New ransomware exploits VMware ESXi vulnerability.
N2K, Feb 6, 2023

A patch for the vulnerability has been available for two years.

France's Computer Emergency Response Team (CERT-FR) and Italy's National Cybersecurity Agency (ACN) have both warned of a widespread ransomware campaign that’s exploiting a vulnerability in VMware ESXi servers.

Thousands of servers infected.

The ransomware is exploiting CVE-2021-21974, which VMware patched in February 2021. BleepingComputer says at least 3,200 servers around the world have been infected. CERT-FR recommends that organizations apply all patches for ESXi hypervisors, and also verify that they haven’t already been compromised.

New ransomware based on Babuk source code.

According to BleepingComputer, security researcher Michael Gillespie is tracking the ransomware as “ESXiArgs.” It appears to be a new strain based on leaked source code from the Babuk ransomware. Gillespie said, “The use of the Sosemanuk algorithm is rather unique, and is usually only used in ransomware derived from the Babuk (ESXi variant) source code. This may perhaps be the case, but they modified it to use RSA instead of Babuk's Curve25519 implementation.”

Comment from industry on the ESXi exploitation.

Boris Cipot, Senior Security Engineer from Synopsys Software Integrity Group, wrote to point out that of course patching is vital, but that it has to be approached systematically:

"Patching software isn't a nice-to-have; it is a necessity, especially when we're talking about computer systems used by companies. When a vulnerability is found, users must try to mitigate this and protect affected systems. One of the best ways to do so is to apply a patch, if one is on offer. Granted, there are instances when IT will need to apply the patch on a staging or test system first to ensure it will not interfere with normal operations. Nevertheless, this should not be used as a reason to delay patching for more than a year. If there is reason to delay the patching, then other measures should be put in place to compensate for this.

"Patching software, be it commercial or open source, must be a planned procedure. To make it successful, companies must take a thorough approach, starting with an inventory of the software it uses. Once this inventory is established, it is critical that the company is regularly kept up to date on any changes or news about the software. That way, if a vulnerability is identified, those responsible can take the necessary steps to protect their systems. If a patch is made available, this should be tested and applied to affected systems as soon as possible. Organizations would benefit from having a clear, step-by-step guide, outlining the actions they need to take in these situations. This guide should be tested periodically as well. Without testing the plan and improving on it, one cannot be sure that it will work in reality."

Curtis Simpson, CISO at Armis, noted that exploitation isn't complex: “Tracked as CVE-2021-21974, the VMware security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks. To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven't yet been updated. Given the growing number of cyber attacks, in addition to the ongoing threat campaigns from cybergangs and other bad actors, the ability to monitor and secure every asset is critical to protecting ongoing operations.”
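The compensating control Simpson describes, disabling SLP on ESXi hosts that cannot be patched yet, as an added example written for this article (not code from the original page or from VMware). It assumes the ESXi shell's own tools (esxcli, chkconfig, /etc/init.d/slpd) and keeps the exposure check separate from the live commands so the check can be exercised on sample output offline.

```shell
#!/bin/sh
# Audit whether the OpenSLP service behind CVE-2021-21974 is still reachable on
# an ESXi host and, with --apply, disable it as an interim control until the
# host is patched. Assumes the ESXi shell (esxcli, chkconfig, /etc/init.d/slpd).

# slp_exposed RULESET_LIST CHKCONFIG_LIST
# Returns 0 (true) when the CIMSLP firewall ruleset is enabled or slpd is set
# to start at boot, i.e. the vulnerable service is still reachable or will be
# again after a reboot.
slp_exposed() {
    ruleset_list=$1
    chkconfig_list=$2
    # 'esxcli network firewall ruleset list' prints rows like "CIMSLP   true"
    if printf '%s\n' "$ruleset_list" | grep -Eq '^CIMSLP[[:space:]]+true'; then
        return 0
    fi
    # 'chkconfig --list' prints rows like "slpd   on" / "slpd   off"
    if printf '%s\n' "$chkconfig_list" | grep -Eq '^slpd[[:space:]]+on'; then
        return 0
    fi
    return 1
}

# disable_slp: stop the daemon, close its firewall ruleset and keep it from
# starting at boot. Only meaningful on a live ESXi host.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Live audit, skipped automatically when not running on an ESXi host.
if command -v esxcli >/dev/null 2>&1; then
    echo "ESXi version/build (compare against the CVE-2021-21974 advisory):"
    esxcli system version get
    rules=$(esxcli network firewall ruleset list)
    boot=$(chkconfig --list 2>/dev/null)
    if slp_exposed "$rules" "$boot"; then
        echo "SLP is reachable on this host; disable it until the patch is applied"
        [ "$1" = "--apply" ] && disable_slp
    else
        echo "SLP is already disabled on this host"
    fi
fi
```

Run it read-only first; pass --apply only after confirming nothing on the host depends on CIM/SLP discovery.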

(Added 5:30 PM ET, February 6th, 2023. Dan Mayer, Threat Researcher at Stairwell, sees opportunism in the threat actor's approach. If a system was unpatched, then it could be compromised, and this is typical of the Willie Sutton-esque approach of financially motivated hackers:

“Remote code execution vulnerabilities in internet-facing services highlight the opportunistic nature of financially motivated threat actors. This threat actor appears to have indiscriminately scanned the web and encrypted any target of value they could execute code on. The truth is, there are always going to be unpatched systems either due to a calculated risk taken by the organizations or due to resource and time constraints. This attack exploiting unpatched systems highlights the importance of continuously monitoring the infrastructure for malicious activity and being prepared to respond.”

And he sees global disparities at work as well. Labor is expensive and capital cheap in the US and similar economies, but the reverse is true in many other regions. Mayer adds:

"To me the biggest issue this attack highlights is the skill and income gaps across the globe. We do not have enough skilled IT professionals in nations where wealthy companies are targets. At the same time, there are threat actors across the globe who are able to make a better living leveraging their skills to extort money from others than if they took legitimate cybersecurity work. 3.4 million more cybersecurity workers are needed in the workforce to secure assets effectively. We need to ramp up training these workers, and while the gap still exists, pay those with the skills around the world what they are worth, so they don’t turn out to be part of the problem.”)

(Added 6:30 PM ET, February 6th, 2023. Arti Raman, CEO and founder of Titaniam, also sees the incident as illustrating criminal opportunism. “The reality today is that cybercriminals are exploiting any vulnerability they can find to infiltrate security systems, making it a matter of ‘when’ and not ‘if’ an organization will fall victim,” she wrote. “As ransomware gangs become more aggressive in their tactics, so must enterprises with their cybersecurity tools.”

Raman went on to outline the typical stages a ransomware attack goes through, and the measures that can help manage risk at each stage:

"Ransomware attacks occur in three major steps: infiltration, data exfiltration and system lockup. If cyberattackers succeed at any stage, they will then have further leverage that can be used to extort the victim. Organizations can invest in and use three major legs of cybersecurity to combat these stages:

  • Detection and prevention technologies so that any ransomware attack can be stopped before execution or identified before major spread.
  • Data security tools designed to prevent large-scale data exfiltration, such as encryption-at-rest, encryption-in-transit and encryption-in-use. Encryption-in-use is a powerful and innovative security tool that can reduce ransomware, extortion and other data-related attacks.
  • Backup and recovery solutions can be considered a final line of defense. Should the attackers make their way inside internal systems, these can be recovered without paying expensive ransoms.

"Enterprises cannot expect these solutions to work alone, however. They need all three to defend against the onslaught of ransomware attacks we will continue experiencing in 2023. By implementing this three-part defense, organizations can help to neutralize cyberattacker leverage in cases of ransomware exfiltration and extortion."

Aaron Sandeen, CEO and co-founder of Cyber Security Works, also offered observations. He points to the role a CISO can and should play in helping an organization maintain situational awareness:

“Organizations around the world, both public and private, have cause for concern about the latest VMware vulnerability exploits because ESXi is commonly integrated into enterprise digital infrastructure for everyday operations. Beyond the IT team, most executives and employees are unfamiliar with the underlying technical systems that power their organization. This is why a CISO is essential in documenting all technical assets to accurately communicate to leadership the level of cyber risk each opens the organization to.

"Maintaining an ongoing list of technical assets helps IT teams structure their vulnerability enumeration priorities and catch vulnerabilities in their solution stack before they’re exploited by bad actors. VMware released a patch for this specific vulnerability two years prior, which highlights the necessity of constant vulnerability management.”)