Ransomware gangs are abusing VMware ESXi exploits to encrypt virtual hard disks

Two VMware ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, reported as abused in the wild.


At least two major ransomware gangs are abusing vulnerabilities in the VMware ESXi hypervisor to take over virtual machines deployed in enterprise environments and encrypt their virtual hard disks.

The attacks, first seen last October, have been linked to intrusions carried out by a criminal group that deployed the RansomExx ransomware.

According to multiple security researchers who spoke with ZDNet, evidence suggests the attackers used CVE-2019-5544 and CVE-2020-3992, two vulnerabilities in VMware ESXi, the bare-metal hypervisor that runs many virtual machines on a single host and keeps their virtual disks on shared datastores.

Both bugs sit in OpenSLP, the implementation of the Service Location Protocol (SLP) bundled with ESXi and listening on port 427. SLP is a discovery protocol that lets devices on the same network advertise and find each other's services.

The vulnerabilities allow an attacker who can reach an ESXi host's SLP port from the same network to send malicious SLP requests and take control of the hypervisor itself, even without first compromising the VMware vCenter server that ESXi hosts usually report to.

In attacks that took place last year, the RansomExx gang was seen gaining a foothold on a single device inside a corporate network, using it to reach local ESXi hosts, and encrypting the virtual disk files on their datastores. Because those datastores hold the disks of many virtual machines at once, one encrypted host can take down dozens of servers, which is what made these incidents so disruptive.

Reports of these attacks have been documented on Reddit, shared on Twitter, presented at a security conference last month, and confirmed in interviews with ZDNet over the past two months.

In addition, Evgueni Erchov, director of incident response and cyber threat intel at Arete IR, tells ZDNet that there have also been cases where ESXi instances have been encrypted during attacks by the Darkside ransomware group. While rarer than the ones carried out by the RansomExx gang, the attacks show a trend forming in the cybercriminal underground.

This trend was also obvious in a mysterious update posted online last month by the operator of the Babuk Locker ransomware, who announced an eerily similar feature —although successful attacks have not yet been confirmed.

Furthermore, threat actors have also been observed selling access to ESXi instances on underground cybercrime forums last year, according to threat intelligence firm KELA. Since ransomware gangs often buy their initial entry points inside organizations from initial access brokers, this might also explain why ESXi was linked to some ransomware attacks last year.

Image: KELA

System administrators at companies that run their virtual machines on VMware ESXi are advised to apply the ESXi patches listed in VMware's advisories for the two bugs (VMSA-2019-0022 for CVE-2019-5544 and VMSA-2020-0023 for CVE-2020-3992). Where SLP is not needed, which is the common case, VMware's knowledge base article 76372 describes disabling it outright: stop the slpd service, disable the CIMSLP firewall ruleset, and turn slpd off with chkconfig so it stays disabled across reboots. Either way, port 427 on the ESXi management interface should not be reachable from general user networks.
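To check which hosts still expose the vulnerable service after patching or disabling SLP, a small probe that speaks just enough SLPv2 (RFC 2608) to elicit a reply on UDP/427 is handy. The script below is an added example written for this article, not code from ZDNet, VMware, or any of the researchers cited; it assumes only the wire format from RFC 2608 and that an ESXi host with slpd running answers a unicast SrvRqst for "service:service-agent" (the RFC-defined way to discover service agents). The sample reply used for offline testing is constructed here, not captured from a real host.

```python
"""Minimal SLPv2 (RFC 2608) probe for finding ESXi hosts that still answer on UDP/427.

Added example; not part of the original article. A reply of any SLPv2 function
(SrvRply, SAAdvert, ...) carrying our XID means slpd is listening, so the host
still exposes the surface used by CVE-2019-5544 and CVE-2020-3992.
"""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST, FN_SRVRPLY, FN_SAADVERT = 1, 2, 11
HEADER_LEN = 14  # fixed part of the SLPv2 header, before the language tag


def _header(function, xid, lang, body_len):
    """version(1) function(1) length(3) flags(2) next-ext-offset(3) xid(2) langlen(2) lang."""
    total = HEADER_LEN + len(lang) + body_len
    return (struct.pack("!BB", SLP_VERSION, function) + total.to_bytes(3, "big")
            + struct.pack("!H", 0) + (0).to_bytes(3, "big")
            + struct.pack("!HH", xid, len(lang)) + lang)


def _lstr(s):
    """SLP length-prefixed string: 2-byte big-endian length followed by the bytes."""
    return struct.pack("!H", len(s)) + s


def build_srvrqst(xid, service_type=b"service:service-agent", scope=b"DEFAULT", lang=b"en"):
    """SrvRqst body: PRList, service-type, scope-list, predicate, SLP SPI (all length-prefixed)."""
    body = _lstr(b"") + _lstr(service_type) + _lstr(scope) + _lstr(b"") + _lstr(b"")
    return _header(FN_SRVRQST, xid, lang, len(body)) + body


def build_srvrply(xid, urls, lifetime=65535, lang=b"en"):
    """SrvRply body: error(2) count(2), then per URL: reserved(1) lifetime(2) urllen(2) url nauths(1).
    Only used to construct a sample reply for offline testing (not a captured packet)."""
    body = struct.pack("!HH", 0, len(urls))
    for url in urls:
        body += struct.pack("!xHH", lifetime, len(url)) + url + b"\x00"
    return _header(FN_SRVRPLY, xid, lang, len(body)) + body


def parse_header(data):
    """Validate the fixed header and return function ID, XID and the offset of the body."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated SLP header")
    version, function = data[0], data[1]
    length = int.from_bytes(data[2:5], "big")
    xid, lang_len = struct.unpack("!HH", data[10:14])
    if version != SLP_VERSION or length != len(data):
        raise ValueError("not a well-formed SLPv2 message")
    return {"function": function, "xid": xid, "body": HEADER_LEN + lang_len}


def parse_reply(data):
    """Return (function, xid, urls). URLs are pulled out of SrvRply and SAAdvert messages."""
    hdr = parse_header(data)
    pos, urls = hdr["body"], []
    if hdr["function"] == FN_SRVRPLY:
        error, count = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if error:
            raise ValueError("SrvRply error code %d" % error)
        for _ in range(count):
            url_len = struct.unpack("!xHH", data[pos:pos + 5])[1]
            pos += 5
            urls.append(data[pos:pos + url_len].decode("ascii", "replace"))
            pos += url_len
            nauths = data[pos]
            pos += 1
            for _ in range(nauths):  # skip auth blocks: BSD(2) length(2) ..., length covers the block
                pos += struct.unpack("!H", data[pos + 2:pos + 4])[0]
    elif hdr["function"] == FN_SAADVERT:
        url_len = struct.unpack("!H", data[pos:pos + 2])[0]  # SAAdvert starts with the SA's URL
        urls.append(data[pos + 2:pos + 2 + url_len].decode("ascii", "replace"))
    return hdr["function"], hdr["xid"], urls


def probe_host(host, timeout=2.0):
    """Send one SrvRqst to host:427 over UDP and return (function, urls) if an SLPv2 reply
    with our XID comes back, else None. Network call; not exercised by the offline tests."""
    xid = 0x5A5A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srvrqst(xid), (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    function, reply_xid, urls = parse_reply(data)
    return (function, urls) if reply_xid == xid else None


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # e.g. python slp_probe.py 10.0.0.11 10.0.0.12
        print(host, "SLP answering:" if probe_host(host) else "no SLP reply", probe_host(host))
```

Run it against the management addresses of every ESXi host; anything that still answers after the "disable SLP" steps has not actually picked up the change (typically because slpd was stopped but not turned off for the next boot, or the CIMSLP firewall ruleset is still open). A host that does not answer is not proof it is patched, only that the SLP surface is closed, so keep tracking the ESXi build number separately.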