VMware ESXi Server Ransomware Attack
Ransomware targeting VMware ESXi OpenSLP vulnerability
ESXi servers vulnerable to the OpenSLP heap-overflow vulnerability (CVE-2021-21974) and the OpenSLP remote code execution vulnerability (CVE-2020-3992) are being exploited through OpenSLP on port 427 to deliver a new ransomware, “ESXiArgs”. The ransomware encrypts files on affected ESXi servers and demands a ransom for file decryption.
Common Vulnerabilities and Exposures
Background
October 20, 2020: VMware released a patch and advisory for CVE-2020-3992. https://www.vmware.com/security/advisories/VMSA-2020-0023.html
February 23, 2021: VMware released a patch and advisory for CVE-2021-21974. https://www.vmware.com/security/advisories/VMSA-2021-0002.html
Threat Radar Overall Score: 3.8
CVSS Rating | 9.0
FortiRecon Score | 92/100
Known Exploited | Yes
Exploit Prediction Score | 87.96%
FortiGuard Telemetry | 6
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
February 03, 2023: CERT-FR posted an advisory for attack campaigns targeting vulnerable and unpatched VMware ESXi hypervisors with the aim of deploying ransomware. https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/
FortiGuard Labs is aware of exploitation reported in the wild. Fortinet's customers remain protected by the IPS signatures released to detect and block attack attempts related to these vulnerabilities (CVE-2021-21974, CVE-2020-3992), and FortiGuard Labs has recently added antivirus detections to block "ESXiArgs" ransomware attacks.
The attack primarily targets ESXi servers running versions before 7.0 U3i, through the OpenSLP port (427). To check your ESXi version, refer to your server page in your customer interface; the VMware KB article below gives the steps to disable the SLP service. https://kb.vmware.com/s/article/7637
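To make the SLP check above concrete, the following audit script is an added example (not FortiGuard's or VMware's own tooling): it parses the output of `esxcli network firewall ruleset list` and `chkconfig --list slpd`, reports whether OpenSLP is still exposed on port 427, and prints the VMware-documented commands to disable it. The embedded sample outputs are constructed so the script runs offline; on a host, pass the live command output instead.

```shell
#!/bin/sh
# Audit whether an ESXi host still exposes OpenSLP (port 427), the service
# abused in the ESXiArgs campaign, and print the disable steps if it does.
# Added example; the esxcli/chkconfig commands are the ones VMware documents.

# Constructed sample of `esxcli network firewall ruleset list` (exposed host).
SAMPLE_RULESETS='Name                    Enabled
----------------------  -------
sshServer               true
CIMSLP                  true
vSphereClient           true'

# Constructed sample of `chkconfig --list slpd` (service starts at boot).
SAMPLE_CHKCONFIG='slpd   on'

# Reads a ruleset listing on stdin; exit 0 when the CIMSLP ruleset is enabled.
slp_ruleset_enabled() {
    awk '$1 == "CIMSLP" && $2 == "true" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Reads chkconfig output on stdin; exit 0 when slpd is configured to start.
slpd_service_on() {
    awk '$1 == "slpd" && $2 == "on" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# audit_slp RULESET_OUTPUT CHKCONFIG_OUTPUT
# Prints findings plus remediation; returns 0 only when SLP is fully disabled.
audit_slp() {
    exposed=0
    if printf '%s\n' "$1" | slp_ruleset_enabled; then
        echo "CIMSLP firewall ruleset is open: esxcli network firewall ruleset set -r CIMSLP -e 0"
        exposed=1
    fi
    if printf '%s\n' "$2" | slpd_service_on; then
        echo "slpd is enabled: /etc/init.d/slpd stop && chkconfig slpd off"
        exposed=1
    fi
    if [ "$exposed" -eq 0 ]; then
        echo "OpenSLP is disabled; port 427 is not exposed"
    fi
    return "$exposed"
}

# Offline demo on the constructed samples. On a real host use:
#   audit_slp "$(esxcli network firewall ruleset list)" "$(chkconfig --list slpd)"
audit_slp "$SAMPLE_RULESETS" "$SAMPLE_CHKCONFIG" || echo "Host still exposes SLP; apply the steps above"
```

Disabling SLP closes the exploited service but does not replace upgrading to 7.0 U3i or later, which removes the vulnerable code itself.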
February 07, 2023: CISA Releases ESXiArgs Ransomware Recovery Script. https://www.cisa.gov/uscert/ncas/current-activity/2023/02/07/cisa-releases-esxiargs-ransomware-recovery-script
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
Decoy VM: Detects activities related to ESXiArgs ransomware malware and prevents lateral movement on the network.
AV (Pre-filter): Blocks ESXiArgs ransomware malware.
IPS: Detects and blocks attack attempts related to VMware ESXi vulnerability CVE-2021-21974.
Outbreak Detection
Threat Hunting
Content Update
Assisted Response Services: Experts to assist you with analysis, containment and response activities.
Automated Response: Services that can automatically respond to this outbreak (FortiClient Forensics, FortiXDR).
InfoSec Services: Security readiness and awareness training for SOC teams, InfoSec and general employees (Response Readiness, Security Awareness, FortiPhish).
Attack Surface Monitoring (Inside & Outside): Security reconnaissance and penetration testing services, covering both internal & external attack vectors, including those introduced internally via the software supply chain.
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
References
Sources of information in support and relation to this Outbreak and vendor.