By Caique Barqueta: Thousands of servers around the world are being hit by a large-scale hacker attack that demands Bitcoin for ransom.
Countries such as Italy, France, Finland, the United States and Canada are under attack. In France, for example, the cybersecurity agency has already warned the country's organizations to take precautionary measures.
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has already stated that it will take measures to assess the impact of the incidents, working in partnership with public and private sector entities.
These warnings concern a massive ESXiArgs ransomware attack. The ransomware targets VMware ESXi servers that have not been patched against a remote code execution vulnerability published more than 2 years ago.
The vulnerabilities, tracked as CVE-2021-21974 and CVE-2020-3992, are memory-safety flaws in the OpenSLP service (a heap overflow and a use-after-free, respectively). The service listens on port 427 on an ESXi host, and exploiting either flaw can lead to remote code execution.
According to the CERT-BR publication, "according to current investigations, these attack campaigns appear to be exploiting the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021".
To block incoming attacks, administrators need to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that have not yet been updated.
CVE-2021-21974 affects the following systems and versions:
- ESXi 7.x versions prior to ESXi70U1c-17325551
- ESXi 6.7.x versions prior to ESXi670-202102401-SG
- ESXi 6.5.x versions prior to ESXi650-202102101-SG
According to research carried out using Censys data, 2,453 assets have already been compromised by the ransomware; 1,213 of them are in France alone.
Another survey reported different figures, with approximately 850 compromised assets; in Brazil, so far, no server has been reported as a victim.
It is of the utmost importance that administrators and organizations running the versions targeted by this ransomware apply security measures such as firewalling the service and continuous monitoring.
Finally, a survey of the VMware ESXi servers exposed on the Internet, and of their versions, found a total of 84,236 servers, 7,716 of them in Brazil.
Ransomware analysis and technical details
In addition to the alert, it was possible to obtain a sample of the ESXiArgs ransomware: this variant targets files with the extensions .vmxf, .vmx, .vmdk, .vmsd and .nvram on compromised ESXi servers and creates a ".args" file containing metadata alongside each encrypted file.
After the compromise, ransom notes named "ransom.html" and "How to Restore Your Files.html" are created on the target systems, and the following screen is displayed when the server is accessed:
On February 5th, a network administrator managed to recover a copy of the ESXiArgs ransomware and the associated shell script. Analysis of the script and the malicious payload made it possible to identify how the attack takes place.
Post-compromise
When the server is breached, the following files are stored in the /tmp folder:
- encrypt: the ELF executable of the ransomware;
- encrypt.sh: a shell script that implements the attack logic, performing various tasks before executing the malicious payload;
- public.pem: a public RSA key used to encrypt the per-file encryption key;
- motd: the ransom note in text form, copied to /etc/motd so that it is displayed on the login screen. The original file is copied to /etc/motd1;
- index.html: the ransom note in HTML form, which replaces the VMware ESXi home page. The original file is copied to index1.html in the same folder.
The ESXiArgs variant is probably based on the leaked Babuk ransomware source code, which has been used by other ESXi ransomware campaigns.
The ransomware binary is launched by the shell script with several command-line arguments: the RSA public key file, the file to encrypt, the amount of data to skip between encrypted blocks, the size of an encryption block and the size of the file.
usage: encrypt <public_key> <file_to_encrypt> [<enc_step>] [<enc_size>] [<file_size>]
enc_step - number of MB to skip while encryption
enc_size - number of MB in encryption block
file_size - file size in bytes (for sparse files)
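The usage text above implies a block-and-skip layout. As an added example (not code from the report or from the ransomware), the following Python models that layout so a responder can estimate how much of a large .vmdk was actually rewritten; it assumes the binary encrypts one block of enc_size MB, skips enc_step MB and repeats to the end of the file, and treats the third .args field as a byte count.

```python
# Added example; the block/skip behaviour below is an assumption drawn from the usage text.
MB = 1024 * 1024

def parse_args_file(text):
    """Parse the '<size_step> 1 <size>' line the script writes to <file>.args.
    The third field's unit is the script's; this example treats it as bytes."""
    parts = text.split()
    if len(parts) != 3:
        raise ValueError("unexpected .args layout: %r" % text)
    enc_step, enc_size, size = (int(p) for p in parts)
    return enc_step, enc_size, size

def encrypted_ranges(file_size, enc_step, enc_size=1):
    """Byte ranges [(start, end), ...] covered by encryption blocks.
    ASSUMPTION: encrypt enc_size MB, skip enc_step MB, repeat until end of file."""
    ranges, pos = [], 0
    block, skip = enc_size * MB, enc_step * MB
    if block <= 0:
        return ranges
    while pos < file_size:
        end = min(pos + block, file_size)
        ranges.append((pos, end))
        pos = end + skip              # leave enc_step MB of plaintext untouched
    return ranges

def encrypted_fraction(file_size, enc_step, enc_size=1):
    """Share of the file actually rewritten; with a large step most of a big
    file is left intact, which is what made partial recovery feasible."""
    if file_size <= 0:
        return 0.0
    covered = sum(e - s for s, e in encrypted_ranges(file_size, enc_step, enc_size))
    return covered / file_size

if __name__ == "__main__":
    # Constructed .args content: step 100 MB, 1 MB blocks, 10 GiB file.
    step, blk, size = parse_args_file("100 1 %d\n" % (10240 * MB))
    print("blocks:", len(encrypted_ranges(size, step, blk)))
    print("fraction rewritten: %.4f" % encrypted_fraction(size, step, blk))
```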
The payload is launched by the "encrypt.sh" shell script, which implements the attack logic described below:
When started, the script runs a command that modifies the ESXi virtual machine configuration files (.vmx) so that the strings ".vmdk" and ".vswp" are replaced with "1.vmdk" and "1.vswp".
The script then terminates all running virtual machines, forcibly shutting them down with "kill -9" against every process whose name contains the string "vmx".
The script then uses "esxcli storage filesystem list | grep "/vmfs/volumes" | awk -F' ' '{print $2}'" to obtain the list of ESXi volumes.
It will search these volumes for files with the following extensions:
- .vmdk
- .vmx
- .vmxf
- .vmsn
- .vswp
- .vmss
- .nvram
- .vmem
For each file found, the script creates a [file].args file in the same folder, containing the calculated size step, the value '1' and the size of the file.
For example, server.vmx will have an associated server.vmx.args file.
The script then runs the "encrypt" executable against each file with the calculated parameters.
After encryption, the script replaces the ESXi index.html file and the server's motd file with the ransom notes.
The script then performs a cleanup, removing what appears to be a backdoor installed at /store/packages/vmtools.py and deleting several lines from the following files:
- /var/spool/cron/crontabs/root
- /bin/hostd-probe.sh
- /etc/vmware/rhttpproxy/endpoints.conf
- /etc/rc.local.d/local.sh
Finally, the script runs /sbin/auto-backup.sh to update the configuration, saving it to /bootbank/state.tgz, and then starts SSH.
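As an added example (not the report's or the ransomware's code), the following Python scans a directory tree for the leftovers the steps above describe: .args sidecars, the motd1 and index1.html copies, the /store/packages/vmtools.py path, and .vmx files whose disk references were renamed to X1.vmdk while X.vmdk still exists. The sample tree it builds is constructed for the demo, and paths are taken relative to the scanned root.

```python
import os
import re
import tempfile

# Added example, not the report's or the ransomware's code. Paths are relative
# to the scanned root, so <root>/etc/motd1 stands in for /etc/motd1.
ARGS_SUFFIXES = tuple(e + ".args" for e in (".vmdk", ".vmx", ".vmxf", ".vmsn", ".vswp", ".vmss", ".nvram", ".vmem"))
NOTE_BACKUPS = ("motd1", "index1.html")        # copies the script keeps of the originals
BACKDOOR = os.path.join("store", "packages", "vmtools.py")
RENAMED_REF = re.compile(r'([^"\s]+?)1(\.vmdk|\.vswp)')

def renamed_refs(dirpath, vmx_path):
    """Flag X1.vmdk/X1.vswp references where X1.* is absent but X.* exists."""
    text = open(vmx_path, errors="replace").read()
    for stem, ext in RENAMED_REF.findall(text):
        if (os.path.exists(os.path.join(dirpath, stem + ext))
                and not os.path.exists(os.path.join(dirpath, stem + "1" + ext))):
            return {("renamed_reference", vmx_path)}
    return set()

def scan(root):
    """Return sorted (indicator, path) pairs for ESXiArgs leftovers under root."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ARGS_SUFFIXES):
                hits.add(("args_sidecar", path))
            if name in NOTE_BACKUPS:
                hits.add(("note_backup", path))
            if path.endswith(BACKDOOR):
                hits.add(("backdoor_path", path))
            if name.endswith(".vmx"):
                hits |= renamed_refs(dirpath, path)
    return sorted(hits)

def build_sample_tree():
    """Constructed tree imitating a hit datastore plus host files; returns its root."""
    root = tempfile.mkdtemp(prefix="esxiargs_demo_")
    sample = {"vmfs/volumes/ds1/srv/srv.vmx": 'scsi0:0.fileName = "srv1.vmdk"\n',
              "vmfs/volumes/ds1/srv/srv.vmdk": "constructed disk stub\n",
              "vmfs/volumes/ds1/srv/srv.vmdk.args": "10 1 1073741824\n",
              "etc/motd1": "original motd\n",
              "store/packages/vmtools.py": "# constructed placeholder\n"}
    for rel, body in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").write(body)
    return root
```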
Recovery and Mitigation
For companies that have fallen victim to this ransomware, the security researchers Enes and Ebuzeyd have published a guide to decrypting .vmdk files affected by the CVE-2020-3992 attack.
In addition, administrators can add the indicators of compromise for the backdoors mentioned in this alert to their detection tooling in order to identify possible attacks.
Finally, we share the recommendations and security measures companies should apply in order to prevent and identify ransomware attacks:
- Regular backups: store backup copies of all important data in a secure, disconnected location;
- Software updates: keep all asset software up to date, including operating systems and applications;
- Network protection, such as firewalls, antivirus and other security measures, to protect your network;
- Awareness work with employees, teaching them how to recognize and avoid threats such as phishing and clicking on malicious links;
- Regular monitoring of your network and systems in order to identify and respond quickly to any suspicious activity;
- Creation and exercise of an incident response plan that covers ransomware attacks, including backup and system recovery procedures.
Indicators of Compromise
ISH Tecnologia handles a number of Indicators of Compromise collected from open and closed sources, as well as from analysis carried out by the Heimdall security team. Below we list all the Indicators of Compromise (IOCs) related to the analysis of the artifact(s) in this report.
| Artifact | Field | Value |
| --- | --- | --- |
| Python backdoor - VMware ESXi servers | md5 | c358fe0e8837cc577315fc38892b937d |
| | sha1 | 5e5c89147d248e16d24d673a1f77589c892db6f6 |
| | sha256 | 773d147a031d8ef06ee8ec20b614a4fd9733668efeb2b05aa03e36baaf082878 |
| | File name | vmtools.py |
| Python backdoor - VMware ESXi servers | md5 | f79cd574296a6783d34845c0fd75bd33 |
| | sha1 | 56695beccc5593851fd0aed88312a6247ff4aa39 |
| | sha256 | ceeb337778efe3c62a4ce04d750f60e773133dc7c99b661a5040e35afa16f426 |
| | File name | Loca.sh |
| Ransomware ESXiArgs malicious payload | md5 | 87b010bc90cd7dd776fb42ea5b3f85d3 |
| | sha1 | f25846f8cda8b0460e1db02ba6d3836ad3721f62 |
| | sha256 | 11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66 |
| | File name | encrypt |