Advisory Note - ESXiArgs ransomware attack targets VMware ESXi servers

Ankura

Are you using VMware ESXi servers?

Why should you worry?

Unpatched VMware ESXi servers are being actively attacked through a two-year-old remote code execution vulnerability to deploy the new ESXiArgs ransomware.

Tracked as CVE-2021-21974, the flaw is a heap overflow in the OpenSLP service that unauthenticated threat actors can exploit in low-complexity attacks.

A ransomware infection is a cybersecurity incident in which malicious actors encrypt files and demand a ransom payment to decrypt them. Malicious actors may also demand a ransom payment in exchange for not releasing stolen data.

CERT-In mandates that such cyber incidents be reported to it within 6 hours.

Who is affected?

The systems currently being targeted are ESXi hypervisors running version 6.x, prior to 6.7.

CVE-2021-21974 affects the following systems:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG
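A quick way to turn the list above into a host check is to parse the banner printed by `vmware -vl` on an ESXi host and compare the build number against the fixed build for that branch. The script below is an added example, not Ankura's or VMware's code. The 7.x threshold (build 17325551) is the one named on this page; the 6.7 and 6.5 build numbers are this example's assumptions for the ESXi670-202102401-SG and ESXi650-202102101-SG patches and must be confirmed against the vendor advisory before the result is trusted.

```python
import re

# Fixed builds per affected branch. 7.0 comes from this page (ESXi70U1c-17325551);
# the 6.7 and 6.5 values are ASSUMED for ESXi670-202102401-SG and
# ESXi650-202102101-SG and should be verified against VMware's advisory.
FIXED_BUILDS = {
    "7.0": 17325551,
    "6.7": 17499825,  # assumed
    "6.5": 17477841,  # assumed
}

# First line of `vmware -vl`, e.g. "VMware ESXi 6.7.0 build-17167734"
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)\.(\d+) build-(\d+)")


def parse_vmware_vl(output):
    """Return (branch, build) such as ("6.7", 17167734), or None if unparsable."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return m.group(1), int(m.group(3))


def patch_status(output):
    """Classify a host as patched / vulnerable / unsupported / unknown for CVE-2021-21974."""
    parsed = parse_vmware_vl(output)
    if parsed is None:
        return "unknown", "could not parse the ESXi version banner"
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unsupported", f"ESXi {branch} is not in the CVE-2021-21974 fix list"
    if build < fixed:
        return "vulnerable", f"ESXi {branch} build {build} predates fixed build {fixed}"
    return "patched", f"ESXi {branch} build {build} includes the CVE-2021-21974 fix"


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "VMware ESXi 7.0.1 build-17325551\nVMware ESXi 7.0 Update 1",
    "VMware ESXi 7.0.0 build-16324942\nVMware ESXi 7.0 GA",
    "VMware ESXi 6.7.0 build-17167734\nVMware ESXi 6.7 Update 3",
    "VMware ESXi 6.0.0 build-15517548\nVMware ESXi 6.0 Update 3",
]

if __name__ == "__main__":
    # On a real host you would feed it: subprocess.check_output(["vmware", "-vl"], text=True)
    for banner in SAMPLE_BANNERS:
        status, detail = patch_status(banner)
        print(f"{status:12} {detail}")
```

Run it on each host's `vmware -vl` output (or collect the banners centrally) and treat any "vulnerable" or "unsupported" result as a host that must be patched or isolated.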

ESXiArgs ransomware

The ESXiArgs ransomware poses a danger to VMware ESXi virtual environments. Like any other ransomware attack, its purpose is to encrypt sensitive data and demand a ransom payment for the decryption key. On compromised ESXi hosts, the ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions and creates a .args file containing metadata for each encrypted file (likely needed for decryption).
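The .args files described above are a convenient triage indicator: a defender walking a datastore can list every .args file, pair it with the file it sits beside, and see which VM folders were touched. The script below is an added example, not Ankura's code and not derived from the ransomware itself. It assumes the metadata file is named `<encrypted file>.args` (e.g. `web01.vmdk.args`), and it builds a constructed sample datastore in a temporary directory so it runs offline.

```python
import os
import tempfile

# Extensions this advisory says ESXiArgs encrypts.
TARGET_EXTENSIONS = (".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram")
RANSOM_EXT = ".args"


def find_args_artifacts(datastore_root):
    """Walk a datastore and report every .args file with the file it pairs with.

    Naming assumption: the metadata file is <encrypted file>.args.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(datastore_root):
        present = set(files)
        for name in sorted(files):
            if not name.endswith(RANSOM_EXT):
                continue
            base = name[: -len(RANSOM_EXT)]
            _, ext = os.path.splitext(base)
            findings.append({
                "args_file": os.path.join(dirpath, name),
                "paired_file": base if base in present else None,  # None = orphan .args
                "known_target_ext": ext.lower() in TARGET_EXTENSIONS,
            })
    return findings


def summarize(findings):
    """Collapse findings into counts and the list of affected VM folders."""
    folders = {os.path.basename(os.path.dirname(f["args_file"])) for f in findings}
    return {
        "args_files": len(findings),
        "paired": sum(1 for f in findings if f["paired_file"]),
        "vm_folders": sorted(folders),
    }


def build_sample_datastore():
    """Constructed sample: one VM folder with .args artifacts, one untouched folder."""
    root = tempfile.mkdtemp(prefix="ds-sample-")
    hit = os.path.join(root, "web01")
    clean = os.path.join(root, "db01")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("web01.vmx", "web01.vmx.args", "web01.vmdk", "web01.vmdk.args",
                 "web01-flat.vmdk", "web01.nvram", "web01.nvram.args",
                 "orphan.args", "vmware.log"):
        open(os.path.join(hit, name), "wb").close()
    for name in ("db01.vmx", "db01.vmdk", "db01-flat.vmdk", "db01.nvram"):
        open(os.path.join(clean, name), "wb").close()
    return root


if __name__ == "__main__":
    # On a real host point this at e.g. /vmfs/volumes/<datastore>.
    root = build_sample_datastore()
    found = find_args_artifacts(root)
    for f in found:
        print(f)
    print(summarize(found))
```

The "vm_folders" list is what you hand to the recovery team: those are the virtual machines whose files need to be restored from backup, while folders with no .args files are candidates for verification rather than rebuild.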

The impact of an ESXiArgs attack can be devastating for organizations that rely on their virtual environments to store and manage important data. In addition to the disruption caused by the loss of access to data, organizations may also face financial losses, including the cost of paying the ransom as well as the cost of rebuilding the affected systems.

How to prevent the attack?

  • Regularly update the ESXi hosts, virtual machines, and any dependent software. Users should upgrade to the most recent version of ESXi to prevent potential threats, and limit access to the OpenSLP service to trusted IP addresses.
  • Use strong passwords and implement two-factor authentication to secure access to the ESXi environment.
  • Implement a backup strategy and regularly back up virtual machines and data to an off-site location.
  • Enable security features, such as firewall and network segmentation, to limit the attack surface.
  • Regularly monitor network activity and system logs for signs of suspicious activity.
  • Educate employees by conducting training on safe computing practices, including avoiding suspicious links and attachments and reporting any suspicious activity.
  • Consider implementing endpoint protection software, such as antivirus and anti-malware software, to protect against ransomware and other attacks.
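Restricting the OpenSLP service to trusted IP addresses, as the first bullet recommends, is done on ESXi through the host firewall ruleset for SLP (`CIMSLP`, TCP/UDP 427). The helper below is an added example and not Ankura's code: it reads the output of `esxcli network firewall ruleset allowedip list` to tell whether SLP is still open to all sources, then builds the `esxcli` commands that confine it to the networks you supply. The two-column output layout and the sample tables are this example's assumptions (constructed, not captured from a host); the commands are run only when `dry_run=False`.

```python
import ipaddress
import shlex
import subprocess

SLP_RULESET = "CIMSLP"  # ESXi firewall ruleset id for the OpenSLP service


def parse_allowedip_list(output):
    """Parse `esxcli network firewall ruleset allowedip list` into {ruleset: [ip, ...]}.

    Assumed layout: a header line, a dashed line, then "<ruleset>  <ips>" rows
    where <ips> is "All" or a comma-separated list.
    """
    table = {}
    for line in output.splitlines()[2:]:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        ruleset, ips = parts
        table[ruleset] = [p.strip() for p in ips.split(",") if p.strip()]
    return table


def slp_exposure(output):
    """Return "open" (SLP reachable from any source), "restricted", or "unknown"."""
    allowed = parse_allowedip_list(output).get(SLP_RULESET)
    if allowed is None:
        return "unknown"
    return "open" if allowed == ["All"] else "restricted"


def lockdown_commands(trusted_cidrs):
    """Build the esxcli commands that confine CIMSLP to the given networks.

    Allowed addresses are added BEFORE allowed-all is switched off so that
    management traffic from those networks is never cut off in between.
    A malformed CIDR raises ValueError instead of producing a bad rule.
    """
    cmds = []
    for cidr in trusted_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        cmds.append(["esxcli", "network", "firewall", "ruleset", "allowedip", "add",
                     "--ruleset-id", SLP_RULESET, "--ip-address", addr])
    cmds.append(["esxcli", "network", "firewall", "ruleset", "set",
                 "--ruleset-id", SLP_RULESET, "--allowed-all", "false"])
    return cmds


def apply_commands(cmds, dry_run=True):
    """Print the commands, or execute them on the ESXi host when dry_run is False."""
    for cmd in cmds:
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)


# Constructed sample outputs (assumed layout, not captured from a real host).
SAMPLE_OPEN = """Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
CIMSLP          All
"""
SAMPLE_RESTRICTED = """Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
CIMSLP          10.0.0.0/24, 10.0.1.5
"""

if __name__ == "__main__":
    # On a host: output = subprocess.check_output(
    #     ["esxcli", "network", "firewall", "ruleset", "allowedip", "list"], text=True)
    print("SLP exposure:", slp_exposure(SAMPLE_OPEN))
    if slp_exposure(SAMPLE_OPEN) == "open":
        apply_commands(lockdown_commands(["10.0.0.0/24", "10.0.1.5"]), dry_run=True)
```

Re-run the exposure check after applying the commands; it should report "restricted". Keep the trusted list to the management network only, since any host that can reach port 427 on an unpatched ESXi server is in scope for this vulnerability.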

Dos and Don’ts if you are affected

Dos

  • Isolate the infected system from the network to prevent the ransomware from spreading to other systems.
  • Report the ransomware attack to the authorities, such as law enforcement, to help identify the attackers and to prevent future attacks.
  • Seek assistance from a trusted cybersecurity professional who has experience with investigating and removing ransomware.
  • Regularly back up important data to an off-site location to ensure that it is protected in the event of a ransomware attack and can be restored to its functional state.
  • Consider using an encrypted backup to protect sensitive data from theft or unauthorized access.
  • Implement security measures, such as firewalls and network segmentation, to limit the attack surface and prevent future attacks.
  • Regularly update the software and operating systems to ensure that they are protected from known vulnerabilities and flaws.
  • Educate employees about safe computing practices, such as avoiding suspicious links and attachments and reporting any suspicious activity.

Don’ts

  • Do not immediately pay the ransom. Paying does not guarantee that the attacker will provide the decryption key, and it may encourage further attacks or the development of new ransomware variants.
  • Do not attempt to manually remove the ransomware. Manual removal may cause further damage to the system and potentially lead to the permanent loss of data.
  • Do not ignore the infection. Ignoring it will not make it go away, and the ransomware may continue to encrypt more data or spread to other systems.
  • Do not connect the infected system to other networks, as doing so may spread the ransomware and potentially infect other systems.

Written by:

Ankura