Fixed vulnerability of 2021 is actively used in attacks on VMware ESXI servers

French response group to computer emergency situations (CERT-FR) cve-2021-21974 ( CVSS: 8.8) can be used by a hacker that has not passed authenticity. It is worth noting that the correction of the error was released in February 2021.

In order to block incoming attacks, administrators must disable the vulnerable protocol for determining the location of the service (SLP) on ESXI hypervisors, which have not yet been updated. Cert-FR added that not updated systems should also scan for the presence of signs of compromise.

CVE-2021-21974 affects the following systems:

  • ESXI version 7.X to ESXI70U1C-173255551;
  • version 6.7.X to ESXI670-202102401-SG;
  • ESXI version 6.5.x to ESXI650-202102101-SG .

According to Censys, about 3200 VMware ESXI servers around the world were compromised during the ESXIARGS program campaign. This malware encrypts files with extensions “.VMXF”, “.VMX”, “.VMDK”, “.VMSD” and “.NVRAM” on compromised ESXI servers and creates a file “.args” for each encrypted document with metadators (probably necessary for decoding).

In infected ESXIARGS systems, it leaves a note demanding a ransom called “Ransom.html” and “How to Restore Your Files.html” in format. “.txt”.

Brushing note ESXIARGS

Michael Gillespi from ID Ransomware analyzed the encryption and said that encrypted files cannot be decrypted. For encryption, ESXIARGS generates 32 bytes using a protected pseudo -liable number generator (CPRNG), and then this key is used to encrypt a file using Sosemanuk, a safe stream cipher. The file key is encrypted using RSA and added to the end of the file.

The use of Sosemanuk algorithm indicates that Esxiargs is probably based on the leak of the Babuk source code, which was previously used in other campaigns against ESXI, such as Cheerscrypt.

Earlier, Cybersecurity researcher Will Thomas from the Equinix (ETAC) threat analysis center found that the new version of the Royal Ransomware program added Linux encryption support for VMware ESXI virtual machines.

For the injured, the security researcher Enes Sonmes created the leadership , which will help administrators reconfigure their virtual machines and restore data for free. And the specialists of the BleepingComputer publication launched

/Media reports cited above.