On February 3rd, 2023, researchers began observing attacks aimed at the VMware ESXi hypervisor with the goal of infecting them with ransomware. The affected systems are ESXi hypervisors version 6.5, 6.7 and 7.0.
These recent attacks, dubbed ESXiArgs, leverage CVE-2021-21974, a vulnerability which impacts the Service Location Protocol (SLP) service and grants an attacker the ability to execute arbitrary code remotely. A patch has been available for CVE-2021-21974 since February 23rd, 2021.
CVE-2021-21974 is a heap overflow vulnerability in OpenSLP, a network service that listens on TCP and UDP port 427 on default installations of VMware ESXi. A malicious actor that has access to port 427 could exploit the heap overflow issue in the OpenSLP service, leading to remote code execution if the ESXi server is exposed to the internet.
According to Wiz data, 12% of ESXi servers are currently unpatched for CVE-2021-21974 and vulnerable to attacks.
Attacks utilizing this vulnerability to install ransomware have been discovered worldwide, though mostly in Europe. The targets of these attacks are primarily ESXi servers running versions prior to 7.0 U3i, which are accessible through the OpenSLP port 427.
Researchers previously believed the malware, ESXiArgs, is an instance of the Nevada ransomware family, which was first observed in December 2022 and associated with Chinese and Russian threat actors. As of February 8, further analysis could indicate the malware might be a variant of the Babuk ransomware. Babuk source code was leaked in 2021 and utilized in previous ESXi ransomware attacks, such as CheersCrypt and PrideLocker encryptor from the Quantum/Dagon group.
Since February 3rd, 2023, researchers have observed the following IP addresses attempting to exploit CVE-2021-21974:
22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168/24
Researchers also observed the following behaviors associated with this activity:
|T1190 Exploit Public-Facing Application||CVE-2021-21974|
|T1486 Data Encrypted for Impact||Encryption uses a public key deployed by the malware in |
|T1486 Data Encrypted for Impact||The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.|
|T1565 Stored Data Manipulation||The malware creates an |
Security teams are advised to patch VMware ESXi instances for CVE-2021-21974.
As a workaround, you can also mitigate this issue by disabling the OpenSLP service, using the following commands:
/etc/init.d/slpd stop esxcli system slp stats get esxcli network firewall ruleset set -r CIMSLP -e 0 chkconfig slpd off
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their VMWare ESXi servers.