Threat Intelligence: ESXiArgs Ransomware
Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:
The French Computer Emergency Response Team (CERT-FR) has issued a warning that threat actors are actively targeting VMware ESXi servers left unpatched against a remote code execution (RCE) vulnerability caused by a heap overflow in the OpenSLP service, and are then infecting those systems with the ransomware “ESXiArgs”. The ransomware is named after the extension appended to encrypted files, “.args”.
Read the CVE details here: CVE-2021-21974
The CVSS (Common Vulnerability Scoring System) severity score is 8.8.
Currently, the ESXi versions being targeted are those before 6.7. Fewer than 50 cases have been reported in Great Britain so far, but there have been more than 900 worldwide and counting. The original vulnerability was reported by Trend Micro: a threat actor residing within the same network segment as ESXi, with access to port 427, may be able to trigger the heap overflow in the OpenSLP service, resulting in remote code execution.
Vulnerable ESXi versions:
- 7.0 before ESXi70U1c-17325551
- 6.7 before ESXi670-202102401-SG
- 6.5 before ESXi650-202102101-SG
A patch for this vulnerability has been available since 23 February 2021. It is highly recommended to update to a patched version of ESXi. Systems that have been left unpatched should also be scanned for signs of compromise. It is also advised to disable the OpenSLP service, which has been disabled by default since 2021.
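A triage helper, added here as an example (not DigitalXRAID's or VMware's code), that applies the advice above to command output captured from a host: it compares the build reported by `esxcli system version get` against the fix build, and checks whether slpd starts at boot (`chkconfig --list slpd`) and whether the CIMSLP firewall ruleset is open (`esxcli network firewall ruleset list`). The 7.0 fix build is taken from the patch name listed above; the 6.7 and 6.5 fix builds are placeholders to be filled from the named bulletins, and the sample command output is constructed.

```python
import re

# Build that fixes CVE-2021-21974 per release line. The 7.0 value comes from the
# patch name listed above (ESXi70U1c-17325551). The 6.7 and 6.5 entries are
# PLACEHOLDERS (None): fill them from the ESXi670-202102401-SG and
# ESXi650-202102101-SG bulletins before trusting a "patched" result.
FIXED_BUILD = {"7.0": 17325551, "6.7": None, "6.5": None}


def parse_version(text):
    """Extract (release line, build number) from `esxcli system version get`."""
    ver = re.search(r"^\s*Version:\s*(\d+\.\d+)", text, re.M)
    build = re.search(r"^\s*Build:\s*Releasebuild-(\d+)", text, re.M)
    if not ver or not build:
        raise ValueError("unrecognised esxcli version output")
    return ver.group(1), int(build.group(1))


def slp_exposed(chkconfig_text, ruleset_text):
    """True if slpd starts at boot and the CIMSLP firewall ruleset is open."""
    daemon_on = re.search(r"^\s*slpd\s+on\b", chkconfig_text, re.M) is not None
    rule_open = re.search(r"^\s*CIMSLP\s+true\b", ruleset_text, re.M) is not None
    return daemon_on and rule_open


def triage(version_text, chkconfig_text, ruleset_text):
    """Return patch state for CVE-2021-21974, SLP exposure and a next action."""
    line, build = parse_version(version_text)
    fixed = FIXED_BUILD.get(line)
    patched = None if fixed is None else build >= fixed  # None: cannot decide
    exposed = slp_exposed(chkconfig_text, ruleset_text)
    if patched is False:
        action = "patch now; disable slpd until patched"
    elif patched is None:
        action = "verify build against the bulletin"
        action += "; disable slpd meanwhile" if exposed else ""
    elif exposed:
        action = "patched, but OpenSLP still reachable: disable slpd"
    else:
        action = "no action for CVE-2021-21974"
    return {"line": line, "build": build, "patched": patched,
            "slp_exposed": exposed, "action": action}


# Constructed sample output (not a real capture): a 7.0 host below the fix build.
SAMPLE_VERSION = "   Product: VMware ESXi\n   Version: 7.0.1\n   Build: Releasebuild-17000000\n"
SAMPLE_CHKCONFIG = "slpd                    on\n"
SAMPLE_RULESETS = "Name       Enabled\n---------  -------\nsshServer  true\nCIMSLP     true\n"

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CHKCONFIG, SAMPLE_RULESETS))
```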
If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.
If you need any support in mitigating the risks this vulnerability may pose to your business, please don’t hesitate to get in contact.