Hackers are mass infecting servers worldwide by exploiting a patched hole

The picture shows a security scanner extracting viruses from strings of binary code.words and hands

Getty Images

It was widely reported Monday that cyberattacks have infected servers around the world with devastating ransomware by exploiting vulnerabilities patched two years ago.

The hack exploits flaws in ESXi, the hypervisor VMware sells to consolidate hardware resources into cloud hosts and other large enterprises. ESXi, also known as a bare metal (Type 1) hypervisor, is essentially a proprietary operating system that runs directly on server hardware. By contrast, servers running the more common Type 2 class of hypervisors, such as VMware’s VirtualBox, run as apps on top of the host operating system. Type 2 hypervisors then run virtual machines that host their own guest operating systems such as Windows, Linux, or, less commonly, macOS.

Enter ESXiArgs

A recent advisory issued by the French, Italian and Austrian Computer Emergency Response Teams (CERT) reported a “massive” campaign that began by Friday and has been gaining momentum since. His CERT rep in Austria said more than 3,200 of his servers, including eight of his in the country, were infected as of Sunday, citing search results on Census.

“Since ESXi Server presents a large number of systems as virtual machines (VMs), you can expect to see a multiple of this number of individual systems affected,” the official wrote.

The vulnerability being exploited to infect servers is CVE-2021-21974, which is due to a heap-based buffer overflow in OpenSLP, an open network detection standard built into ESXi. When VMware patched the vulnerability in February 2021, the company warned that it could be exploited by malicious actors accessing the same network segment via port 427. This vulnerability received a severity rating of 8.8 out of 10. Exploit code and instructions for its use became available several months later.

Last weekend, French cloud host OVH said it lacked the ability to patch vulnerable servers set up by customers.

OVH Chief Information Security Officer Julien Levrard said: “We have launched several initiatives to identify vulnerable servers based on automated logs to detect his ESXi installation by a customer. limited.”

In the meantime, the company is blocking access to port 427 and notifying all customers it identifies as running vulnerable servers.

According to Levrard, the ransomware installed in the attack deleted virtual machine files, including files ending in .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem. Encrypt. The malware then attempts to unlock the files by terminating a process called VMX. The feature is not working as the developer intended and the file remains locked.

Researchers have dubbed the campaign and the ransomware behind it ESXiArgs because the malware creates additional files with the extension “.args” after encrypting documents. The .args file contains data used to decrypt encrypted data.

YoreGroup Tech Team researchers Enes Sonmez and Ahmet Aykac reported that a mistake in the ESXiArgs encryption process could allow the victim to recover the encrypted data. OVH’s Levrard said his team tested the restoration process the researchers described and found it was successful in about two-thirds of the trials.

Anyone relying on ESXi should stop whatever they are doing and make sure the patch for CVE-2021-21974 is installed. The advisory linked above also provides detailed guidance for locking down servers using this hypervisor.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *