Reminder: If your utility has any unpatched VMware ESXi servers online, you are encouraged to isolate them immediately and address accordingly.
While the targeting continues, so does the cat-and-mouse game. As authorities and cybersecurity firms are aiding organizations in remediating and recovering, threat actors are improving their initially poor code, thus making data recovery much more difficult. Additionally, according to reports based on Shodan and other open source data, the threat actors appear to be reinfecting hosts with the updated code to encrypt more files than the initial infection was able to. Likewise, while CISA and the FBI have published Alert (AA23-039A) ESXiArgs Ransomware Virtual Machine Recovery Guidance, which includes a recovery script, ESXiArgs-Recover (hosted on GitHub), at the time of this writing it is believed the script may not fully restore encrypted files. Visit BleepingComputer for more.
We can’t stress enough that if your utility has any unpatched VMware ESXi servers online, you are encouraged to isolate them immediately and address accordingly. System administrators are encouraged to address promptly – specifically, update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online.
If you have exposed ESXi servers in an environment (e.g., OT network) where it is not practical to update or upgrade due to various business constraints that may, for example, void support contracts, please coordinate an appropriate response with relevant OEMs and/or system integrators.
WaterISAC will continue to track this developing campaign and provide relevant updates as appropriate. Members are encouraged to report any suspicious activity relevant to this report to WaterISAC by emailing [email protected], calling 866-H2O-ISAC, or using the online incident reporting form. Also, incidents may be reported to CISA at cisa.gov/report, FBI at a local FBI Field Office, or the U.S. Secret Service (USSS) at a USSS Field Office.
Additional Resources
- ESXiArgs: What you need to know and how to protect your data (TrustedSec)
- ESXiArgs: The code behind the ransomware (TrustedSec)
- An Analysis of the VMware ESXi Ransomware Blitz (Intel471)
- Exploit Vector Analysis of Emerging ‘ESXiArgs’ Ransomware (GreyNoise)
- ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware (SecurityWeek)
- Using VMWare? Worried about “ESXi ransomware”? Check your patches now! (Sophos)
February 7, 2023
Action strongly recommended if your utility has unpatched VMware ESXi servers online. System administrators are encouraged to address promptly.
If your utility has any unpatched VMware ESXi servers online, you are encouraged to take them offline immediately and address accordingly.
On Saturday morning, WaterISAC distributed an advisory via email to members regarding widespread reporting that, on Friday afternoon, attackers began actively targeting unpatched VMware ESXi servers with a two-year-old remote code execution vulnerability to deploy ransomware. The vulnerability is tracked as CVE-2021-21974.
CVE-2021-21974 affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
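As an added example (not WaterISAC's or VMware's code) covering the patch-level list above and the hardening steps in the update at the top of this page: a small ESXi shell triage script (hypothetical name esxi_triage.sh) that classifies the output of `esxcli system version get` against the fixed levels listed, reports whether the OpenSLP service is still enabled at boot, and wraps the disable sequence from VMware KB 76372. The 7.x comparison uses the numeric build from this page; the 6.5/6.7 fixes are named bulletins, so the script flags those hosts for manual confirmation against the VMware advisory.

```sh
#!/bin/sh
# Added triage helper, not code from WaterISAC or VMware. Assumes the ESXi shell
# (busybox sh); the parse/classify functions also run on any POSIX sh for testing.

# classify_build VERSION BUILD -> prints one of:
#   VULNERABLE  : 7.x build older than the fixed build ESXi70U1c-17325551
#   PATCHED     : 7.x build at or above 17325551
#   CHECK_PATCH : 6.7.x / 6.5.x, whose fixes are named bulletins (ESXi670-202102401-SG,
#                 ESXi650-202102101-SG); confirm the installed patch level against the VMSA
#   UNKNOWN     : any other version string, or a build that is not numeric
classify_build() {
    ver=$1; build=$2
    case "$ver" in
        7.*)
            if [ "$build" -lt 17325551 ] 2>/dev/null; then echo VULNERABLE
            elif [ "$build" -ge 17325551 ] 2>/dev/null; then echo PATCHED
            else echo UNKNOWN; fi ;;
        6.7*|6.5*) echo CHECK_PATCH ;;
        *) echo UNKNOWN ;;
    esac
}

# parse_version_output: reads `esxcli system version get` text on stdin and prints
# "VERSION BUILD", e.g. "7.0.1 17325551" from a "Build: Releasebuild-17325551" line.
parse_version_output() {
    awk -F': *' '/^ *Version:/ {v=$2} /^ *Build:/ {sub(/.*-/, "", $2); b=$2} END {print v, b}'
}

# slp_status: succeeds only if the OpenSLP daemon is disabled at boot (chkconfig);
# this is the service the advisory says to disable before putting hosts back online.
slp_status() { chkconfig --list 2>/dev/null | grep -q '^slpd[[:space:]]*off'; }

# disable_slp: the VMware KB 76372 sequence to stop SLP, close its firewall ruleset
# and keep it off across reboots.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Run on the host: ./esxi_triage.sh --host  (without --host the functions are only defined)
if [ "${1:-}" = "--host" ]; then
    set -- $(esxcli system version get | parse_version_output)
    echo "ESXi $1 build $2: $(classify_build "$1" "$2")"
    if slp_status; then echo "slpd: disabled at boot"; else echo "slpd: still enabled; run disable_slp"; fi
fi
```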
There is a widespread “ESXiArgs” ransomware attack targeting unpatched ESXi servers. Initially, there was speculation that the attacks were attributable to the Nevada ransomware group, as that group has also been exploiting ESXi, but it has since been determined that “ESXiArgs” is a new ransomware variant.
According to original reporting by Bleeping Computer, “admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware. Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks. ‘As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,’ CERT-FR said.”
This is a developing series of attacks. Members are encouraged to report any suspicious activity relevant to this report to WaterISAC. Likewise, according to SC Media, CISA is working with its public and private sector partners to assess the impacts of these reported incidents and provide assistance where needed. Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.
Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email [email protected], call 866-H2O-ISAC, or use the online incident reporting form.
Additional Resources