
Update 21st February 2023 at 14:25 UTC

Overview

A vSphere ESXi update has been released by VMware to address a known issue on Windows Server 2022 virtual machines that prevented them from booting up after installing the KB5022842 update. VMware reported that the issue is caused by UEFI Secure Boot rejecting a new form of digital signature on the EFI bootloader.

Updated Affected Products

Windows Server 2022 virtual machines with ‘Secure Boot’ enabled and running on the following versions are affected by this issue:

– vSphere ESXi 6.7 U2/U3
– vSphere ESXi 7.0.x.

Updated Containment, Mitigations & Remediations

An additional patch has been released for this virtual machine flaw. It is strongly recommended that the ‘ESXi 7.0 Update 3K’ is applied to resolve the issue. This will allow administrators to restart virtual machines that will no longer boot following the initial update.

VMware has reported that:

“After you patch a host to ESXi 7.0 Update 3k, you can migrate a running Windows Server 2022 VM from a host of version earlier than ESXi 7.0 Update 3k, install KB5022842, and the VM boots properly without any additional steps required.”

Moreover, VMware has provided administrators with the following set of temporary workarounds that should be implemented in the event that the latest update cannot be immediately applied:

– Upgrade the ESXi host where the virtual machine in question is running to vSphere ESXi 8.0
– Disable ‘Secure Boot’ on the virtual machines
– Do not install the KB5022842 patch on any Windows 2022 Server virtual machine until the issue is resolved.

Additionally, the Secure Boot option can be disabled for each virtual machine by following the steps below:

– Power off the virtual machine
– Right-click the virtual machine and select ‘Edit Settings’
– Select the ‘VM Options’ tab
– Under Boot Options, uncheck ‘Secure Boot enabled’.

It should be noted that if the KB5022842 Windows Server 2022 cumulative update has already been installed, uninstalling it will not resolve the issue. In such a case, to ensure that the virtual machine can boot again, the ESXi host must be updated to vSphere ESXi 8.0, or ‘Secure Boot’ must be disabled.

Further details can be found on the VMware documentation page.

Updated Further Information

Bleeping Computer Article

Update 16th February 2023 at 22:34 UTC

Overview

A modified variant of the recently discovered ESXiArgs malware has been detected one week after the Cybersecurity and Infrastructure Security Agency (CISA) released a recovery script to combat the ransomware strain.

Updated Vulnerability Detection

Victims of an ESXiArgs ransomware attack can identify the new variant by its ransom note, which directs the victim to contact the threat actor via the TOX encrypted messenger platform. The ransom note from the previous ESXiArgs variant, the one mitigated by the CISA-issued decryptor script, included a Bitcoin address instead.

Updated Affected Products

There have been no newly reported affected product versions. However, CISA and the FBI have stated that there are now approximately 3,800 servers that have been victimised by the ransomware at the time of this update.

Updated Containment, Mitigations & Remediations

ESXi users are still strongly recommended to upgrade to the latest version of ESXi to mitigate potential threats as well as restrict access to the OpenSLP service to trusted IP addresses. The relevant updates have been outlined below:

– ESXi versions: ESXi650-202102101-SG, ESXi670-202102401-SG and ESXi70U1c-17325551
– ESXi Cloud Formation Suite versions: KB82705 and 4.2

The patch file for the relevant VMware versions can be downloaded through the VMware advisory page.

Updated Further Information

Dark Reading Article

13 February 2023

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level – High (CVSSv3 base score of 8.8): Compromise may result in the loss of confidentiality and integrity of data.

VMware ESXi hypervisors have been targeted through a campaign of cyber-attacks designed to deploy ransomware on compromised systems, a ransomware strain that is being tracked under the name ‘ESXiArgs’.

The vulnerability is being tracked as CVE-2021-21974. VMware also provided a further technical update on the security issue, in which they attributed it to an ‘OpenSLP heap-overflow’ vulnerability that could potentially result in arbitrary code execution. They further declared in the advisory that:

“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.”

Just prior to the time of writing, OVHcloud emphasised that there was no evidence linking the intrusions to the recently emerging Nevada ransomware due to a lack of resemblance within the associated ransom note. The ransomware is, however, still indicative of a Rust-based strain, a locker that has been confirmed to have been utilised by the following ransomware groups: BlackCat, Hive, Luna, Nokoyawa, RansomExx, and Agenda.

Italy’s National Cybersecurity Agency (ACN) stated that the affected countries were France and Finland as well as the United States and Canada.

Coinciding with these attacks, a new variant of the Royal ransomware strain has also emerged that specifically targets VMware ESXi virtual machines. Royal is a ransomware affiliated with the threat actor group Dev-0569, which typically applies spear phishing and malvertising techniques to infect victims with its chosen malware.

Impact

OpenSLP as used in ESXi systems (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) contains a heap-overflow vulnerability. A malicious actor residing within the same network segment as the ESXi systems, who has access to port 427, may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

With regards to the Royal ransomware, after deploying their payloads on ESXi hosts, the ransomware operators use a single command to encrypt multiple servers. Successful exploitation by the Royal ransomware strain will result in the encryption and exfiltration of significant quantities of data contained on target systems. The ransom fee demanded will almost certainly depend on the estimated value of the compromised organisation.

Vulnerability Detection

VMware has patched the vulnerabilities for the respective product versions. As such, previous versions are vulnerable to the potential exploits.

With regards to the Royal ransomware strain, a comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide effective protection against ransomware threats such as Royal. EDRs can alert system users of potential breaches and end the malware process during early signs of an attack attempt, therefore limiting the scope of damage.

If an EDR solution is not being used, the first instance of detection is likely to be the ransom note. The note will be labelled as:

– README.TXT

Furthermore, all files held on the system will contain a new file extension:

– .royal

Affected Products

– ESXi versions: 6.5, 6.7 and 7.0
– ESXi Cloud Formation Suite versions: 3.x and 4.x

Containment, Mitigations & Remediations

Users are recommended to upgrade to the latest version of ESXi to mitigate potential threats as well as restrict access to the OpenSLP service to trusted IP addresses. Two relevant updates have been outlined below:

– ESXi versions: ESXi650-202102101-SG, ESXi670-202102401-SG and ESXi70U1c-17325551
– ESXi Cloud Formation Suite versions: KB82705 and 4.2

The patch file for the relevant VMware versions can be downloaded through the VMware advisory page.

Indicators of Compromise

Miscellaneous IOCs:

– Encryption uses a public key deployed by the malware in ‘/tmp/public.pem’
– The encryption process specifically targets virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem)
– The malware attempts to shut down virtual machines by killing the VMX process to unlock the file
– The malware creates an ‘argsfile’ to store arguments passed to the encryption binary
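As an added example (not from the bulletin, VMware or CISA), the following POSIX shell functions sweep an ESXi host for the artefacts named under Vulnerability Detection (README.TXT, the .royal extension) and in the IOC list above (/tmp/public.pem, argsfile), and report whether the OpenSLP service that CVE-2021-21974 resides in is still running. It assumes it is run from the ESXi shell with the host root and datastore mount point passed as parameters; the slpd and esxcli commands are the ones VMware documents for managing the SLP service and are skipped where they do not exist.

```shell
#!/bin/sh
# Added example, not the bulletin's or VMware's own tooling.
# Assumed invocation on a live host: list_iocs / /vmfs/volumes

# Print every path that matches an artefact named in the bulletin.
list_iocs() {
  root="$1"; datastores="$2"
  # ESXiArgs drops the public key used for encryption in /tmp/public.pem.
  [ -f "$root/tmp/public.pem" ] && echo "$root/tmp/public.pem"
  # ESXiArgs writes an 'argsfile' beside the VM files it encrypts; Royal
  # drops README.TXT and renames encrypted files with a .royal extension.
  find "$datastores" -type f \
    \( -name argsfile -o -name README.TXT -o -name '*.royal' \) 2>/dev/null
}

# Number of artefacts found; zero means none of the listed IOCs are present.
count_iocs() {
  list_iocs "$1" "$2" | wc -l | tr -d ' '
}

# State of the SLP daemon and its firewall ruleset (VMware's documented
# commands for the service). They exist only on ESXi, so elsewhere this
# prints "not-esxi" rather than failing.
slp_exposure() {
  if ! command -v esxcli >/dev/null 2>&1; then echo "not-esxi"; return 0; fi
  /etc/init.d/slpd status 2>/dev/null
  esxcli network firewall ruleset list -r CIMSLP
}
```

A non-zero count from count_iocs or a running slpd with the CIMSLP ruleset enabled is the condition to act on: isolate the host, preserve the datastore for forensics and apply the patches listed under Containment.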

Associated Royal SHA-256 file hashes:

– 2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
– 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
– f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429

Associated Royal IP addresses:


Associated Royal domains:


Encrypted files carry a ‘.royal’ file extension.

Threat Landscape

VMware possesses approximately 52.4% of the virtualisation market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to spend their time on. As a result, VMware products have become a prime target for threat actors. Due to the fact that virtual machines have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities contained within the associated devices in an attempt to extract the sensitive data contained therein.

Royal represents the continuous evolution and introduction of new ransomware variants to the online threat landscape. Malvertising is especially dangerous as online shoppers are more susceptible to clicking on the wrong advert as they seek money-saving deals. Online adverts labelled as legitimate Google advertisements are highly likely to deceive even those who are aware of this tactic and trained in spotting the signs of such deception. This therefore makes the campaign sophisticated. The ransomware group’s shift towards targeting ESXi virtual machines aligns with a trend where enterprises have transitioned to VMs as they come with improved device management and much more efficient resource handling.

Threat Group

No specific threat actor group has been declared to have been responsible for the generalised spread of ransomware attacks on the ESXi systems. However, it is not uncommon for threat actors to target VMware appliances in their attacks, meaning that it is essential that the recommended patches are applied as soon as possible.

In terms of the Royal ransomware, Dev-0569 is an experienced threat group that has conducted a significant number of previous attacks. The group has experience using multiple variants of ransomware including BlackCat, ZEON and, most recently, Royal. The continued deployment of ransomware suggests that the motivation is highly likely to be that of financial gain.

Mitre Methodologies

Royal ransomware Mitre methodologies:

Initial Access:

T1189 – Drive-by Compromise
T1566 – Phishing

Collection:

T1005 – Data from Local System

Persistence:

T1098 – Account Manipulation

Impact:

T1489 – Service Stop
T1490 – Inhibit System Recovery

Further Information

Hacker news article
CVE Mitre report
VMware advisory
Reuters article
Register report
