War Room

Shells from above


Intel Insights – VMWare ESXi and ESXiArgs Ransomware

February 13, 2023 By Joel Belton

RSM Defense Intelligence has observed open-source reporting, as well as a CISA joint advisory (JCSA AA23-039A), indicating that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. Vulnerabilities used by the actors include CVE-2021-21974 (CVSS 8.8), CVE-2020-3992 (CVSS 9.8) and CVE-2019-5544 (CVSS 9.8). The actors are likely targeting end-of-life ESXi servers, or ESXi servers that do not have the available patches applied; the current version of VMware ESXi is 8.0.0.
ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts the configuration files associated with the VMs; it does not encrypt the flat files. As a result, it is possible in some cases for victims to reconstruct the encrypted configuration files from the unencrypted flat file. The recovery script that CISA has provided automates the process of recreating the configuration files after the ransomware has been deployed. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem. While this report was being written, a BleepingComputer article reported that newly found versions of ESXiArgs ransomware defeat the VMware ESXi recovery script. BleepingComputer still recommends attempting to recover encrypted ESXi servers using CISA's recovery script.
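The recovery described above rests on one structural fact: a VM's disk data lives in the large `-flat.vmdk` extent, while the small `.vmdk` descriptor (and the `.vmx` and other files in the list) are what the ransomware encrypts. The following Python is an added, illustrative example written for this post; it is not CISA's recovery script and not RSM's code. It triages a VM directory into "intact", "recoverable" (flat extent present, descriptor damaged) and "flat-missing", and rebuilds a descriptor for the recoverable case from the flat file's size using the documented VMDK descriptor layout. The adapter type, geometry constants and hardware version it writes are assumptions, as is the `.rebuilt` output name; the sample datastore it builds is constructed in a temporary directory.

```python
"""Added example (not the CISA recovery script, not RSM's code): triage a VM
directory for ESXiArgs-style damage and rebuild a VMDK descriptor for an
intact -flat.vmdk extent, following the documented VMDK descriptor layout."""
from __future__ import annotations
import tempfile
from pathlib import Path

# Extensions the advisory lists as encrypted by ESXiArgs.
ENCRYPTED_EXTS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
                  ".vswp", ".vmss", ".nvram", ".vmem"}
SECTOR = 512
HEADS, SECTORS_PER_TRACK = 255, 63        # assumed geometry, conventional for VMFS descriptors
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"


def descriptor_intact(path: Path) -> bool:
    """A healthy descriptor is a small text file starting with the magic line;
    an encrypted one is opaque bytes and fails this check."""
    try:
        return path.read_bytes()[:len(DESCRIPTOR_MAGIC)] == DESCRIPTOR_MAGIC
    except OSError:
        return False


def triage(vm_dir: Path) -> dict[str, str]:
    """Classify every disk in vm_dir by whether its descriptor survived.
    'recoverable' = flat extent present but descriptor missing or unreadable,
    which is the case the advisory says can be rebuilt."""
    state: dict[str, str] = {}
    for flat in sorted(vm_dir.glob("*-flat.vmdk")):
        base = flat.name[: -len("-flat.vmdk")]
        state[base] = "intact" if descriptor_intact(vm_dir / f"{base}.vmdk") else "recoverable"
    for desc in sorted(vm_dir.glob("*.vmdk")):
        if desc.name.endswith("-flat.vmdk"):
            continue
        base = desc.name[: -len(".vmdk")]
        state.setdefault(base, "flat-missing")   # nothing left to rebuild from
    return state


def build_descriptor(flat_name: str, flat_size: int, hw_version: int = 14) -> str:
    """Rebuild a monolithic VMFS descriptor from the flat file's byte size.
    Assumptions: thick extent, LSI Logic adapter, hardware version 14."""
    if flat_size % SECTOR:
        raise ValueError("flat extent is not a whole number of 512-byte sectors")
    total = flat_size // SECTOR
    cylinders = total // (HEADS * SECTORS_PER_TRACK)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {total} VMFS "{flat_name}"',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        f'ddb.virtualHWVersion = "{hw_version}"',
        "",
    ])


def rebuild(vm_dir: Path) -> dict[str, Path]:
    """Write a fresh descriptor beside each recoverable flat extent. The damaged
    original is left untouched; the new file gets a .rebuilt suffix (assumed
    name) so an operator can inspect it before swapping it in."""
    written: dict[str, Path] = {}
    for base, state in triage(vm_dir).items():
        if state != "recoverable":
            continue
        flat = vm_dir / f"{base}-flat.vmdk"
        out = vm_dir / f"{base}.vmdk.rebuilt"
        out.write_text(build_descriptor(flat.name, flat.stat().st_size))
        written[base] = out
    return written


def demo() -> tuple[dict[str, str], str]:
    """Constructed sample datastore: one VM with an intact descriptor, one whose
    descriptor was overwritten with junk bytes, and one descriptor with no flat file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "good-flat.vmdk").write_bytes(b"\0" * SECTOR * 16)
        (d / "good.vmdk").write_text(build_descriptor("good-flat.vmdk", SECTOR * 16))
        (d / "hit-flat.vmdk").write_bytes(b"\0" * SECTOR * 16)
        (d / "hit.vmdk").write_bytes(b"\xde\xad" * 128)      # stands in for ciphertext
        (d / "orphan.vmdk").write_bytes(b"\xde\xad" * 128)
        state = triage(d)
        rebuilt = rebuild(d)
        return state, rebuilt["hit"].read_text()


if __name__ == "__main__":
    state, text = demo()
    print(state)
    print(text)
```

On a real host the descriptor would be created with `vmkfstools` rather than written by hand, and the `.vmx` and other encrypted files in the list still need to be recreated separately; the point of the example is to show why the flat extent alone is enough to get the disk descriptor back.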
RSM Defense recommends applying the latest VMware updates or removing vulnerable ESXi servers from the public-facing internet. According to Shodan.io, the most common version among public-facing VMware ESXi servers is 6.7.0, which can be assessed as the version most targeted by the ransomware group. Additional vulnerabilities have been located in VMware ESXi; RSM Defense intelligence analysts recommend scanning the environment for potential unrealized exposure due to legacy vulnerabilities.

(Figure: Shodan.io data on public-facing VMware ESXi versions; image not included. Source: Shodan.io)

Ransomware Mapped to MITRE ATT&CK Framework:

T1003 – OS Credential Dumping
T1012 – Query Registry
T1016 – System Network Configuration Discovery
T1018 – Remote System Discovery
T1021 – Remote Services
T1027 – Obfuscated Files or Information
T1033 – System Owner/User Discovery
T1036 – Masquerading
T1037 – Boot or Logon Initialization Scripts
T1041 – Exfiltration Over C2 Channel
T1047 – Windows Management Instrumentation
T1049 – System Network Connections Discovery
T1053 – Scheduled Task/Job
T1055 – Process Injection
T1057 – Process Discovery
T1059 – Command and Scripting Interpreter
T1064 – Scripting
T1070 – Indicator Removal on Host
T1071 – Application Layer Protocol
T1074 – Data Staged
T1078 – Valid Accounts
T1082 – System Information Discovery
T1083 – File and Directory Discovery
T1087 – Account Discovery
T1090 – Proxy
T1095 – Non-Application Layer Protocol
T1105 – Ingress Tool Transfer
T1106 – Native API
T1110 – Brute Force
T1114 – Email Collection
T1119 – Automated Collection
T1120 – Peripheral Device Discovery
T1136 – Create Account
T1140 – Deobfuscate/Decode Files or Information
T1190 – Exploit Public-Facing Application
T1204 – User Execution
T1218 – Signed Binary Proxy Execution
T1222 – File and Directory Permissions Modification
T1486 – Data Encrypted for Impact
T1505 – Server Software Component
T1518 – Software Discovery
T1543 – Create or Modify System Process
T1547 – Boot or Logon Autostart Execution
T1553 – Subvert Trust Controls
T1556 – Modify Authentication Process
T1560 – Archive Collected Data
T1564 – Hide Artifacts
T1566 – Phishing
T1569 – System Services
T1573 – Encrypted Channel
T1574 – Hijack Execution Flow
T1587 – Develop Capabilities

Indicators of Compromise (some sources include YARA rules):

https://otx.alienvault.com/pulse/63e605c7bb637ae4dc282792
https://otx.alienvault.com/pulse/63e6047ce87a8e8451fc21f8
https://otx.alienvault.com/pulse/63e58c93c79f2a8b18243438
https://otx.alienvault.com/pulse/63e4d6f43ee1a41157b23c86
https://otx.alienvault.com/pulse/63e2548538e4ff157585c0ad
https://otx.alienvault.com/pulse/63e327b9c75edf3f504ebcda
https://otx.alienvault.com/pulse/63e320648d3ca9e0ca28c956
https://otx.alienvault.com/pulse/63e256288848883696ec6302
https://otx.alienvault.com/pulse/63e229ba9d4b8ce533514666
https://otx.alienvault.com/pulse/63e11aab3f17cdd6d4674e4b
https://otx.alienvault.com/pulse/63e9fbbb687c6d647850f8fe

Joel Belton

Joel Belton is a military veteran with subject matter expertise in intelligence analysis involving strategic military exercise planning, satellite imagery and full motion video analytics, and actionable tactical operations for USSOCOM special operations. He graduated from Purdue University with a bachelor's degree in electrical engineering technology with a discipline in radio frequency communication engineering. Joel's passion for security is driven by enhancing his skills in red team offensive security and blue team operations strategies for mitigating compromise.
