VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree

The Hacker News (thehackernews.com), Feb 07, 2023, 10:21 a.m.

CVSS ratings for CVE-2021-21974, the vulnerability discussed in the article:

CVSS v3.1: 8.8 High, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: ADJACENT_NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS v2: 5.8 Medium, AV:A/AC:L/Au:N/C:P/I:P/A:P
Access Vector: ADJACENT_NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

Note that the Adjacent attack vector follows the wording of VMware's advisory (an attacker on the same network segment with access to port 427); the campaign described below reached the same service on hosts that expose port 427 to the internet, so the score understates the risk for such hosts.

VMware Ransomware

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide.

“Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” the virtualization services provider said.

The company further recommends that users upgrade to the latest supported releases of vSphere components to mitigate known issues, and that they disable the OpenSLP service in ESXi.

“In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default,” VMware added.

The announcement comes as unpatched and unsecured VMware ESXi servers around the world have been targeted in a large-scale ransomware campaign dubbed ESXiArgs, most likely by exploiting a two-year-old bug that VMware patched in February 2021 (VMSA-2021-0002).

The vulnerability, tracked as CVE-2021-21974 (CVSS score: 8.8), is a heap-based buffer overflow in ESXi's OpenSLP service that an unauthenticated attacker with access to port 427 can exploit to gain remote code execution on the host.

The intrusions appear to single out susceptible ESXi servers that expose OpenSLP on port 427 to the internet; victims are instructed to pay 2.01 Bitcoin (about $45,990 at the time of writing) for the key needed to recover their files. No data exfiltration has been observed to date.
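
Because the campaign hinges on port 427 being reachable, the first thing a practitioner wants is a way to check their own hosts for it. The following is an added example, not code from the article, from VMware or from any ESXiArgs tooling: a minimal SLPv2 client that sends a unicast Service Request over UDP 427 and parses the reply, so that any well-formed SLP answer proves slpd is listening. Message layouts follow RFC 2608. The service type queried ("service:wbem", which ESXi's slpd is assumed here to register for its CIM server), the sample URL and the host names are constructed assumptions; the parser treats every length field from the peer as untrusted.

```python
"""Added example (not from the article or VMware): SLPv2 probe for OpenSLP on 427/udp.
Layouts per RFC 2608; the queried service type "service:wbem" is an assumption."""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST, FN_SRVRPLY = 1, 2
FLAG_OVERFLOW = 0x8000      # reply was truncated to fit in one UDP datagram


def _lstr(s: str) -> bytes:
    """SLP string: 2-byte big-endian length followed by the UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def _header(function_id: int, body_len: int, xid: int, lang: str = "en") -> bytes:
    """12 fixed bytes, then the length-prefixed language tag (RFC 2608 section 8)."""
    lang_b = _lstr(lang)
    total = 12 + len(lang_b) + body_len        # Length covers the whole message
    return (struct.pack("!BB", SLP_VERSION, function_id) + total.to_bytes(3, "big")
            + struct.pack("!H", 0)             # flags: O/F/R all clear for a unicast request
            + (0).to_bytes(3, "big")           # next extension offset: none
            + struct.pack("!H", xid) + lang_b)


def build_srvrqst(service_type: str = "service:wbem", scope: str = "DEFAULT",
                  xid: int = 0x1234) -> bytes:
    """SrvRqst body: PRList, service-type, scope-list, predicate, SLP SPI (all length-prefixed)."""
    body = _lstr("") + _lstr(service_type) + _lstr(scope) + _lstr("") + _lstr("")
    return _header(FN_SRVRQST, len(body), xid) + body


def build_srvrply(urls, xid: int = 0x1234, lifetime: int = 65535) -> bytes:
    """SrvRply as a service agent would send it: error code, URL count, URL entries without
    authentication blocks. Used here to construct an offline sample reply for the parser."""
    body = struct.pack("!HH", 0, len(urls))
    for url in urls:
        body += struct.pack("!BH", 0, lifetime) + _lstr(url) + b"\x00"  # reserved, lifetime, URL, #auths
    return _header(FN_SRVRPLY, len(body), xid) + body


def parse_reply(data: bytes) -> dict:
    """Parse an SLPv2 reply header and, for a SrvRply, its URL entries.
    Raises ValueError on anything malformed or truncated instead of trusting peer-supplied lengths."""
    def need(off: int, n: int) -> None:
        if off + n > len(data):
            raise ValueError(f"truncated SLP message at offset {off}")
    need(0, 14)
    version, fn = data[0], data[1]
    if version != SLP_VERSION:
        raise ValueError(f"not SLPv2 (version byte {version})")
    length = int.from_bytes(data[2:5], "big")
    if length > len(data):
        raise ValueError(f"header claims {length} bytes, got {len(data)}")
    flags = struct.unpack("!H", data[5:7])[0]
    xid, lang_len = struct.unpack("!HH", data[10:14])
    off = 14 + lang_len
    need(off, 0)
    result = {"function_id": fn, "xid": xid, "overflow": bool(flags & FLAG_OVERFLOW),
              "error": None, "urls": []}
    if fn != FN_SRVRPLY:
        return result                      # e.g. SAAdvert: still proof that slpd answered
    need(off, 4)
    result["error"], count = struct.unpack("!HH", data[off:off + 4])
    off += 4
    for _ in range(count):
        need(off, 5)                       # reserved(1), lifetime(2), URL length(2)
        lifetime, url_len = struct.unpack("!HH", data[off + 1:off + 5])
        off += 5
        need(off, url_len + 1)
        url = data[off:off + url_len].decode("utf-8", errors="replace")
        off += url_len
        n_auth = data[off]
        off += 1
        for _ in range(n_auth):            # skip auth blocks: BSD(2), block length(2), ...
            need(off, 4)
            blk_len = struct.unpack("!H", data[off + 2:off + 4])[0]
            if blk_len < 4:
                raise ValueError("bad authentication block length")
            need(off, blk_len)
            off += blk_len
        result["urls"].append({"url": url, "lifetime": lifetime})
    return result


def probe(host: str, service_type: str = "service:wbem", timeout: float = 2.0,
          xid: int = 0x1234):
    """Send one unicast SrvRqst over UDP; return the parsed reply, or None if nothing answers."""
    req = build_srvrqst(service_type, xid=xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    reply = parse_reply(data)
    if reply["xid"] != xid:
        raise ValueError("reply XID does not match the request")
    return reply


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:                 # e.g. python slp_probe.py esxi01.example.internal
        r = probe(h)
        print(h, "no SLP reply" if r is None else f"SLP reachable on 427/udp: {r}")
```

Only probe hosts you are responsible for. Silence is not proof that slpd is off: a firewall between you and the host filters 427 just as well, so confirm on the host itself (the service state and the firewall ruleset) rather than from the network alone. ESXi also listens on 427/tcp; the same request and parser work over a TCP stream if UDP is blocked.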

Data from GreyNoise shows 19 unique IP addresses attempting to exploit the ESXi vulnerability since February 4, 2023; 18 of them are classified as benign, with a single malicious exploitation attempt recorded from the Netherlands.

“ESXi customers should ensure their data is backed up and should update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur,” Rapid7 researcher Caitlin Condon said. “ESXi instances should not be exposed to the internet if at all possible.”

Update:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. “The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable,” noted the agency.

CISA has also released an advisory, warning that threat actors are “exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware.” Over 3,800 servers across the globe have been compromised to date.

The identity of the adversaries behind the campaign is unclear, and the attacks appear to take advantage of several high-profile OpenSLP vulnerabilities in ESXi to obtain initial access.
