FortiGuard Labs is aware of reports that ESXi servers around the globe that are vulnerable to the VMware ESXi OpenSLP HeapOverflow vulnerability (CVE-2021-21974) are being exploited through OpenSLP (port 427) to deliver a new ransomware, “ESXiArgs”. The ransomware encrypts files on affected ESXi servers and demands a ransom for file decryption.

Why is this Significant?

This is significant because a new ransomware, “ESXiArgs”, is being deployed to ESXi servers that are prone to the VMware ESXi OpenSLP HeapOverflow vulnerability (CVE-2021-21974). The ransomware encrypts files with pre-specified file extensions and demands a ransom from victims for file decryption.

A patch for CVE-2021-21974 was released almost two years ago, which lowers the impact and severity of this incident.

What is ESXiArgs Ransomware?

ESXiArgs is a new ransomware that encrypts files on ESXi servers. According to OSINT, the ransomware targets files with the “.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, and “.vmem” file extensions. The ransomware reportedly creates an args file containing metadata for each file it encrypts. Data exfiltration has not been reported.

ESXiArgs ransomware is said to be related to another ransomware, “Nevada”; however, we have not been able to verify the claim.

What is CVE-2021-21974 (VMware ESXi OpenSLP HeapOverflow vulnerability)?

CVE-2021-21974 is a heap overflow vulnerability in OpenSLP that affects VMware ESXi versions 7.0, 6.7, and 6.5. The vulnerability is due to an improper boundary check in the application. A remote, unauthenticated attacker can exploit this to execute arbitrary code with the privileges of the OpenSLP service via a crafted request to the target server. The vulnerability has a CVSS score of 8.8 and is rated important.

Has the Vendor Released a Patch for CVE-2021-21974?

Yes, VMware released a patch for CVE-2021-21974 on February 23rd, 2021.

What is the Status of Protection?

FortiGuard Labs provides protection for this latest attack with the following AV signatures:

• ELF/Filecoder.85D3!tr.ransom
• Linux/Agent.SR!tr
• Python/Agent.937D!tr

FortiGuard Labs has the following IPS signature in place for CVE-2021-21974 (VMware ESXi OpenSLP HeapOverflow vulnerability):

• VMware.ESXi.OpenSLP.Heap.Buffer.Overflow
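The report notes that ESXiArgs targets a fixed set of VM file extensions and leaves an args file with metadata beside each file it encrypts. The following triage script is an added example for defenders and is not FortiGuard code or any tool the report describes: it walks a datastore path, flags every targeted-extension file that has a companion args file, and reports any orphan args files for follow-up. It assumes the companion is named `<original filename>.args` in the same directory, which is an assumption about naming, not a fact stated in the report; the sample datastore it builds is constructed purely to exercise the scan offline.

```python
"""Triage scan for ESXiArgs-style encryption artifacts on a datastore path (added example)."""
import tempfile
from pathlib import Path

# File extensions the report says ESXiArgs targets.
TARGET_EXTENSIONS = {
    ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
    ".vswp", ".vmss", ".nvram", ".vmem",
}

# Assumption (not from the report): the metadata file sits beside the
# encrypted file and is named "<original filename>.args".
ARGS_SUFFIX = ".args"


def find_suspicious(root):
    """Return a sorted list of targeted files that have a companion args file.

    Paths are returned relative to `root` in POSIX form so results are stable
    across platforms and easy to feed into a ticket or SIEM lookup.
    """
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        companion = path.with_name(path.name + ARGS_SUFFIX)
        if companion.is_file():
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def find_orphan_args(root):
    """Return args files whose original file is missing or is not a targeted type.

    These are worth a look too: they may indicate a file that was renamed or
    removed after encryption, or a naming pattern this scan does not model.
    """
    root = Path(root)
    orphans = []
    for path in root.rglob("*" + ARGS_SUFFIX):
        if not path.is_file():
            continue
        original = path.with_name(path.name[: -len(ARGS_SUFFIX)])
        if not original.is_file() or original.suffix.lower() not in TARGET_EXTENSIONS:
            orphans.append(path.relative_to(root).as_posix())
    return sorted(orphans)


def build_sample_datastore():
    """Create a constructed sample tree in a temp directory for testing the scan.

    Contents are fabricated for this example: a VM whose disk has an args
    companion, a config file with no companion, and a non-VM file that has a
    stray args file beside it.
    """
    root = Path(tempfile.mkdtemp(prefix="esxi-triage-"))
    vm = root / "vm01"
    vm.mkdir()
    (vm / "vm01.vmdk").write_bytes(b"\x00" * 64)           # constructed "encrypted" disk
    (vm / "vm01.vmdk.args").write_text("constructed metadata\n")
    (vm / "vm01.vmx").write_text("constructed vm config\n")  # no companion: not flagged
    (vm / "vm01.nvram").write_bytes(b"\x00" * 16)            # no companion: not flagged
    (vm / "notes.txt").write_text("constructed note\n")
    (vm / "notes.txt.args").write_text("")                   # orphan: not a targeted type
    return root


if __name__ == "__main__":
    sample = build_sample_datastore()
    print("flagged:", find_suspicious(sample))
    print("orphan args files:", find_orphan_args(sample))
```

Run it against a real datastore mount point (for example a path under `/vmfs/volumes/`) instead of the sample tree when triaging a host; a non-empty `flagged` list is a strong reason to isolate the host and preserve the datastore before any restore work.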