I obviously don’t have my tweet thread any more to add to it, but somebody is doing automated destructive attacks on VMware ESXi with 2021 vulns. At the time, to their credit, VMware were very clear in customer comms that not patching could lead to ransomware. #ESXiArgs https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
I don’t yet have a sample of the payload, but I know they’re using automated deployment with internet scanning. #ESXiArgs
#ESXiArgs #ransomware looks to be impacting thousands of ESXi boxes, with the VMs below toast 😬

#ESXiArgs:

- Not a worm
- Automated attacks but attacker IP running
- Not very skilled
- You can pull attacker IP by running Netflow against impacted boxes (you can pull from Shodan)
- Primary impact SMB MSPs and dedicated server hosts who default VMware insecure on deployment
- Likely off the shelf OpenSLP exploit (e.g. https://github.com/straightblast/My-PoC-Exploits/blob/master/CVE-2021-21974.py ) based on it only impacting certain version ESXi hosts
- Haven't been able to get binary, but may be Babuk builder, similar to Cheerscrypt mid last year.

@GossiTheDog Can’t thank you enough for the information you share. Even if it’s only to help some of us sleep better.