An explosion of cyberattacks is infecting servers around the world with crippling ransomware by exploiting a vulnerability that was patched two years ago, it was widely reported on Monday.
The hacks exploit a flaw in ESXi, a hypervisor VMware sells to cloud hosts and other large-scale enterprises to consolidate their hardware resources. ESXi is what’s known as a bare-metal, or Type 1, hypervisor, meaning it’s essentially its own operating system that runs directly on server hardware. By contrast, servers running the more familiar Type 2 class of hypervisors, such as VMware’s VirtualBox, run as apps on top of a host operating system. The Type 2 hypervisors then run virtual machines that host their own guest OSes such as Windows, Linux or, less commonly, macOS.
Advisories published recently by computer emergency response teams (CERT) in France, Italy, and Austria report a “massive” campaign that began no later than Friday and has gained momentum since then. Citing results of a search on Census, CERT officials in Austria, said that as of Sunday, there were more than 3,200 infected servers, including eight in that country.
“Since ESXi servers provide a large number of systems as virtual machines (VM), a multiple of this number of affected individual systems can be expected,” the officials wrote.
The vulnerability being exploited to infect the servers is CVE-2021-21974, which stems from a heap-based buffer overflow in OpenSLP, an open network-discovery standard that’s incorporated into ESXi. When VMware patched the vulnerability in February 2021, the company warned it could be exploited by a malicious actor with access to the same network segment over port 427. The vulnerability had a severity rating of 8.8 out of a possible 10. Proof-of-concept exploit code and instructions for using it became available a few months later.
Over the weekend, French cloud host OVH said that it doesn’t have the ability to patch the vulnerable servers set up by its customers.
“ESXi OS can only be installed on bare metal servers,” wrote Julien Levrard, OVH’s chief information security officer. “We launched several initiatives to identify vulnerable servers, based on our automation logs to detect ESXI installation by our customers. We have limited means of action since we have no logical access to our customer servers.”
In the meantime, the company has blocked access to port 427 and is also notifying all customers it identifies as running vulnerable servers.
Levrard said the ransomware installed in the attacks encrypts virtual machine files, including those ending in .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem. The malware then tries to unlock the files by terminating a process known as VMX. The function isn’t working as its developers intended, resulting in the files remaining locked.
Researchers have dubbed the campaign and the ransomware behind it ESXiArgs because the malware creates an additional file with the extension “.args” after encrypting a document. The .args file stores data used to decrypt encrypted data.
Researchers from the YoreGroup Tech Team, Enes Sonmez and Ahmet Aykac, reported that the encryption process for ESXiArgs can make mistakes that allow victims to restore encrypted data. OVH’s Levrard said his team tested the restoration process the researchers described and found it successful in about two-thirds of the attempts.
Anyone who relies on ESXi should stop whatever they’re doing and check to ensure patches for CVE-2021-21974 have been installed. The above-linked advisories also provide more guidance for locking down servers that use this hypervisor.