Thursday September 19, 2024

Advisory ID: NCC-CSIRT-0702-010

Summary:  The French Computer Emergency Response Team (CERT-FR) has reported a ransomware campaign that exploits a high-severity vulnerability in the OpenSLP service of VMware ESXi (a bare-metal hypervisor), a flaw VMware patched in February 2021. Successful exploitation allows arbitrary code execution on the hypervisor, after which the attackers encrypt the files that make up its virtual machines. The campaign targets unpatched and unprotected ESXi servers worldwide that expose the SLP service (TCP port 427) to the Internet.

Vulnerable Platform(s):  VMware ESXi Servers 

Threat Type:  Malware, Ransomware, and Vulnerability.

Product :   VMware ESXi (bare-metal hypervisor)

Version:   Unpatched ESXi 6.5.x, 6.7.x and 7.0.x builds that lack the February 2021 OpenSLP fix (the CERT-FR alert referenced below lists the fixed builds; the 6.x branches are no longer in general support).

Description:  The researchers found that the attackers used the vulnerability to compromise ESXi servers and deploy malware that encrypts the files backing virtual machines: files with the .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram and .vmem extensions. The malware does not appear to exfiltrate data, yet the ransom note it leaves threatens that the data will be sold unless the victim pays; the note demands about 2 bitcoins (roughly $48,000 at the time) for the key needed to restore the files. The malware attempts to shut down running virtual machines before it starts encrypting (a running VM holds locks on its files), but analysis by the French cloud provider OVH found that this step does not always work as intended. In several cases files were only partially encrypted, and the affected virtual machines could be recovered without paying the ransom.

Consequences:  

  • Remote arbitrary code execution on the hypervisor
  • Encryption of virtual machine files on compromised hosts

Impact/Probability: HIGH/HIGH

Solution :
  • Isolate the affected server from the network.
  • Perform a system scan and review the host for signs of compromise.
  • Reinstall the hypervisor on a version still supported by VMware.
  • Apply all security patches and follow future security advisories from VMware and other relevant publishers.
  • On hosts that do not need SLP, disable the service and close TCP port 427 at the ESXi firewall and at the perimeter, as VMware recommends; in any case, do not expose the management interfaces of ESXi hosts to the Internet.

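
The helpers below are added here as an example; they are not part of the CERT-FR alert or of VMware's own tooling. They put the solution steps above into a form that can be run from the ESXi shell: two parsers that check whether SLP is still reachable (the esxcli output samples are constructed approximations of the real format), an inventory of the virtual machine file types the malware targets, and the SLP shutdown sequence VMware documents. The function names and the file name in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example, not code from the advisory, CERT-FR or VMware: triage and hardening
# helpers for the campaign described above. Written for the ESXi shell (busybox ash)
# but kept to POSIX sh so the parsers can be exercised elsewhere with captured output.
# Function names are this example's own; the esxcli output formats are assumptions
# based on the real commands.

# Report the state of the CIMSLP firewall ruleset, the ESXi rule that opens the
# OpenSLP port (427), given the text of `esxcli network firewall ruleset list`.
# Prints one of: enabled | disabled | absent
slp_ruleset_state() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { found = 1; if ($2 == "true") print "enabled"; else print "disabled" }
        END { if (!found) print "absent" }'
}

# Succeed (exit 0) when a TCP listener is bound on port 427, given the text of
# `esxcli network ip connection list`. A host can have the ruleset disabled and
# slpd still running, so both checks are worth doing.
slp_listener_present() {
    printf '%s\n' "$1" |
        grep -Eq '^tcp[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[^[:space:]]+:427[[:space:]].*LISTEN'
}

# Count the files under a datastore path whose extensions the malware targets.
# Run it per datastore before and during triage: a burst of recent changes across
# these types on many VMs is the pattern to look for.
vm_file_inventory() {
    find "$1" -type f \( -name '*.vmdk' -o -name '*.vmx' -o -name '*.vmxf' \
        -o -name '*.vmsd' -o -name '*.vmsn' -o -name '*.vswp' -o -name '*.vmss' \
        -o -name '*.nvram' -o -name '*.vmem' \) | wc -l | tr -d ' '
}

# Stop slpd, close its firewall rule and keep it off across reboots (the sequence
# VMware documents for disabling SLP). Returns 2 without touching anything when
# esxcli is not present, so the file is safe to source on a workstation.
disable_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found: not an ESXi host" >&2
        return 2
    fi
    /etc/init.d/slpd stop &&
        esxcli network firewall ruleset set -r CIMSLP -e 0 &&
        chkconfig slpd off
}

# Usage on a host (file name is hypothetical):  . ./esxi_slp_check.sh
#   slp_ruleset_state "$(esxcli network firewall ruleset list)"
#   slp_listener_present "$(esxcli network ip connection list)" && echo "port 427 open"
#   vm_file_inventory /vmfs/volumes/datastore1
#   disable_slp
```

Source the file on the host and run the two checks before and after `disable_slp`; both should report the port closed afterwards. The inventory count is a baseline only: compare it against a known-good count and against the modification times of the files to spot a mass rewrite.
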
References: 

https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/

https://thehackernews.com/2023/02/new-wave-of-ransomware-attacks.html

https://www.bleepingcomputer.com/news/security/vmware-warns-admins-to-patch-esxi-servers-disable-openslp-service/

https://www.securityweek.com/many-vmware-esxi-servers-targeted-in-ransomware-attack-via-old-vulnerability/