Mass exploitation of ESXi hosts

The Orange Cyberdefense Vulnerability Operations Center discovered 42 ESXi hosts that were vulnerable to CVE-2021-21974. These hosts were discovered between February 2021 and October 2022. This first 6 vulnerable hosts were discovered on February 28, 2021, this is four days after the NVD published date of February 24, 2021. The remaining 36 vulnerable hosts were discovered between November 2021 and October 2022. This means that some hosts were unpatched anywhere between 270 days and 590 days. This is assuming the hosts were patched immediately after discovery. This specific vulnerability impacted 7% of our VOC client base. The Orange Cyberdefense Ethical Hacking Team performed 122 assessments classified as either Internal, External, or Red Team from February 24, 2021, up to and including September 2022. This is the period that vulnerability CVE-2021-21974 was public knowledge and could have been encountered. A detailed blog post about the vulnerability appeared on May 25, 2021, meaning that if a vulnerable ESXi host was encountered and was in scope there existed the possibility that it might have been exploited using the exploit code published on GitHub^{17 18}. At this point, with a full explanation and exploit code, 105 assessments could possibly have yielded a potential finding. Fortunately, none of the clients we assessed had findings with reference to this vulnerability.

As stated earlier, the reported attacks have a noticeable impact on the target system. The attacks resulted in files on the ESXi hypervisor being encrypted after the attacker halted any running virtual hosts. Also, instructions to pay 2 Bitcoins into the designated wallet to obtain the decryption keys were found in files on several exploited ESXi hosts during the first wave of attacks. What was odd was that no ransomware group was named in the instruction file.

One victim shared such a ransom note¹⁹ on Bleeping Computer’s forum. The odd thing is that this note ends with what looks like a possible hint: “SSH is turned on” and “Firewall is disabled”. VMware ESXi has an SSH service that can be enabled. Perhaps the attacker brute forced these hosts with known or weak credentials or exploited a weakness in OpenSSH? The reference to the disabled firewall could suggest that the attacker felt that, had a firewall been in place with appropriate configuration, then their attack might have been thwarted. Disabling or limiting remote access to any host exposed to the Internet is crucial as this greatly limits what attackers can do.

Another user of the Bleeping Computer forum posted on the same thread on February 8, 2023, stating that an ESXi host was compromised even though the “SLP service was turned off”²⁰. If this is the case, then the OpenSLP vulnerability theory seems unlikely to be the only attack vector.

There are hints at further extortion in the ransomware note shared on Bleeping Computer’s forum post. In the days after the first wave of attacks, the modus operandi of the attackers changed. They updated their ransom note by removing their Bitcoin wallet address and instead listing a TOR Onion (darkweb) Site. Both versions of the ransom note threaten to share the stolen data if no ransom is paid. The first version lacked a typical negation site. The newer version of the ransom note with the TOR web address might indicate that the attackers are still developing their infrastructure to align with what has become the norm with typical Cyber Extortion negotiations.

There has been mention in some reports of a new ransomware group called ‘Nevada’, but no concrete evidence linking the mass exploitation of ESXi and the group has been presented yet. We do know, however, that Cyber Extortion groups evolve over time. Some fade out, while others morph into new groups.

In Q4 of 2022, we actually saw a relatively low number of threat actor groups extorting victim organizations around the world - a total of 19 threat actor groups victimizing 494 organizations. The last time we counted under 20 active unique threat actor groups was in the beginning of 2021 – almost 2 years ago. Nevertheless, the number of victims increased during Q4, specifically during December 2022. During December, two new threat actor groups ’Play’ and ‘Royal’ were added to our monitoring process, contributing to the sudden increase.

The group ‘ViceSociety’ also changed its TOR onion address during this period, which led to 19 victims being noted on the same day, so the data might not represent the actual date and time of the postings of these victims.

In mid-December, multiple sources reported on another new ransomware variant called ‘Royal’, which surfaced in November in our dataset but is said to have been active already in early 2022. It is believed that some of the ex-Conti members are running this Cy-X operation. In November and December, we registered 51 businesses that have fallen victim to this group. Victims originated from countries such as U.S. (59%), Canada (8%), Brazil (6%), Germany (6%) and Austria (4%), showing ‘the usual’ mix of victim countries.

While the total number of victims increased again slightly during Q4, we observe a shift of threat actors contributing to this threat. This is not unusual given the opportunistic nature of this ecosystem While some threat actor groups might cease operations, others are ready to ‘take on their share’ of victims.

Looking at the top 20 countries impacted by this threat in Q4, more than half of all victims are headquartered in the U.S. In Q4 we saw that U.S. based victims rose to 51% of the total number of victims compared from 40% in Q3 2022. The second most impacted country during Q4 was Canada with victims from verticals such as Manufacturing (n=7), Information (n=4) and Wholesale Trade (n=3).

As can be seen in the chart above, English-speaking countries were the most impacted countries in Q4, closely followed by victims from Germany (n=21), Brazil (n=17) and France (n=17). French victims have decreased by almost half from Q3 to Q4. One reason can be that LockBit, who caused over 80% of the French victims in Q3, has had less activity during Q4. While Brazil is proportionally in the fifth position. In Q4, and especially during December 2022, we registered the highest number of organizations from Brazil falling victim to Cyber Extortion.

Returning to the ESXiArgs malware. On a technical level it seemed at first that the encryption technique used by the attackers is cryptographically sound, but the extent to which the attackers encrypted the files could potentially result in data being recovered. A guide²² was published by Turkish researchers to help with the possible recovery of virtual hosts. The guide does assume a high level of skill and experience with VMware and is not something a novice might be able to have success with. CISA have published resources to help with the recovery of data and should be easier to execute than the guide^{23 24}.

However, it seems that the attackers realized that victims could recover their data and released a new version of the ransomware that encrypts up to 50% of the data if the VMware data file is larger than 128MB²⁵ . The reason for the 50% encryption is that the data files representing the virtual disk of the virtual computes can be gigabytes if not terabytes in size. Encrypting this can take very long. So, encrypting the disks selectively still renders the virtual discs unusable, but also leaves some of the data intact. It’s a matter of luck whether the unencrypted data is usable.

The updated version may render recovery per the guide and CISA tool less likely to be successful.