CISA Releases Recovery Script for Victims of ESXiArgs Ransomware

The malware has affected thousands of VMware ESXi hypervisors in the last few days.

DARKReading

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script for victims of the ESXiArgs ransomware variant that affected thousands of organizations worldwide this week.

CISA’s ESXiArgs-Recover tool is available for free on GitHub and organizations can use it to attempt the recovery of configuration files on vulnerable VMware ESXi servers that the ransomware variant might have encrypted. Some organizations that used the tool have successfully recovered their encrypted files without having to pay a ransom, the agency noted.

However, any cybersecurity team that plans to use the tool should first make sure they understand how it works before attempting to recover files that ESXiArgs might have encrypted, CISA cautioned. “CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is [a] fit” for their environments, it noted.

ESXiArgs is a ransomware variant that France’s Computer Emergency Response Team (CERT) first spotted Feb. 3 targeting VMware ESXi hypervisors worldwide. The malware exploits a two-year-old — and long-patched — remote code execution vulnerability (CVE-2021-21974) in Open Service Location Protocol (OpenSLP), an ESXi service for resolving network addresses.

What is ESXiArgs?

ESXiArgs has already infected more than 3,000 unpatched servers in the US, Canada, and multiple other countries. Victims have reported receiving a ransom demand of around 2 Bitcoin (or around $22,800 at press time) for the decryption key. Affected organizations have also reported the threat actor behind the campaign warning them to pay up within three days or risk having their sensitive information released publicly.

Security researchers who have analyzed ESXiArgs describe the malware’s encryption process as specifically targeting virtual machine files so as to render the system unusable. In an alert earlier this week, Rapid7 reported the malware was trying to shut down virtual machines by killing a specific process in the virtual machine kernel that handles I/O commands. In some cases, though, the malware was only partially successful in encrypting files and gave victims a chance to recover data, according to Rapid7.

In a Feb. 8 update, Rapid7 said its threat intelligence shows that multiple ransomware groups, in addition to the operator of ESXiArgs, are targeting CVE-2021-21974 and other VMware ESXi vulnerabilities.

Recovery Tool Based on Published Information

CISA’s recovery script is based on the work of two security researchers — Enes Sonmez and Ahmet Aykac — who showed how victims of ESXiArgs could reconstruct virtual machine metadata from disks that the ransomware might have failed to encrypt.

“This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” CISA said. “While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit.”
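The recovery idea described above rests on one fact: a VM's large -flat.vmdk extent often survived intact while the small text descriptor (.vmdk) that points at it was encrypted, so a fresh descriptor can be written from the extent's size. The script below is an added illustration of that step and is not CISA's ESXiArgs-Recover script or the researchers' procedure; it assumes a single monolithic VMFS extent, a conventional 255-head/63-sector BIOS geometry, and the standard descriptor fields shown, and it demonstrates the idea on a constructed sparse file rather than a real disk. Registering the VM afterwards is a separate step that this example does not cover.

```shell
#!/bin/sh
# Added example (not CISA's ESXiArgs-Recover script): rebuild a VMDK
# descriptor for a -flat.vmdk whose original descriptor was encrypted.
# Assumptions: the flat extent is intact and monolithic (one VMFS extent),
# and a standard 255-head / 63-sector BIOS geometry is acceptable.

# Number of 512-byte sectors in the flat extent, derived from its byte size.
sector_count() {
    echo $(( $(wc -c < "$1") / 512 ))
}

# Cylinders for the descriptor's geometry lines (255 heads * 63 sectors).
cylinder_count() {
    echo $(( $1 / 16065 ))
}

# Print a descriptor that references the flat extent by its basename.
# Usage: write_descriptor /vmfs/volumes/ds/vm/vm-flat.vmdk > vm.vmdk
write_descriptor() {
    flat=$1
    sectors=$(sector_count "$flat")
    cyl=$(cylinder_count "$sectors")
    extent=$(basename "$flat")
    cat <<EOF
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW $sectors VMFS "$extent"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "$cyl"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.thinProvisioned = "1"
EOF
}

# Sanity check before registering the VM: the extent line must match the
# actual file size, otherwise the hypervisor will reject or misread the disk.
descriptor_matches_flat() {
    desc=$1
    flat=$2
    declared=$(awk '/^RW /{print $2}' "$desc")
    [ "$declared" = "$(sector_count "$flat")" ]
}

# Demo on a constructed sparse 64 MiB file standing in for a real flat extent.
demo() {
    tmp=${TMPDIR:-/tmp}/esxiargs-demo.$$
    mkdir -p "$tmp"
    dd if=/dev/zero of="$tmp/vm-flat.vmdk" bs=1 count=0 seek=67108864 2>/dev/null
    write_descriptor "$tmp/vm-flat.vmdk" | tee "$tmp/vm.vmdk"
    if descriptor_matches_flat "$tmp/vm.vmdk" "$tmp/vm-flat.vmdk"; then
        echo "descriptor matches flat extent"
    else
        echo "descriptor does NOT match flat extent"
    fi
    rm -rf "$tmp"
}

demo
```

The size check at the end is the part worth keeping in any real recovery run: a descriptor whose RW sector count disagrees with the extent is the most common reason a reconstructed disk fails to attach.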

VMware itself has urged organizations to implement the patch it issued two years ago for the flaw that ESXiArgs is exploiting. As a temporary measure, organizations that have not patched the flaw should disable ESXi’s Service Location Protocol (SLP) service to mitigate the risk of attack via ESXiArgs, VMware said. Another measure: block port 427 (the port SLP listens on), where possible, Singapore’s SingCERT advised in a notice.
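Verifying that the SLP workaround is actually in place across a fleet is easier to automate than applying it. The script below is an added example, not VMware's, CISA's or SingCERT's code: it parses the output of two host commands, assumed here to be `esxcli network firewall ruleset list` (ruleset name and enabled flag, where the SLP rule is named `CIMSLP`) and `chkconfig --list` (service `slpd` on/off), and flags a host on which the service is still running or its firewall rule is still open. The command outputs embedded below are constructed samples in the shape those commands print, so the check runs offline.

```shell
#!/bin/sh
# Added example, not VMware's or CISA's code: decide from two command outputs
# whether the SLP service that CVE-2021-21974 lives in is still reachable.
# Assumed host commands whose output is fed in:
#   esxcli network firewall ruleset list   -> columns: Name, Enabled (true/false)
#   chkconfig --list                       -> columns: service, on/off
# All sample outputs below are constructed.

# Print enabled/disabled/absent for firewall ruleset $2 in ruleset output $1.
ruleset_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name { s = ($2 == "true") ? "enabled" : "disabled"; print s; found = 1 }
        END { if (!found) print "absent" }'
}

# Print on/off/absent for service $2 in chkconfig output $1.
service_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name { print $2; found = 1 }
        END { if (!found) print "absent" }'
}

# Exit 0 (exposed) when slpd is still enabled OR its firewall rule is open;
# both must be closed for the workaround to count as applied.
slp_exposed() {
    fw=$(ruleset_state "$1" CIMSLP)
    svc=$(service_state "$2" slpd)
    [ "$fw" = "enabled" ] || [ "$svc" = "on" ]
}

# Constructed sample: host where nothing has been changed yet.
UNMITIGATED_RULESETS='Name                 Enabled
-------------------  -------
sshServer               true
CIMSLP                  true
vpxHeartbeats           true'
UNMITIGATED_SERVICES='ntpd                   off
slpd                   on
sshd                   on'

# Constructed sample: host after the service was stopped and the rule closed.
MITIGATED_RULESETS='Name                 Enabled
-------------------  -------
sshServer               true
CIMSLP                  false
vpxHeartbeats           true'
MITIGATED_SERVICES='ntpd                   off
slpd                   off
sshd                   on'

# Constructed sample: rule closed but service left running (common half-fix).
HALF_RULESETS=$MITIGATED_RULESETS
HALF_SERVICES=$UNMITIGATED_SERVICES

report() {
    if slp_exposed "$1" "$2"; then
        echo "$3: SLP still exposed on port 427 (service=$(service_state "$2" slpd), rule=$(ruleset_state "$1" CIMSLP))"
    else
        echo "$3: SLP workaround applied"
    fi
}

report "$UNMITIGATED_RULESETS" "$UNMITIGATED_SERVICES" host-a
report "$MITIGATED_RULESETS"   "$MITIGATED_SERVICES"   host-b
report "$HALF_RULESETS"        "$HALF_SERVICES"        host-c
```

The third sample is the case worth checking for: a firewall rule that is off while `slpd` is still set to `on` comes back as exposed after the next reboot or a firewall reset, which is why the check requires both conditions rather than either one.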

Related news

'MichaelKors' Showcases Ransomware's Fashionable VMware ESXi Hypervisor Trend

Wide use and lack of support for malware detection technologies has made VMware's virtualization technology a prime target for cyberattackers.

New ESXiArgs encryption routine outmaneuvers recovery methods

The ransomware group behind the massive attack on ESXi virtual machines has come up with a new variant that can no longer be decrypted with the existing recovery script. (Malwarebytes Labs)

New ESXiArgs Ransomware Variant Emerges After CISA Releases Decryptor Tool

After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB

CISA Offers Recovery Tool for ESXiArgs Ransomware Victims

By Deeba Ahmed. The recovery tool is available on GitHub for free. (HackRead.com)

VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks

By Deeba Ahmed. The refutation came days after Europe and North America were rattled by ESXiArgs ransomware attacks. (HackRead.com)

Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks

The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.

VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware

Global Ransomware Attack on VMware ESXi Hypervisors Continues to Spread

The fresh "ESXiArgs" malware is exploiting a two-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.

Two-Year-Old Vulnerability Used in Ransomware Attack Against VMware ESXi

Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines. (Malwarebytes Labs)

New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an

CVE-2022-1941 (Google Cloud Security Bulletins)

A parsing vulnerability for the MessageSet type in Protocol Buffers versions up to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions up to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python, can lead to out-of-memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues and can lead to a denial of service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions 3.16 and 3.17 are no longer updated.

CVE-2021-21974: VMSA-2021-0002

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.
