CISA Offers Recovery Tool for ESXiArgs Ransomware Victims
By Deeba Ahmed. The recovery tool is available on GitHub for free. (This is a post from HackRead.com; read the original post: CISA Offers Recovery Tool for ESXiArgs Ransomware Victims.)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help victims of ESXiArgs ransomware. It has been dubbed ESXiArgs-Recover.
According to CISA, ESXiArgs-Recover is an open-source tool designed to help ransomware victims recover VMware virtual machines (VMs) that have been impacted by the currently active attack campaign using ESXiArgs ransomware. CISA noted that some organizations have already used this tool to recover files without paying a ransom.
Alleged ESXiArgs Ransomware ransom note
CISA developed this tool entirely from publicly available resources, such as a tutorial by Enes Sonmez and Ahmet Aykac. It works by reconstructing VM metadata from the virtual disk files the malware did not encrypt. In its technical advisory, the agency stated that,
“Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review it to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs.”
CISA
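The recovery approach the article describes rests on the fact that ESXiArgs encrypted the small metadata files (the descriptor .vmdk, the .vmx and similar) but left the large *-flat.vmdk data files intact, so a fresh descriptor pointing at the surviving flat file makes the disk usable again. The following Python is an added illustration of that idea; it is not CISA's ESXiArgs-Recover script, which drives vmkfstools on the host. The descriptor layout and the lsilogic geometry (255 heads, 63 sectors per track) it emits are assumptions about what vmkfstools would produce, and the sample flat file it creates is a constructed sparse stand-in.

```python
"""Added example (not CISA's script): rebuild a VMDK descriptor for a surviving flat file."""
import os
import re
import tempfile

SECTOR_BYTES = 512
HEADS = 255                 # assumed lsilogic geometry, as vmkfstools uses
SECTORS_PER_TRACK = 63
EXTENT_RE = re.compile(r'^RW (\d+) VMFS "(.+)"$', re.MULTILINE)


def geometry_for(size_bytes: int) -> dict:
    """Derive the extent size in sectors and the CHS cylinder count from the flat file size."""
    if size_bytes <= 0 or size_bytes % SECTOR_BYTES:
        raise ValueError("flat file size must be a positive multiple of 512 bytes")
    sectors = size_bytes // SECTOR_BYTES
    return {"sectors": sectors, "cylinders": sectors // (HEADS * SECTORS_PER_TRACK)}


def build_descriptor(flat_name: str, size_bytes: int, hw_version: int = 14) -> str:
    """Render a monolithic-flat ('vmfs') descriptor that references flat_name (assumed layout)."""
    if not flat_name.endswith("-flat.vmdk"):
        raise ValueError("expected a *-flat.vmdk file name")
    geo = geometry_for(size_bytes)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        'encoding="UTF-8"',
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {geo["sectors"]} VMFS "{flat_name}"',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{geo["cylinders"]}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        f'ddb.virtualHWVersion = "{hw_version}"',
    ]
    return "\n".join(lines) + "\n"


def parse_extent_sectors(descriptor_text: str) -> int:
    """Read back the extent size so a rebuilt descriptor can be sanity-checked against the flat file."""
    match = EXTENT_RE.search(descriptor_text)
    if not match:
        raise ValueError("no RW ... VMFS extent line found")
    return int(match.group(1))


def recover_descriptor(directory: str, flat_name: str) -> str:
    """Write <base>.vmdk beside <base>-flat.vmdk; never overwrite an existing (possibly encrypted) file."""
    flat_path = os.path.join(directory, flat_name)
    desc_path = os.path.join(directory, flat_name[: -len("-flat.vmdk")] + ".vmdk")
    if os.path.exists(desc_path):
        raise FileExistsError(f"{desc_path} exists; move the old descriptor aside before rebuilding")
    size = os.path.getsize(flat_path)
    with open(desc_path, "w", encoding="utf-8") as fh:
        fh.write(build_descriptor(flat_name, size))
    return desc_path


def demo(size_bytes: int = 1024 * 1024) -> dict:
    """Run the rebuild against a constructed 1 MiB sparse flat file in a temporary directory."""
    workdir = tempfile.mkdtemp(prefix="esxiargs-demo-")
    flat = "vm-flat.vmdk"
    with open(os.path.join(workdir, flat), "wb") as fh:
        fh.truncate(size_bytes)  # constructed stand-in; a real flat file holds the guest disk
    desc_path = recover_descriptor(workdir, flat)
    with open(desc_path, encoding="utf-8") as fh:
        sectors = parse_extent_sectors(fh.read())
    try:
        recover_descriptor(workdir, flat)  # second run must refuse to clobber the new descriptor
        refused = False
    except FileExistsError:
        refused = True
    return {"descriptor": os.path.basename(desc_path), "sectors": sectors, "clobber_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The refusal to overwrite mirrors the advisory's point that the script creates new configuration files rather than deleting the encrypted ones; on a real host the rebuilt descriptor would still need the VM's .vmx re-created and the VM re-registered before it boots.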
Ransomware Attack Details
We reported earlier that threat actors are exploiting a high-severity ESXi remote code execution vulnerability, which VMware had patched back in 2021. The vulnerability was tracked as CVE-2021-21974 and is now being used to deploy file-encrypting malware targeting VMs.
This legacy bug allows attackers to achieve remote code execution on ESXi hypervisors by triggering a heap overflow in the OpenSLP service. The cybercriminals are threatening to leak stolen data, but no leak has appeared so far.
According to Ransomwhere, a ransomware payment tracker, 3,800 victims have been hit in this new attack wave, and four ransom payments totalling $88,000 have been made.
VMware’s Response
According to VMware, only unpatched and out-of-date products are targeted with known vulnerabilities like this; therefore, the company advised its customers to upgrade to the latest vSphere components.
It has also recommended that users disable the OpenSLP service in ESXi. It is worth noting that the ESXiArgs malware has not yet been linked to any known ransomware group, but the malware could be derived from the Babuk source code leaked in 2021.
- Decryptor key for Sodinokibi, REvil ransomware
- Decrypt data from Hakbit & Jigsaw ransomware
- List of Proxy IPs Exposed to Block Killnet’s DDoS Bots
Related news
Crafty bad actors can infect all of an organization's virtual machines at once, rendering tier-one applications useless.
Wide use and a lack of support for malware detection technologies have made VMware's virtualization technology a prime target for cyberattackers.
It's not just Internet-accessible hosts that are vulnerable, researchers say.
The ransomware group behind the massive attack on ESXi virtual machines has come up with a new variant that can no longer be decrypted with the existing recovery script. (Malwarebytes Labs: New ESXiArgs encryption routine outmaneuvers recovery methods)
After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB
The malware has affected thousands of VMware ESXi hypervisors in the last few days.
By Deeba Ahmed. The refutation came days after Europe and North America were rattled by ESXiArgs ransomware attacks. (This is a post from HackRead.com; read the original post: VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks.)
The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.
VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware
The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.
Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines. (Malwarebytes Labs: Two year old vulnerability used in ransomware attack against VMware ESXi)
VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.