At least one major ransomware gang is abusing vulnerabilities in the VMWare ESXi product to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives.
The attacks, first seen last October, have been linked to intrusions carried out by a criminal group that deployed the RansomExx ransomware.
According to multiple security researchers who spoke with ZDNet, evidence suggests the attackers used CVE-2019-5544 and CVE-2020-3992, two vulnerabilities in VMware ESXi, a hypervisor solution that allows multiple virtual machines to share the same hard drive storage.
Both bugs impact the Service Location Protocol (SLP), a protocol used by devices on the same network to discover each other; also included with ESXi.
The vulnerabilities allow an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it, even if the attacker has not managed to compromise the VMWare vCenter server to which the ESXi instances usually report to.
In attacks that have taken place last year, the RansomExx gang has been seen gaining access to a device on a corporate network and abusing this initial entry point to attack local ESXi instances and encrypt their virtual hard disks, used to store data from across virtual machines, causing massive disruptions to companies, as ESXi virtual disks are usually used to centralize data from multiple other systems.
Reports of these attacks have been documented on Reddit, shared on Twitter, presented at a security conference last month, and confirmed in interviews with ZDNet over the past two months.
Free threat intel – identify and patch VMware ESX vulnerabilities CVE-2019-5544 and CVE-2020-3992.
Ransomware group using them to bypass all Windows OS security, by shutting down VMs and encrypting the VMDK’s directly on hypervisor.
— Kevin Beaumont (@GossiTheDog) November 7, 2020
For now, only the RansomExx (also known as Defray777) gang has been seen abusing this trick, but in a mysterious update last month, the operator of the Babuk Locker ransomware has also announced an eerily similar feature —although successful attacks have not yet been confirmed.
Furthermore, threat actors have also observed selling access to ESXi instances on underground cybercrime forums last year, according to threat intelligence firm KELA. Since ransomware gangs often work with initial access brokers for their initial entry points inside organizations, this might also explain why ESXi was linked to some ransomware attacks last year.
System administrators at companies that rely on VMWare ESXi to manage the storage space used by their virtual machines are advised to either apply the necessary ESXi patches or disable SLP support to prevent attacks if the protocol isn’t needed.