Last updated at Wed, 08 Feb 2023 19:35:43 GMT

On February 3, 2023, French web hosting provider OVH and the French CERT issued warnings about a ransomware campaign targeting VMware ESXi servers worldwide with a new ransomware strain dubbed "ESXiArgs." The campaign appears to be leveraging CVE-2021-21974, a nearly two-year-old heap overflow vulnerability in the OpenSLP service that ESXi runs. The ransomware operators are using opportunistic "spray and pray" tactics and have compromised hundreds of ESXi servers, apparently within the past few days, including servers managed by hosting companies. ESXi servers exposed to the public internet are at particular risk.

Given the age of the vulnerability, it is likely that many organizations have already patched their ESXi servers. However, since patching ESXi can be challenging and typically requires downtime, some organizations may not have updated to a fixed version.

Update: On February 7, 2023, CISA released a recovery script for organizations impacted by ESXiArgs, which "works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware."

Affected products

The following ESXi versions are vulnerable to CVE-2021-21974, per VMware's original advisory:

  • ESXi 7.x versions prior to ESXi70U1c-17325551
  • ESXi 6.7.x versions prior to ESXi670-202102401-SG
  • ESXi 6.5.x versions prior to ESXi650-202102101-SG

Security news media have noted that earlier builds of ESXi also appear to have been compromised in some cases. It is possible that attackers are leveraging additional vulnerabilities or attack vectors. We will update this blog with new information as it becomes available.

February 8, 2023 update: Based on Project Sonar telemetry and the affected build IDs, Rapid7 believes with high confidence that there are at least 18,581 vulnerable internet-facing ESXi servers at the time of this writing.

Attacker behavior

OVH has observed the following as of February 3, 2023 (lightly edited for English translation):

  • The compromise vector is confirmed to use an OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed [as of February 3]). The logs actually show the user "dcui" as involved in the compromise process.
  • Encryption is using a public key deployed by the malware in /tmp/public.pem
  • The encryption process is specifically targeting virtual machine files (".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", "*.vmem")
  • The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.
  • The malware creates "argsfile" to store arguments passed to the encrypt binary (number of MB to skip, number of MB in the encryption block, file size)
  • No data exfiltration occurred.
  • In some cases, encryption of files may partially fail, allowing the victim to recover data.

February 8, 2023 update: According to Rapid7 threat intelligence, this vulnerability and other ESXi vulnerabilities are actively being exploited by ransomware groups other than ESXiArgs.

Mitigation guidance

ESXi customers should ensure their data is backed up and should update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle. ESXi instances should not be exposed to the internet if at all possible. Administrators should also disable the OpenSLP service if it is not being used.
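The following is an added triage script, not code from Rapid7, OVH or VMware. It ties together the affected-builds list above and the OpenSLP mitigation: it classifies an ESXi host's `vmware -v` banner against the fixed builds and, when run on the host, stops and disables the SLP daemon and closes its firewall ruleset using the steps from VMware KB 76372. The 7.0 build threshold (17325551) comes from the advisory above; the 6.7 and 6.5 thresholds (17499825 and 17477841) are the build numbers of the ESXi670-202102401-SG and ESXi650-202102101-SG patches as I recall them from VMware's release notes and are an assumption to verify before relying on them. It is written for the busybox ash shell on ESXi, so it stays POSIX; the sample banners are constructed.

```shell
#!/bin/sh
# Added example (not from the Rapid7 post, OVH or VMware): triage an ESXi
# host against the CVE-2021-21974 fixed builds and, if it is not patched,
# disable OpenSLP per VMware KB 76372.  POSIX sh only: ESXi's shell is
# busybox ash.

# Minimum fixed build per major.minor version.  7.0 is from the advisory
# (ESXi70U1c-17325551).  The 6.7 and 6.5 values are the build numbers of
# the ESXi670-202102401-SG / ESXi650-202102101-SG patches as listed in
# VMware's release notes -- ASSUMPTION, verify against the advisory.
fixed_build_for() {
    case "$1" in
        7.0*) echo 17325551 ;;
        6.7*) echo 17499825 ;;
        6.5*) echo 17477841 ;;
        *)    echo "" ;;
    esac
}

# Classify a 'vmware -v' banner such as "VMware ESXi 7.0.1 build-17325551"
# as "patched", "vulnerable", or "unknown" (unparseable banner, or a
# version the advisory does not cover, e.g. 6.0 or 8.0).
esxi_slp_status() {
    banner="$1"
    pat='^VMware ESXi \([0-9][0-9.]*\) build-\([0-9][0-9]*\).*'
    ver=$(printf '%s\n' "$banner" | sed -n "s/$pat/\\1/p")
    build=$(printf '%s\n' "$banner" | sed -n "s/$pat/\\2/p")
    [ -n "$ver" ] && [ -n "$build" ] || { echo unknown; return 0; }
    min=$(fixed_build_for "$ver")
    [ -n "$min" ] || { echo unknown; return 0; }
    # Build numbers increase monotonically, so a plain integer compare works.
    if [ "$build" -ge "$min" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Stop the SLP daemon, close its firewall ruleset and keep it disabled
# across reboots (the three steps in VMware KB 76372).  Only meaningful on
# the ESXi host itself; never called unless ESXI_TRIAGE_RUN=1.
disable_openslp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    chkconfig --list | grep slpd    # expect "slpd  off"
}

# Entry point for the ESXi host.  Guarded so the functions above can be
# sourced and exercised elsewhere without touching a live hypervisor:
#   ESXI_TRIAGE_RUN=1 sh esxi_slp_triage.sh
if [ "${ESXI_TRIAGE_RUN:-0}" = 1 ]; then
    status=$(esxi_slp_status "$(vmware -v)")
    echo "ESXi OpenSLP exposure: $status"
    # "unknown" is treated like "vulnerable": disabling an unused service
    # is cheap, leaving an exposed one is not.
    if [ "$status" != patched ]; then
        disable_openslp
    fi
fi
```

Disabling OpenSLP stops the exploit path for this bug but is not a substitute for the patch; the script is a stopgap for hosts whose maintenance window has not arrived yet, and it should be paired with removing the host from internet reachability.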

Rapid7 customers

A vulnerability check for CVE-2021-21974 has been available to InsightVM and Nexpose customers since February 2021.

Updates

February 8, 2023 15:35 UTC
- Added CISA recovery script released on February 7, 2023
February 8, 2023 19:32 UTC
- Added Project Sonar telemetry information
- Added information regarding exploitation by groups other than ESXiArgs