It's not just Internet-accessible hosts that are vulnerable, researchers say.

Security teams working to secure their organizations against a nearly two-year-old vulnerability in VMware's ESXi hypervisor technology that attackers suddenly began exploiting en masse last week must pay attention to all ESXi hosts in the environment, not just Internet-accessible ones.

That's the advice of security vendor Bitdefender after it analyzed the threat and discovered that attackers can exploit it in multiple ways.

**Two-Year-Old Flaw**

The vulnerability in question, CVE-2021-21974, is present in VMware's implementation of a service delivery protocol in ESXi called Open Service Location Protocol (OpenSLP). The vulnerability gives unauthenticated attackers the ability to remotely execute malicious code on affected systems without any user interaction.

VMware disclosed the vulnerability in February 2021 and issued a patch for it at the same time. Since then, attackers have targeted it heavily and made CVE-2021-29174 one of the most exploited vulnerabilities in 2021 and 2022. On Feb. 3, France's computer emergency response team warned about bad actors exploiting CVE-2021-21974 to distribute a ransomware variant dubbed ESXiArgs ransomware on ESXi hosts around the world.

The widespread nature of the attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to release a recovery script that victims of ESXiArgs could use to try to recover their systems.

Martin Zugec, technical solutions director at Bitdefender, says though the initial compromise vector remains unknown, a popular theory is that it is via direct exploitation through Internet-exposed port 427. VMware itself has recommended that if organizations cannot patch immediately, they should block access to port 427.

While that measure can slow down an adversary, it does not eliminate risk from the flaw entirely because attackers can exploit the vulnerability in other ways as well, Zugec says. If an organization blocks port 427, for instance, an attacker could still compromise one of the virtual machines running on an ESXi host via any existing vulnerability.

They could then escape the compromised virtual machine to exploit the vulnerability in OpenSLP and gain root access to the host, he says.

**Other Ways to Exploit Flaw**

"Threat actors can use any existing vulnerability to compromise a virtual machine — whether it's Linux or Windows-based," Zugec notes.

A threat actor can also relatively easily buy on the Dark Web access to a previously compromised virtual machine and attempt OpenSLP remote code execution against the hosting hypervisor, he says.

"If successful, the threat actor can gain access not only to the hypervisor host, but also to all other machines running on the same server," Zugec says. "The OpenSLP exploit in this case would allow a threat actor to escalate their access and move laterally to other — potentially more valuable — machines."

Zugec says Bitdefender has so far seen no evidence of attackers exploiting the VMware ESXi vulnerability in this manner. But, given the major focus on direct exploitation via port 427, Bitdefender wanted to warn the public about other methods to exploit this vulnerability, he says. In addition to blocking access to port 427, VMware has also recommended that organizations that cannot patch CVE-2021-21974 simply disable SLP where possible.

**Shades of WannaCry**

Bitdefender said its analysis of the latest attacks targeting CVE-2021-21974 suggest that the threat actors behind them are opportunistic and not very sophisticated. Many of the attacks appear completely automated in nature, from initial scans for vulnerable systems to ransomware deployment.

"We can compare this to WannaCry," Zugec notes. "While these attacks can reach a wide range of machines, the impact remains limited."

But more sophisticated threat actors would use the flaw in ESXi to conduct a much larger operation, he says. Initial access brokers, for instance, could deploy a remote Web shell and disable SLP service so other threat actors cannot exploit the same flaw. They could then simply lie in wait for the best opportunity to monetize their access. Potential options could include data theft, surveillance, and cryptojacking.

To fully address the risk of a cyberattack exploiting the VMware vuln, Bitdefender — like VMware and others — recommends that organizations apply the patch for it immediately.

Embattled VMware ESXi Hypervisor Flaw Exploitable in Myriad Ways

Categories: News
Categories: Ransomware
Tags: ESXi

Tags:  ESXiArgs

Tags:  encryption routine

The ransomware group behind the massive attack on ESXi Virtual Machines has come up with a new variant that can no longer be decrypted with the existing recovery script



(Read more...)




The post New ESXiArgs encryption routine outmaneuvers recovery methods appeared first on Malwarebytes Labs.

In what seems to be a typical arms race where one side responds to counter the progress the other side has made, the ransomware group behind the massive attack on ESXi Virtual Machines (VMs) has come up with a new variant that can no longer be decrypted with the recovery script released by the Cybersecurity & Infrastructure Security Agency (CISA).

**New encryption routine**

Victims have reported a new variant of the encryptor that no longer leaves large chunks of data unencrypted. This makes recovery next to impossible. The recovery script released by CISA for organizations that have fallen victim to ESXiArgs ransomware reportedly no longer works for this new variant. CISA compiled the ESXiArgs-Recover tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. The decryption tool uses the large and therefore mostly non-encrypted flat files, where the virtual machine's disk data is stored, to recover the VMs.

Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB. This ensures that all files larger than 128 MB are encrypted for 50%. Files under 128MB are fully encrypted which was also the case in the old variant.

**Ransom note**

Victims can tell the variants apart by looking at the ransom note. The new variant no longer mentions the Bitcoin address in the ransom note, but tells victims to contact the threat actor on TOX, an encrypted messaging service. It is likely that this change was triggered by the fear of tracking payments through the blockchain which might eventually lead to the threat actor.

**Attack vector**

As we mentioned in our initial report about this attack wave:

> “While all clues point to CVE-2021-21974 there are several critical vulnerabilities in VMware ESXi like CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699, that can potentially lead to remote code execution (RCE) on affected systems.”

Some victims have stated that they had SLP disabled, which was a workaround suggested by VMware for the two year old vulnerability that is the prime, but not the only, suspect in this case.

**Please**

According to CISA and the FBI, some 3800 servers have fallen victim to EXSiArgs globally.

So, either update ESXi, or probably even better, make your ESXi VMs inaccessible from the internet.

Many aspects of this attack remain unclear and when new details become known we will keep you posted.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

New ESXiArgs encryption routine outmaneuvers recovery methods

Categories: News
Tags: VMware ESXi

Tags:  Safer Internet Day

Tags:  Malwarebytes Mobile Security

Tags:  ION

Tags:  LockBit ransomware

Tags:  ransomware

Tags:  GoAnywhere

Tags:  Ryuk

Tags:  Malwarebytes Application Block

Tags:  BEC

Tags:  business email compromise

Tags:  fake Facebook

Tags:  Facebook

Tags:  Reddit breach

Tags:  Killnet

Tags:  DDoS attack

The most interesting security related news from the week of February 6 to 12.



(Read more...)




The post A week in security (February 6 - 12) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (February 6 - 12)

After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data.
The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB

Ransomware / Endpoint Security

After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data.

The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB will have 50% of their data encrypted, making the recovery process more challenging.

Another notable change is the removal of the Bitcoin address from the ransom note, with the attackers now urging victims to contact them on Tox to obtain the wallet information.

The threat actors "realized that researchers were tracking their payments, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent," Censys said in a write-up.

"In other words: they are watching."

Statistics shared by the crowdsourced platform Ransomwhere reveal that as many as 1,252 servers have been infected by the new version of ESXiArgs as of February 9, 2023, of which 1,168 are reinfections.

Since the start of the ransomware outbreak in early February, over 3,800 unique hosts have been compromised. A majority of the infections are located in France, the U.S., Germany, Canada, the U.K., the Netherlands, Finland, Turkey, Poland, and Taiwan.

ESXiArgs, like Cheerscrypt and PrideLocker, is based on the Babuk locker, which had its source code leaked in September 2021. But a crucial aspect that differentiates it from other ransomware families is the absence of a data leak site, indicating that it's not running on a ransomware-as-a-service (RaaS) model.

"Ransoms are set at just over two bitcoins (US $47,000), and victims are given three days to pay," cybersecurity company Intel471 said.

While it was initially suspected that the intrusions involved the abuse of a two-year-old, now-patched OpenSLP bug in VMware ESXi (CVE-2021-21974), compromises have been reported in devices that have the network discovery protocol disabled.

VMware has since said that it has found no evidence to suggest that a zero-day vulnerability in its software is being used to propagate the ransomware.

This indicates that the threat actors behind the activity may be leveraging several known vulnerabilities in ESXi to their advantage, making it imperative that users move quickly to update to the latest version. The attacks have yet to be attributed to a known threat actor or group.

"Based on the ransom note, the campaign is linked to a sole threat actor or group," Arctic Wolf pointed out. "More established ransomware groups typically conduct OSINT on potential victims before conducting an intrusion and set the ransom payment based on perceived value."

Cybersecurity company Rapid7 said it found 18,581 internet-facing ESXi servers that are vulnerable to CVE-2021-21974, adding it further observed RansomExx2 actors opportunistically targeting susceptible ESXi servers.

"While the dollar impact of this particular breach may seem low, cyber attackers continue to plague organizations via death by a thousand cuts," Tony Lauro, director of security technology and strategy at Akamai, said.

"The ESXiArgs ransomware is a prime example of why system administrators need to implement patches quickly after they are released, as well as the lengths that attackers will go to in order to make their attacks successful. However, patching is just one line of defense to rely on."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New ESXiArgs Ransomware Variant Emerges After CISA Releases Decryptor Tool

By Deeba Ahmed
The recovery tool is available on GitHub for free.
This is a post from HackRead.com Read the original post: CISA Offers Recovery Tool for ESXiArgs Ransomware Victims

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help victims of ESXiArgs ransomware. It has been dubbed SXiArgs-Recover.

According to CISA, SXiArgs-Recover is an open-source tool designed to help ransomware attack victims recover virtually any VMs (VMware virtual machines) that have been impacted by the currently active attack campaign involving the use of **ESXiArgs ransomware**. CISA noted that some organizations had used this tool to recover files without paying a ransom.

Alleged ESXiArgs Ransomware ransom note

CISA has developed this **tool** entirely using publicly available resources, such as a tutorial by Enes Sonmez and Ahmet Aykac. It does the job by reconstructing VM metadata from virtual disks that the malware didn’t encrypt. In its **technical advisory**, the agency stated that,

> “Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review it to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs.”
> 
> CISA

**Ransomware Attack Details**

We reported earlier that threat actors are exploiting a high-severity ESXi remote code execution vulnerability, which VMware had patched back in 2021. The vulnerability was tracked as CVE-2021-21974 and is now being used to deploy file-encrypting malware targeting VMs.

This legacy bug allows attackers to perform remote code execution on ESXi hypervisors by initiating a heap-overflow issue in OpenSLP. Cybercriminals are threatening to leak the stolen data, but there hasn’t been any leak.

**Ransomwhere** is a ransomware payment tracker, according to which the number of victims targeted in this new attack wave is 3800, and four payments have been made worth a total amount of $88,000.

**VMware’s Response**

**According to VMware**, only unpatched and out-of-date products are targeted with known vulnerabilities like this; therefore, the company advised its customers to upgrade to the latest vSphere components.

It has also recommended that users disable the OpenSLP service in ESXi. It is worth noting that the ESXiArgs malware has not yet been linked to any known ransomware group, but the malware could be derived from the **Babuk** source code leaked in 2021.

1.  **Decryptor key for Sodinokibi, REvil ransomware**
2.  **Decrypt data from Hakbit & Jigsaw ransomware**
3.  **List of Proxy IPs Exposed to Block Killnet’s DDoS Bots**

CISA Offers Recovery Tool for ESXiArgs Ransomware Victims

The malware has affected thousands of VMware ESXi hypervisors in the last few days.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script for victims of the ESXiArgs ransomware variant that affected thousands of organizations worldwide this week.

CISA's ESXiArgs-Recover tool is available for free on GitHub and organizations can use it to attempt the recovery of configuration files on vulnerable VMware ESXi servers that the ransomware variant might have encrypted. Some organizations that used the tool have successfully recovered their encrypted files without having to pay a ransom, the agency noted.

However, any cybersecurity team that plans to use the tool should first make sure they understand how it works before attempting to recover files that EXSIArgs might have encrypted, CISA cautioned. "CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is \[a\] fit," for their environments, it noted.

ESXiArgs is a ransomware variant that France's Computer Emergency Response Team (CERT) first spotted Feb. 3 targeting VMware ESXi hypervisors worldwide. The malware exploits a 2-year old — and long-patched — remote code execution vulnerability (CVE-2021-21974) in Open Service Location Protocol (OpenSLP), an ESXi service for resolving network addresses.

**What is ESXiArgs?**

ESXiArgs has already infected more than 3,000 unpatched servers in the US, Canada, and multiple other countries. Victims have reported receiving a ransom demand of around 2 Bitcoin (or around $22,800 at press time) for the decryption key. Affected organizations have also reported the threat actor behind the campaign warning them to pay up within three days or risk having their sensitive information released publicly.

Security researchers that have analyzed ESXiArgs describe the malware's encryption process as specifically targeting virtual machine files so as to render the system unusable. In an alert earlier this week, Rapid 7 reported the malware was trying to shut down virtual machines by killing a specific process in the virtual machine kernel that handles I/O commands. In some cases, though, the malware was only partially successful in encrypting files and gave victims a chance to recover data, according to Rapid7.

In a Feb. 8 update, Rapid7 said its threat intelligence shows that multiple ransomware groups, in addition to the operator of ESXiArg, are targeting CVE-2021-21974 and other VMware ESXi vulnerabilities.

**Recovery Tool Based on Published Information**

CISA's recovery script is based on the work of two security researchers — Enes Sonmez and Ahmet Aykac — who showed how victims of ESXiArgs could reconstruct virtual machine metadata from disks that the ransomware might have failed to encrypt.

"This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs," CISA said. "While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit."

VMware itself has urged organizations to implement the patch it issued two years ago for the flaw that ESXiArgs is exploiting. As a temporary measure, organizations that have not patched the flaw should disable ESXi's service location protocol (SLP) to mitigate the risk of attack via ESXiArgs, VMware said. Another measure: Disable port 427 (the one SLP uses), where possible, Singapore's SingCERT advised in a notice.

CISA Releases Recovery Script for Victims of ESXiArgs Ransomware

By Deeba Ahmed
The refutation came days after Europe and North America were rattled by ESXiArgs Ransomware attacks.
This is a post from HackRead.com Read the original post: VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks

Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has refuted claims that two-year-old vulnerabilities have been exploited in the ongoing ESXiArgs ransomware attacks.

Over the weekend, reports emerged about cybercriminals exploiting a two-year-old vulnerability in virtualization services provider VMware in a ransomware campaign. French CERT (Computer Emergency Response Team) **said** the campaign has been active since February 3rd, 2023.

Moreover, Italy’s ACN (National Cybersecurity Agency) **issued** a warning about a large-scale ransomware campaign. The agency noted that attackers were aiming to target thousands of organizations across Europe and North America.

It was also reported that VMware’s ESXi servers were vulnerable, as these had not been patched against a remotely exploitable flaw discovered in 2021. Attackers compromised the server and added a ransomware variant called ESXiArgs.

For your information, ESXi is VMware’s hypervisor technology, which allows organizations to host multiple virtualized computers running multiple operating systems on a single physical server.

The vulnerability is tracked as **CVE-2021-21974** and assigned a CVSS rating of 8.8. It is an OpenSLP heap-based buffer overflow flaw, which an unauthorized actor can exploit to gain remote code execution. A fix for it was released on February 23, 2021, by VMware.

However, on Monday, VMware denied the news and stated they could not find any evidence that threat actors were trying to leverage a zero-day in its software in a worldwide active ransomware campaign.

“Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” said Edward Hawkins, the High-Profile Product Incident Response Manager at VMware in a **blog post**.

The company has advised its customers to upgrade to its latest vSphere components release to mitigate the threat. Furthermore, the company recommends disabling the OpenSLP service in ESXi. It is worth noting that the service was disabled by default in ESXi 7.0 U2c and ESXi 8.0 GA, shipped in 2021.

According to GreyNoise data, 19 unique IP addresses have attempted to exploit the ESXi vulnerability since February 4, 2023. Eighteen IP addresses were classified as benign, whereas one instance of malicious exploitation of the issue was reported in the Netherlands.

The intrusion involved exploiting the already-susceptible ESXi servers, which were exposed to the internet on the OpenSLP port 427. The victims were asked to pay 2.01 Bitcoin or $45,990 in exchange for the encryption key for file recovery. But so far, there are no reports of data exfiltration.

The alleged ESXiArgs ransomware (Source: DarkFeed)

The U.S. CISA is investigating the ESXiArgs campaign. According to the agency’s spokesperson, they have collaborated with private and public sector partners to analyze the impact of the reported incidents and offer assistance where required.

“Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI,” they added.

1.  **Shipping Software Hit by Ransomware Attack**
2.  **Royal Ransomware Spreading Through Google Ads**
3.  **COVID-19 Tracking App Drops Punisher Ransomware**
4.  **Ransomware Gang Leaks Medibank Data on Dark Web**
5.  **US Charges Iranian Hackers Over Ransomware Attacks**

VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks

For the moment, victims can decrypt data without paying a ransom. But Clop is a ransomware variant that has caused havoc on Windows systems, so that's bound to change.

A newly spotted version of the prolific Clop ransomware family holds both good and bad news for security teams.

The good news is the malware is faulty, and victims can relatively easily decrypt any data it encrypts without first having to pay a ransom for a decryption key. The bad news is the new malware also is the first Linux version of Clop, a particularly nasty ransomware variant associated with numerous high-profile attacks that have netted its operators hundreds of millions of dollars.

**Faulty Encryption**

Researchers from SentinelOne's SentinelLabs threat hunting team observed the latest Clop variant targeting Linux systems at a university in Colombia. Samples that the company analyzed showed the Linux code to have a similar logic as its more pernicious Windows relative, with minor differences involving API calls and other features unique to the different operating systems.

SentinelOne's analysis showed Clop's Linux version is still likely only in its initial development stages and missing many of the obfuscation and evasive capabilities that are present in Windows' versions of the malware. The security vendor assessed that the reason for this might have to do with the fact that not one of the 64 virus-detection engines on Virus Total are currently able to detect the Linux Clop variant.

Significantly, SentinelOne's researchers found the encryption logic in the Linux variant to be flawed. "The issue boils down to a couple of key differences between the Windows and Linux variants," says Antonis Terefos, threat intelligence researcher at SentinelOne.

The Linux version includes a hardcoded master key, which, when extracted, allows for decryption, he says. "The flaw allows for the simple extraction or discovery of what the RC4 'master key' is for a given sample," he notes, adding that SentinelOne has released a free decryptor for the variant.

The Windows version, on the other hand, contains a number of validation steps, along with a different key generation process, making it hard to retrieve the master key in similar fashion. Specifically, the Windows version generates an RC4 key for each encrypted file on a compromised system and then encrypts the encryption key itself and stores it on the system. Victims who pay the ransom receive a decryption key for decrypting the RC4 key, which is then used to decrypt the actual data.

**Other Differences Between Windows & Linux Clop Versions**

SentinelOne also discovered other differences between the Windows and Linux variants of Clop. The Windows variant, for instance, includes logic that excludes specific files, folders, and extensions on a system from encryption. With the Linux variant, on the other hand, paths targeted for encryption are hardcoded into the malware, Terefos says: "Therefore, there is no need to 'exclude' unwanted locations."

The new Clop version adds to a growing list of ransomware variants targeting Linux systems; other examples include Hive, Smaug, Snake, and Quilin. Researchers from Trend Micro who have been tracking the trend, reported a 75% increase in ransomware attacks that targeted Linux systems in the first half of 2022 compared with the prior year. In a September report, the security vendor reported observing some 1,960 instances where a threat actor used Linux ransomware in an attack attempt, compared with 1,121 in the same period in 2021.

**Mounting Attacker Interest in Linux Malware**

Since then, the situation has only gotten worse for Linux systems. During 2022 as a whole, Trend Micro identified some 27,602 attacks involving Linux malware, says Jon Clay, vice president of threat intelligence at Trend Micro. That represented a 628% increase over 2021, he notes, adding, "we are seeing many more ransomware groups targeting Linux systems."

The attacks are part of a broader increase in all kinds of malware targeting Linux environments, Clay says. As one example, he points to a 61% increase in cryptominers targeting Linux from 2021 to 2022. Others such as VMware have noted an increase in different kinds of malware tools targeting virtual machines and containers via Linux hosts. In a report last year, the company reported identifying more than 14,000 instances where attackers attempted to deploy the Cobalt Strike post-exploit toolkit on a Linux host.

Attacks targeting Windows systems continue to outnumber those directed at Linux environments by orders of magnitude. Still, the growing attacker interest in Linux is something enterprises cannot ignore. 

"Linux and cloud devices offer a rich pool of potential victims," Terefos says. "In recent years, many organizations have shifted toward cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks."

The rise in cross-platform programming languages such as Rust and Go are another factor in the mix because they have lowered the barrier of porting malware to other platforms, Terefos notes. "We've seen this with other groups like Hive, Royal, LockBit, Agenda, etc. Successfully targeting cloud environments is an operational necessity for the future success of these groups."

Fresh, Buggy Clop Ransomware Variant Targets Linux Systems

The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.

Organizations using older versions of VMWare ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed "End of General Support (EOGS) and/or significantly out-of-date products" continues.

However, the onslaught also points out wider problems in locking down virtual environments, the researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or "zero-day" flaw, but rather previously identified vulnerabilities that already have been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed "ESXiArgs" is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi, something VMware began doing by default in shipped versions of the project starting in 2021 with ESXi 7.0 U2c and ESXi 8.0 GA, to mitigate the issue.

**Unpatched Systems Again in the Crosshairs**

VMware's confirmation means that the attack by as-yet unknown perpetrators that's so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US may have been avoided by something that all organizations clearly need to do better — patch vulnerable IT assets — security experts said.

"This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in," notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It's a "sad truth" that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and security strategist for security exposure management firm Tenable**.**

"This puts organizations at incredible jeopardy of being successfully penetrated," he tells Dark Reading. "In this case, with the … VMWare vulnerability, the threat is immense given the active exploitation."

However, even given the risks of leaving vulnerable systems unpatched, it remains a complex issue for organizations to balance the need to update systems with the effect the downtime required to do so can have on a business, Montel acknowledges.

"The issue for many organizations is evaluating uptime, versus taking something offline to patch," he says. "In this case, the calculation really couldn’t be more straightforward — a few minutes of inconvenience, or days of disruption."

**Virtualization Is Inherently a Risk**

Other security experts don't believe the ongoing ESXi attack is as straightforward as a patching issue. Though lack of patching may solve the problem for some organizations in this case, it's not as simple as that when it comes to protecting virtualized environments in general, they note.

The fact of the matter is that VMware as a platform and ESXi in particular are complex products to manage from a security perspective, and thus easy targets for cybercriminals, says David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary. Indeed, multiple ransomware campaigns have targeted ESXi in the past year alone, demonstrating that savvy attackers recognize their potential for success.

Attackers get the added bonus with the virtualized nature of an ESXi environment that if they break into one ESXi hypervisor, which can control/have access to multiple virtual machines (VMs), "it could be hosting a lot of other systems that could also be compromised without any additional work," Maynor says.

Indeed, this virtualization that's at the heart of every cloud-based environment has made the task of threat actors easier in many ways, Montel notes. This is because they only have to target one vulnerability in one instance of a particular hypervisor to gain access to an entire network.

"Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything," he says. "If they are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection."

**How to Protect VMware Systems When You Can't Patch**

As the latest ransomware attack persists — with its operators encrypting files and asking for around 2 Bitcoin (or $23,000 at press time) to be delivered within three days of compromise or risk the release of sensitive data — organizations grapple with how to resolve the underlying issue that creates such a rampant attack.

Patching or updating any vulnerable systems immediately may not be entirely realistic, other approaches may need to be implemented, notes Dan Mayer, a threat researcher at Stairwell. "The truth is, there are always going to be unpatched systems, either due to a calculated risk taken by the organizations or due to resource and time constraints," he says.

The risk of having an unpatched system in and of itself may be mitigated then by other security measures, such as continuously monitoring enterprise infrastructure for malicious activity and being prepared to respond quickly and segment areas of attack if a problem arises.

Indeed, organizations need to act on the assumption that preventing ransomware "is all but impossible," and focus on putting tools in place "to lessen the impact, such as disaster recovery plans and context-switched data," notes Barmak Meftah, founding partner at cybersecurity venture capital firm Ballistic Ventures.

However, the ongoing VMware ESXi ransomware attack highlights another issue that contributes to an inherent inability for many organizations to take the necessary preventative measures: the skill and income gaps across the globe in the IT security realm, Mayer says.

"We do not have enough skilled IT professionals in nations where wealthy companies are targets," he tells Dark Reading. "At the same time, there are threat actors across the globe who are able to make a better living leveraging their skills to extort money from others than if they took legitimate cybersecurity work."

Mayer cites a report by the international cybersecurity nonprofit (ICS2) that said to secure assets effectively, the cybersecurity workforce needs 3.4 million cybersecurity workers. Until that happens, "we need to ramp up training these workers, and while the gap still exists, pay those with the skills around the world what they are worth, so they don’t turn to being part of the problem," Mayer says.

Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks

**LOS ALTOS, Calif.****,** **Feb. 7, 2023** **/PRNewswire/ --** Contrast Security (Contrast), the code security platform built for developers and trusted by security, today released its Cyber Bank Heists report, an annual report that exposes the cybersecurity threats facing the financial sector.

Authored by Contrast's Senior Vice President of Cyber Strategy Tom Kellermann, the report is a warning to global financial institutions (FIs) that security must be a top-of-mind issue amid rising geopolitical tensions, increased destructive attacks utilizing wipers and a record-breaking year of zero-day exploits. Financial sector security leaders from around the world - in a series of interviews - revealed specific trends when it comes to notable cyberattacks, e-fraud and cyber defense. Some of the most eye-opening results from the report include:

*   60% were victimized by destructive attacks
*   64% saw an increase in application attacks, while 50% experienced attacks against their APIs
*   48% experienced an increase in wire transfer fraud
*   50% have detected campaigns to steal non-public market information
*   54% of the banks were most concerned with the cyber threat posed by Russia
*   72% plan to invest more in application security in 2023

"The increase of online threats, phishing, ransomware attacks, account takeovers and business email compromises impacting the financial sector is growing every day and we can see in real-time the damage this is doing to the longevity of businesses and the impact it's having on our economy," said Derek Booth, Assistant to the Special-Agent-in-Charge, U.S. Secret Service and Head of the Mountain West Cyber Fraud Task Force. "I applaud Tom Kellermann for speaking with some of the most influential people within the sector to determine solutions that can better protect FIs against vulnerabilities in banks and methods of commerce through industry-wide transparency."

"The complexity of securing financial digital systems and the need to develop new ways to guard against sophisticated cyberattacks has increased exponentially in the last year. In response, FIs are fighting to evolve and create more effective prevention, detection and response to these damaging attacks," said Booth.

"Cybersecurity can no longer be viewed as an expense but rather a functionality of conducting business. Trust and confidence in the safety of FIs depend on effectively mitigating and responding to cyberattacks," said Kellermann.

The report provides helpful guidance, and specific defensive countermeasures to defend against growing cybercrime conspiracies and cyberespionage including:

1.  Deploy intelligent runtime protection
2.  Conduct weekly threat hunting
3.  Deploy AppSec for serverless platforms
4.  Defend your APIs
5.  Add a cybersecurity specialist to your board

"The financial sector needs to shift its thinking when it comes to attacks, as geo-political tensions manifest via cyberattacks. Cybercrime cartels are modernizing their criminal conspiracies so as to steal non-market information and destroy the integrity of sensitive data within financial institutions," said Kellermann. "This is no longer a question of duty of care but rather a duty of loyalty to the digital safety of customers. That is why the Cyber Bank Heists report not only highlights these trends but depicts countermeasures that can help institutions defend from within."

Booth will be joining Kellermann for a LinkedIn Live roundtable discussion at 9:00am PST on Tuesday, February 7 and a live webinar at 9:00am PST on Thursday, February 23 to discuss their reactions to the report and the financial security risks impacting organizations this year. Contrast also published a three-part blog series that dives deeper into cyberattack trends, e-fraud, and defensive shifts. 

To download the Cyber Bank Heists report, please visit https://www.contrastsecurity.com/cyberbankheistsreport. FIs can also request a demo of Contrast's financial capabilities by visiting https://www.contrastsecurity.com/solutions/financial-services. 

**About Cyber Bank Heists report:** 

Authored by Contrast's Senior Vice President of Cyber Strategy Tom Kellermann, the annual Cyber Bank Heist report includes findings from interviews conducted with global financial sector leaders focusing on the current state of security threats and the defensive shifts made by cybercriminals. The report provides an analysis of geopolitical tensions, destructive attacks and zero-day exploits from the previous year. It also offers specific defensive countermeasures that should be employed by FIs to protect against growing cybercrime conspiracies and cyberespionage. To learn more about the annual Cyber Bank Heists report, please visit https://www.contrastsecurity.com/cyberbankheistsreport.

**About the Author Tom Kellermann:** 

Tom Kellermann is the Senior Vice President of Cyber Strategy at Contrast Security, Inc. Previously, Tom held the positions of Head of Cybersecurity Strategy for VMware, Inc. and Chief Cybersecurity Officer for Carbon Black, Inc., wherein he authored the "Modern Bank Heist report" for the past five years. In 2020, he was appointed to the Cyber Investigation Advisory Board for the United States Secret Service. On Jan. 19, 2017, Tom was appointed the Wilson Center's Global Fellow for Cybersecurity Policy. Tom previously held the positions of Chief Cybersecurity Officer for Trend Micro, Inc., Vice President of Security for Core Security and Deputy CISO for the World Bank Treasury. In 2008, Tom was appointed a commissioner on the Center for Strategic & International Studies' (CSIS') Commission on Cyber Security for the 44th President of the United States. In 2003, he co-authored the Book "Electronic Safety and Soundness: Securing Finance in a New Age."

**About Contrast Security (Contrast):**

A world leading code security platform company purposely built for developers to get secure code moving swiftly and trusted by security teams to protect business applications. Developers, security and operations teams quickly secure code across the complete software development life cycle (SDLC) with Contrast to protect against today's targeted application security (AppSec) attacks. Contrast also makes security testing available to all developers for free with CodeSec.

Founded in 2014 by cybersecurity industry veterans, Contrast was established to replace legacy AppSec solutions that cannot protect modern enterprises. With today's pressures to develop business applications at increasingly rapid paces, the Contrast Secure Code Platform defends and protects against full classes of common vulnerabilities and exposures (CVEs). This allows security teams to avoid spending time on focusing false positives and remediate true vulnerabilities faster. Contrast's platform solutions for code assessment, testing, protection, serverless, supply chain, APIs and languages help enterprises achieve true DevSecOps transformation and compliance.

Contrast protects against major cybersecurity attacks for its customer base which represents some of the largest brand-name companies in the world, including BMW, AXA, Zurich, NTT, SOMPO Japan and American Red Cross, as well as numerous other leading global Fortune 500 enterprises. Contrast partners with global organizations such as AWS, Microsoft, IBM Cloud, Guidepoint Security, Trace3, Deloitte and Carahsoft, to seamlessly integrate and achieve the highest level of security for customers.

The growing demand for the world's only platform for code security has landed the company on some of the most prestigious lists including the Inc. 5000 List of America's Fastest Growing Companies and has designated Contrast as one of the fastest growing companies on the Deloitte Technology Fast 500 List.

Tag

#vmware