VMware ESXi servers are being hit by a new ransomware campaign called ESXiArgs. The attackers exploit CVE-2021-21974, a two-year-old heap overflow in the OpenSLP service that listens on port 427. Per VMware's advisory, any unauthenticated actor who can reach that port on the same network segment can trigger it. CERT-FR reports that the hosts targeted so far are ESXi 6.x hypervisors prior to 6.7, but note that the vulnerability itself also affects 6.7 and 7.0 (see the list below); the narrower targeting is a property of this campaign, not of the bug. VMware has confirmed that the attack relies on this previously patched flaw and not on a zero-day.
The French Computer Emergency Response Team (CERT-FR) recommends applying the patch and, on ESXi hypervisors that have not yet been updated, disabling the vulnerable Service Location Protocol (SLP) service in the meantime.
CVE-2021-21974 (VMSA-2021-0002) affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
It is also advised to scan unpatched systems for signs of compromise: patching after the fact closes the door but does not evict an attacker who is already inside.
According to a Censys search, 2,400 VMware ESXi devices worldwide are currently detected as compromised. The ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions and drops a .args file next to each encrypted file.
BleepingComputer shared the technical details of the attack. If you have been hit, security researcher Enes Sonmez (@enes_dev) has published a VMware ESXi recovery guide that has allowed many admins to rebuild their virtual machines and recover their data for free.
Validate whether you are affected
First install our open source tool cnspec:
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
Verify that slpd is not running
Connect to the ESXi host via the vSphere API (replace user and vsphere-ip with the account and host you use; the original placeholders were mangled in this copy of the post):
cnspec shell vsphere user@vsphere-ip --ask-pass
Then enter the following MQL query. It returns true when no service with key slpd is running on the host, and false if SLP is still up:
vsphere.host.services.none(key == "slpd" && running == true)
Validate that all patches are installed
To get access to the vulnerability database, log in to the Mondoo Platform. Then use cnspec to assess the missing patches for your ESXi server (again, substitute your own user and host):
cnspec vuln vsphere user@vsphere-ip --ask-pass
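For hosts where you cannot install cnspec, or where you want a second opinion straight from the hypervisor, the same three checks (vulnerable build, slpd still running, .args marker files present) can be done from the ESXi busybox shell. The script below is an added example, not Mondoo's code and not part of the original post. It takes each command's output as a function argument so the logic can be exercised offline; only the last section runs live commands. Assumptions: the 7.0 fixed build 17325551 comes from the patch name above, while the 6.7 and 6.5 build numbers (17499825 and 17477841) are what ESXi670-202102401-SG and ESXi650-202102101-SG shipped as according to VMware's release notes and should be confirmed before you rely on them; the "slpd is running" / "slpd is not running" text is assumed to be what /etc/init.d/slpd status prints.

```shell
#!/bin/sh
# Added example (not Mondoo's code): CVE-2021-21974 / ESXiArgs triage from the
# ESXi busybox shell. Functions take command output as arguments so they can be
# tested away from a hypervisor; the live section at the bottom only runs on ESXi.

# Fixed builds per VMSA-2021-0002. 17325551 is from the patch name ESXi70U1c-17325551.
# The 6.7 and 6.5 values are the builds of ESXi670-202102401-SG and
# ESXi650-202102101-SG per VMware release notes: assumption, verify before relying on them.
FIXED_BUILD_70=17325551
FIXED_BUILD_67=17499825
FIXED_BUILD_65=17477841

# esxi_build_vulnerable "<output of: vmware -v>"
# returns 0 if the build predates the fix for its release line, 1 if fixed or later,
# 2 if the banner cannot be parsed or the release line has no fix (6.0 and older).
esxi_build_vulnerable() {
    parsed=$(printf '%s' "$1" |
        sed -n 's/.*ESXi \([0-9]*\.[0-9]*\)[^ ]* build-\([0-9]*\).*/\1 \2/p')
    [ -n "$parsed" ] || return 2
    set -- $parsed            # $1 = major.minor, $2 = build number
    case "$1" in
        7.0) fixed=$FIXED_BUILD_70 ;;
        6.7) fixed=$FIXED_BUILD_67 ;;
        6.5) fixed=$FIXED_BUILD_65 ;;
        *)   return 2 ;;
    esac
    [ "$2" -lt "$fixed" ]
}

# slpd_is_running "<output of: /etc/init.d/slpd status>"
# Assumes the init script prints "slpd is running" or "slpd is not running".
slpd_is_running() {
    case "$1" in
        *"is not running"*) return 1 ;;
        *"is running"*)     return 0 ;;
        *)                  return 2 ;;
    esac
}

# args_marker_count <directory>
# ESXiArgs drops a .args file beside every file it encrypts, so any hit under
# /vmfs/volumes is a strong indicator of compromise. Prints the count.
args_marker_count() {
    find "$1" -type f -name '*.args' 2>/dev/null | wc -l | tr -d ' '
}

# Live run: only meaningful on a real ESXi host, skipped elsewhere.
if command -v vmware >/dev/null 2>&1 && [ -x /etc/init.d/slpd ]; then
    ver=$(vmware -v)
    rc=0; esxi_build_vulnerable "$ver" || rc=$?
    case $rc in
        0) echo "VULNERABLE: '$ver' predates the fixed build, patch now" ;;
        1) echo "patched: '$ver'" ;;
        *) echo "no fixed build known for '$ver', review manually" ;;
    esac
    if slpd_is_running "$(/etc/init.d/slpd status 2>&1)"; then
        echo "slpd is running: stop it with '/etc/init.d/slpd stop' and 'chkconfig slpd off'"
    fi
    echo "$(args_marker_count /vmfs/volumes) .args marker files found under /vmfs/volumes"
fi
```

Run it on the host with `sh esxi_triage.sh`; a "VULNERABLE" line or a non-zero .args count is your cue to isolate the host before doing anything else. Disabling SLP via the init script is the same workaround CERT-FR refers to above, and the firewall ruleset for it (CIMSLP) can be closed with esxcli as described in VMware's KB.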
Continuously assess VMware vCenter Server
The Mondoo Platform covers vCenter Server end to end: deploy our vCenter appliance in minutes, get vCenter and ESXi vulnerability management, and check your hosts against the CIS VMware ESXi 7.0 Benchmark.
Don't let ESXiArgs ransomware attack your VMware ESXi servers! Take proactive measures and secure your systems with the power of Mondoo. Sign up for a free account today to easily validate your systems and continuously assess vulnerabilities with the latest security updates. Or book a demo with us to see how Mondoo can revolutionize your cybersecurity strategy. Don't wait until it's too late, protect your systems now with Mondoo.