) is a heap buffer overflow in the OpenSLP service that can be exploited by an unauthenticated attacker for remote code execution. It is worth noting that a fix for this bug was released in February 2021.

To block incoming attacks, administrators must disable the vulnerable Service Location Protocol (SLP) on ESXi hypervisors that have not yet been updated. CERT-FR added that non-updated systems should also be scanned for signs of compromise.

CVE-2021-21974 affects the following systems:

  • ESXi version 7.x up to ESXi70U1c-17325551;
  • ESXi version 6.7.x up to ESXi670-202102401-SG;
  • ESXi version 6.5.x up to ESXi650-202102101-SG.
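The checks CERT-FR asks for (is the host on a fixed build, and is SLP still running?) can be scripted across a fleet. The following is an added example, not code from the article or from VMware: it parses the first line of `vmware -vl` (assumed format `VMware ESXi 7.0.1 build-17325551`) and the `slpd` line of `chkconfig --list` (assumed format `slpd   on`). Only the 7.x fixed build number (17325551) appears in the advisory above; the 6.7 and 6.5 entries are placeholders that must be filled in from the VMware advisory, and until they are, those branches are treated as unpatched rather than assumed safe. The sample host outputs are constructed.

```python
import re
from typing import Optional

# Fixed build per branch. 7.x comes from the advisory (ESXi70U1c-17325551).
# 6.7 / 6.5 are PLACEHOLDERS: the page names the patches
# (ESXi670-202102401-SG, ESXi650-202102101-SG) but not their build numbers.
FIXED_BUILDS: dict[str, Optional[int]] = {
    "7": 17325551,
    "6.7": None,   # PLACEHOLDER: fill in from the VMware advisory
    "6.5": None,   # PLACEHOLDER: fill in from the VMware advisory
}

# Assumed format of the first line printed by `vmware -vl`.
VERSION_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


def parse_vmware_vl(output: str) -> tuple[str, int]:
    """Return (major.minor, build number) from `vmware -vl` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised version line: {output!r}")
    major, minor, _patch, build = m.groups()
    return f"{major}.{minor}", int(build)


def slpd_enabled(chkconfig_output: str) -> bool:
    """True when `chkconfig --list` shows the slpd service as 'on'."""
    for line in chkconfig_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "slpd":
            return parts[1].lower() == "on"
    return False  # no slpd line: service not present on this host


def assess(vmware_vl: str, chkconfig_output: str) -> dict:
    """Classify one host against CVE-2021-21974 exposure."""
    branch, build = parse_vmware_vl(vmware_vl)
    key = "7" if branch.startswith("7.") else branch
    fixed = FIXED_BUILDS.get(key, None)
    if key not in FIXED_BUILDS:
        note = "branch not listed in the advisory; check VMware's lifecycle status"
        patched = False
    elif fixed is None:
        note = "fixed build unknown (placeholder); treating as unpatched"
        patched = False
    else:
        note = ""
        patched = build >= fixed
    slp_on = slpd_enabled(chkconfig_output)
    if patched:
        status = "patched"
    elif slp_on:
        status = "exposed"            # unpatched AND SLP reachable: act now
    else:
        status = "unpatched-slp-off"  # mitigated, still patch and scan for IoCs
    return {"branch": branch, "build": build, "build_patched": patched,
            "slp_enabled": slp_on, "status": status, "note": note}


# Constructed sample outputs (not real fleet data).
SAMPLE_HOSTS = {
    "esx01": ("VMware ESXi 7.0.1 build-17325551\nVMware ESXi 7.0 Update 1\n",
              "slpd             on\n"),
    "esx02": ("VMware ESXi 7.0.0 build-16324942\nVMware ESXi 7.0 GA\n",
              "slpd             on\n"),
    "esx03": ("VMware ESXi 6.7.0 build-14320388\nVMware ESXi 6.7 Update 3\n",
              "slpd             off\n"),
}


def triage(hosts: dict) -> dict:
    """Run assess() over a {name: (vmware_vl, chkconfig)} mapping."""
    return {name: assess(vl, ck) for name, (vl, ck) in hosts.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_HOSTS).items():
        print(name, result["status"], result["note"])
```

On a real fleet the two strings per host would come from running `vmware -vl` and `chkconfig --list` over SSH; hosts reported as `exposed` are the ones that need the patch or the SLP shutdown from CERT-FR's guidance immediately, and any host that was unpatched while SLP was reachable should also be scanned for compromise.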

According to Censys, around 3,200 VMware ESXi servers worldwide were compromised in the ESXiArgs ransomware campaign. This malware encrypts “.vmxf”, “.vmx”, “.vmdk”, “.vmsd”, and “.nvram” files on compromised ESXi servers and creates an “.args” file for each encrypted document with metadata (probably required for decryption).

On infected systems, ESXiArgs drops ransom notes named “ransom.html” and “How to Restore Your Files.html”, in either “.html” or “.txt” format.
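The indicators above (the five VM file types, a “.args” sidecar per encrypted file, and the two ransom note names) can be turned into a datastore sweep. The following is an added example, not code from the article or from any of the researchers it cites; it takes a list of file paths (from `os.walk` over `/vmfs/volumes` on a real host, or the constructed listing embedded here) and reports, per VM directory, which sidecars and notes were found. Matching on names only, it will not see files that were renamed or wiped, so a clean result is not proof of a clean host.

```python
import os
from collections import defaultdict
from typing import Iterable

# Extensions the article says ESXiArgs encrypts, plus the sidecar it writes.
ENCRYPTED_EXTS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
ARGS_EXT = ".args"
# Ransom note stems from the article; the note may be .html or .txt.
NOTE_STEMS = {"ransom", "how to restore your files"}
NOTE_EXTS = {".html", ".txt"}


def is_ransom_note(name: str) -> bool:
    stem, ext = os.path.splitext(name.lower())
    return stem in NOTE_STEMS and ext in NOTE_EXTS


def scan_listing(paths: Iterable[str]) -> dict:
    """Group ESXiArgs indicators by directory.

    Returns {dir: {"args_sidecars": [...], "ransom_notes": [...],
                   "encrypted_vm_files": int}} for directories with findings.
    """
    found = defaultdict(lambda: {"args_sidecars": [], "ransom_notes": [],
                                 "encrypted_vm_files": 0})
    for path in paths:
        directory, name = os.path.split(path)
        stem, ext = os.path.splitext(name)
        if ext.lower() == ARGS_EXT:
            # Sidecar is written as <original file>.args; record it and count
            # whether the original was one of the targeted VM file types.
            found[directory]["args_sidecars"].append(name)
            if os.path.splitext(stem)[1].lower() in ENCRYPTED_EXTS:
                found[directory]["encrypted_vm_files"] += 1
        elif is_ransom_note(name):
            found[directory]["ransom_notes"].append(name)
    return {d: v for d, v in found.items()
            if v["args_sidecars"] or v["ransom_notes"]}


def walk_datastores(root: str = "/vmfs/volumes") -> Iterable[str]:
    """Yield every file path under the datastore root (ESXi default path)."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


# Constructed sample listing: web01 shows the infection pattern, db01 is clean.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01.vmdk",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/web01/ransom.html",
    "/vmfs/volumes/ds1/web01/How to Restore Your Files.html",
    "/vmfs/volumes/ds1/db01/db01.vmx",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/vmfs/volumes/ds1/db01/db01.nvram",
]

if __name__ == "__main__":
    for directory, hits in scan_listing(SAMPLE_LISTING).items():
        print(directory, hits)
```

On a host, call `scan_listing(walk_datastores())`; every flagged directory should be preserved as-is (the “.args” metadata is what the recovery guide mentioned below relies on) rather than cleaned up.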

[Image: ESXiArgs ransom note]

Michael Gillespie of ID Ransomware analyzed the ransomware and stated that the encrypted files cannot be decrypted. For encryption, ESXiArgs generates 32 bytes using a cryptographically secure pseudo-random number generator (CSPRNG), and this key is then used to encrypt the file with Sosemanuk, a secure stream cipher. The file key is encrypted with RSA and appended to the end of the file.

The use of the Sosemanuk algorithm indicates that ESXiArgs is likely based on the leaked Babuk source code, which was previously used in other ESXi-targeting campaigns such as CheersCrypt.

Earlier, cybersecurity researcher Will Thomas of the Equinix Threat Intelligence Center (ETAC) found that a new version of the Royal ransomware added support for encrypting Linux devices in order to attack VMware ESXi virtual machines.

For those affected, security researcher Enes Sonmez has created a guide that helps administrators reconfigure their virtual machines and restore data for free. BleepingComputer has also launched a dedicated ESXiArgs support topic where people report their experiences with this attack and get help recovering their machines.

Source: www.securitylab.ru