RSM Defense Intelligence has observed open-source reporting, as well as a notification from CISA (JCSA_AA23-039A), indicating that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. Vulnerabilities used by the malicious actors include CVE-2021-21974 (CVSS 8.8), CVE-2020-3992 (CVSS 9.8) and CVE-2019-5544 (CVSS 9.8). The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied; the current version of VMware ESXi is 8.0.0.
ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts the configuration files associated with the VMs; it does not encrypt the flat files that hold the virtual disk data. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files from the unencrypted flat files. The recovery script that CISA has provided automates the process of recreating these configuration files after a ransomware infection. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem. During the writing of this report, a BleepingComputer article reported that newly found versions of ESXiArgs ransomware prevent the VMware ESXi recovery script from working. BleepingComputer still recommends attempting to recover encrypted ESXi servers using CISA's recovery script.
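An added example, not CISA's script and not RSM's own code, of the recovery idea described above: rebuilding a VM's disk descriptor (the .vmdk text file) from the size of its untouched -flat.vmdk. The descriptor layout is the standard VMware format; the geometry rule (255 heads, 63 sectors per track, cylinders rounded down), the default hardware version and the file names are assumptions.

```python
import os

SECTOR = 512                          # bytes per disk sector
HEADS, SECTORS_PER_TRACK = 255, 63    # assumed geometry for the DDB entries

def flat_sectors(flat_size_bytes: int) -> int:
    """Sector count of the flat extent. A size that is not a whole number of
    sectors means the flat file itself is truncated or damaged, so refuse it."""
    if flat_size_bytes <= 0 or flat_size_bytes % SECTOR:
        raise ValueError(f"flat file size {flat_size_bytes} is not sector-aligned")
    return flat_size_bytes // SECTOR

def build_descriptor(vm_name: str, flat_size_bytes: int, hw_version: int = 14) -> str:
    """Return the text of <vm_name>.vmdk describing <vm_name>-flat.vmdk
    (standard VMware descriptor layout; the hw_version default is an assumption)."""
    sectors = flat_sectors(flat_size_bytes)
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)   # rounded down (assumption)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {sectors} VMFS "{vm_name}-flat.vmdk"',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        f'ddb.virtualHWVersion = "{hw_version}"',
    ]) + "\n"

def rebuild_descriptor(vm_dir: str, vm_name: str) -> str:
    """Write a new <vm_name>.vmdk beside an intact <vm_name>-flat.vmdk and return
    its path. Never overwrites an existing descriptor, so a good one is not clobbered."""
    flat = os.path.join(vm_dir, f"{vm_name}-flat.vmdk")
    descriptor = os.path.join(vm_dir, f"{vm_name}.vmdk")
    if os.path.exists(descriptor):
        raise FileExistsError(f"{descriptor} already exists; inspect it first")
    text = build_descriptor(vm_name, os.path.getsize(flat))
    with open(descriptor, "w") as fh:
        fh.write(text)
    return descriptor
```

The same descriptor-from-flat-size step is what makes recovery possible only while the flat file is intact; the other encrypted configuration files (vmx, nvram and so on) must be recreated separately.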
RSM Defense recommends applying the latest VMware updates or removing vulnerable ESXi servers from the public-facing internet. According to Shodan.io, most public-facing VMware ESXi servers run version 6.7.0, which can be assessed as the version most targeted by the ransomware group. Additional vulnerabilities have been identified in VMware ESXi; the RSM Defense intelligence analyst recommends scanning the environment for unrecognized exposure due to legacy vulnerabilities.
(Source: Shodan.io)
Ransomware Mapped to the MITRE ATT&CK Framework:
T1003 – OS Credential Dumping
T1012 – Query Registry
T1016 – System Network Configuration Discovery
T1018 – Remote System Discovery
T1021 – Remote Services
T1027 – Obfuscated Files or Information
T1033 – System Owner/User Discovery
T1036 – Masquerading
T1037 – Boot or Logon Initialization Scripts
T1041 – Exfiltration Over C2 Channel
T1047 – Windows Management Instrumentation
T1049 – System Network Connections Discovery
T1053 – Scheduled Task/Job
T1055 – Process Injection
T1057 – Process Discovery
T1059 – Command and Scripting Interpreter
T1064 – Scripting
T1070 – Indicator Removal on Host
T1071 – Application Layer Protocol
T1074 – Data Staged
T1078 – Valid Accounts
T1082 – System Information Discovery
T1083 – File and Directory Discovery
T1087 – Account Discovery
T1090 – Proxy
T1095 – Non-Application Layer Protocol
T1105 – Ingress Tool Transfer
T1106 – Native API
T1110 – Brute Force
T1114 – Email Collection
T1119 – Automated Collection
T1120 – Peripheral Device Discovery
T1136 – Create Account
T1140 – Deobfuscate/Decode Files or Information
T1190 – Exploit Public-Facing Application
T1204 – User Execution
T1218 – Signed Binary Proxy Execution
T1222 – File and Directory Permissions Modification
T1486 – Data Encrypted for Impact
T1505 – Server Software Component
T1518 – Software Discovery
T1543 – Create or Modify System Process
T1547 – Boot or Logon Autostart Execution
T1553 – Subvert Trust Controls
T1556 – Modify Authentication Process
T1560 – Archive Collected Data
T1564 – Hide Artifacts
T1566 – Phishing
T1569 – System Services
T1573 – Encrypted Channel
T1574 – Hijack Execution Flow
T1587 – Develop Capabilities
Indicators of Compromise (some sources include YARA rules)
https://otx.alienvault.com/pulse/63e605c7bb637ae4dc282792
https://otx.alienvault.com/pulse/63e6047ce87a8e8451fc21f8
https://otx.alienvault.com/pulse/63e58c93c79f2a8b18243438
https://otx.alienvault.com/pulse/63e4d6f43ee1a41157b23c86
https://otx.alienvault.com/pulse/63e2548538e4ff157585c0ad
https://otx.alienvault.com/pulse/63e327b9c75edf3f504ebcda
https://otx.alienvault.com/pulse/63e320648d3ca9e0ca28c956
https://otx.alienvault.com/pulse/63e256288848883696ec6302
https://otx.alienvault.com/pulse/63e229ba9d4b8ce533514666
https://otx.alienvault.com/pulse/63e11aab3f17cdd6d4674e4b
https://otx.alienvault.com/pulse/63e9fbbb687c6d647850f8fe