The Service Location Protocol (SLP) used by different versions of Vmware ESXI are vulnerable to a known CVE-2021-21974. The CVE enables remote code execution by an attacker on port 427 used by OpenSLP.
After execution of the ransomware, the hypervisor’s web administration interface and its command-line interface, displayed the same message : “How to restore your files. Security Alert!!! We hacked your company successfully.“
The cloud services provider OVHcloud released their observations :
The compromission vector is confirmed to use a OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed). The logs actually show the user dcui as involved in the compromission process.
Encryption is using a public key deployed by the malware in /tmp/public.pem
The encryption process is specifically targeting virtual machines files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”,”*.vmem”)
The malware tries to shutdown virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected resulting in files remaining locked.
The malware creates argsfile to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size)
No data exfiltration occurred.
Affected Versions of ESXi
ESXi versions 7.x prior to ESXi70U1c-17325551 ESXi versions 6.7.x prior to ESXi670-202102401-SG ESXi versions 6.5.x prior to ESXi650-202102101-SG
CVE-2021-21974 refers to a heap overflow vulnerability found in VMware ESXi. The source of the vulnerability is an overflow in the OpenSLP service within ESXi. An attacker can take advantage of this vulnerability by sending a harmful packet to the impacted system, causing the overflow and giving the attacker the ability to run any code they desire.
Several files appear to have been dropped on the ESXi machine after exploitation, including a shell script and an ELF executable file.
Lupovis IP Block List
At Lupovis we constantly monitor internet noise and mass scanners and vulnerabilities being exploited. Within hours of the first infections, and due to the scale of the ransomware group operations, we started reporting the IPs of the scanners used.
We then kept updating the list of IPs used by the scanners as the hours progressed. If you have been unable to patch or close the OpenSLP port (427) between the internet and the servers with ESXI, yet, we strongly recommend you block the following IP addresses
Whether you have a specific security issue or are looking for more information on our Deception as a Service platform, simply request a call back with one of our security experts, at a time that suits you.