ESXiArgs Ransomware: Runecast Users Have Proactive Coverage

Over the weekend news broke of a ransomware threat currently being called ESXiArgs, taking advantage of the vulnerability in CVE-2021-21974. As you can see from the number, this is a CVE that was first made public by VMware in 2021, however a number of teams and the French Computer Emergency Response Team (CERT-FR) are warning users that malicious actors are targeting this vulnerability on unpatched ESXi servers as recently as February 3, 2023. 

In this article we will talk briefly about what ESXiArgs is, the underlying vulnerability, and how Runecast has already protected organisations infrastructure against this ransomware threat, with coverage of CVE-2021-21974, for 2 years.

What is the “new” ESXiArgs ransomware?

ESXi is VMware’s hypervisor, a technology that allows organisations to host several virtualized computers running multiple operating systems on a single physical server.

The vulnerability is due to OpenSLP (also known as CIM). As it is used in ESXi OpenSLP has a heap-overflow vulnerability, meaning that “[a] malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.” – VMware Security Advisories, VMSA-2021-0002.

Open SLP or Service Location Protocol is a service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration. On ESXi, third-party hardware health monitoring services can use this service and it has been the subject of CVEs previously. 

‍

How this malicious software works

The ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a .args file for each encrypted document with metadata (likely needed for decryption).

Victims have also found ransom notes named ransom.html and How to Restore Your Files.html on locked systems. Others said that their notes are plaintext files.

When the server is breached, the following files are stored in the /tmp folder:

• encrypt – The encryptor ELF executable.
• encrypt.sh – A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor, as described below.
• public.pem – A public RSA key used to encrypt the key that encrypts a file.
• motd – The ransom note in text form that will be copied to /etc/motd so it is shown on login. The server's original file will be copied to /etc/motd1.
• index.html – The ransom note in HTML form that will replace VMware ESXi's home page. The server's original file will be copied to index1.html in the same folder.

For more technical information about how ESXiArgs performs its attacks, please refer to this article published on Bleeping Computer.

How to patch the vulnerability

These are the systems affected by CVE-2021-21974:

• ESXi versions 7.x prior to ESXi70U1c-17325551
• ESXi versions 6.7.x prior to ESXi670-202102401-SG
• ESXi versions 6.5.x prior to ESXi650-202102101-SG

To patch the vulnerability, it is strongly recommended to upgrade vulnerable vCenter Server installations to the latest version that patches the CVE-2021-21972 security flaw. 

The patches were released when the vulnerability was originally made public by VMware in VMSA-2021-0002 and a guide on how to patch can be found here.

Runecast provides a pain-free upgrade simulation option, allowing users to test their existing hardware against the VMware Hardware Compatibility List, saving admins the time and effort of attempting an upgrade without being certain of the outcome. 

The guidance in the VMware Security Configuration Guide is that this service should now be disabled by default, if it is not required for third-party software. 

How Runecast protects against VMSA-2021-0002 (and has done for two years)

Our platform has provided remediation information against the critical VMSA-2021-0002 exploit since VMware announced it in February of 2021, ensuring that our customers' virtual infrastructures remain secure. 

‍Runecast provides automated checks against the VMware Guidelines, where it is recommended that this service be disabled, along with the Knowledge Base articles automating the process of searching for the instructions to remediate and patch this and many more vulnerabilities.

While other vendors often report vulnerabilities only based on OS version and build number, Runecast uses a much more sophisticated approach, thanks to our patented rules engine. Runecast also checks the Firewall rules and SLP service status, as VMware's guidance recommends SLP be disabled by default. Runecast's approach is to strive not to create more noise for customers, but only report where there are real vulnerabilities that need to be addressed.

‍

We are proud to have safeguarded our customers' data and operations and remain dedicated to continuously improving our solution to meet the ever-evolving security landscape. Runecast is committed to providing the highest level of security to our customers. 

In addition, on 24 February 2021, we tweeted our update and the link to our blog announcement regarding VMSA-2021-0002, which covers CVE-2021-21974.

On 22 March 2021, RudiMartinsen.com stated in "A Second Look at Runecast":

"Let's take the latest critical security vulnerability (VMSA-2021-002) as an example. This Runecast instance have found that a couple of vCenters in the environment is not patched for this[...]"

Organisations that use Runecast and, crucially, implement its findings in their environments, are protected from this vulnerability. And this has been the case since 2021. 

‍

Runecast helps you automate the security of your workloads

Cybersecurity is a constantly changing field, and new threats are constantly emerging. By keeping up to date with the latest intelligence, organisations can ensure that their defences are up to date and effective against the latest threats – especially when those ‘latest threats’ were patched 2 years ago. Ultimately, identification of threats and their remediation steps is not the only step, as knowledge is useless without action.

Runecast helps you reduce the risk of falling victim to this kind of attack by providing:

1. The most sophisticated and complete VMware vulnerability and security hardening assessment with our patented rules engine.
2. Prioritisation of vulnerabilities based on their severity levels and known exploited vulnerabilities information.
3. Fastest vulnerability and security standard release cycle thanks to the Runecast AI Knowledge Automation Platform.
4. Best time to value on the market, with 15-minute agentless deployment and results.
5. Unmatched secure deployment methods supporting air-gapped environments.
6. Remediation capabilities.

By using Runecast regularly and following its recommendations, you can:

• Maintain a hardened configuration to reduce attack surface.
• Save time by automating remediation.
• Stay free of critical vulnerabilities with known exploits prioritisation.
• Greatly reduce the risk of any malware, including ransomware, from compromising your systems.

Runecast is a powerful AI-driven platform that can help you reduce the risk of falling victim to a VMware targeted ransomware attack. While there is no solution that can guarantee 100% prevention, Runecast will give you the best chance of avoiding a costly and damaging attack.