The first attack was seen in October 2020 after a Reddit user made a post detailing 200 of their customer’s VMs were encrypted. The Reddit user stated it may have started with a Windows 2012 R2 server that was outside the VMWare environment which had access to the ESXI management URL.
Brazil’s Superior Justice Tribunal (SJT) was also attacked, which resulted in 1000 VMs being encrypted with ransomware. In both cases, the ransomware encrypted that VMs at the datastore level and the ransom note was left at the root of the datastores. SJT’s attack appeared to have originated from a phishing email wherein users installed a trojan. Attackers then escalated privileges using existing vulnerability CVE-2020-1472 and gained access to the hosts with ESXi’s management subnet. Using CVE-2020-5544 and CVE-2020-3992, the attackers ran arbitrary code on the ESXi hosts. From there, a python executable was created on the ESXi hosts and encrypted the VMs.
Both organizations used FC storage, which doesn’t allow hosts to read the contents of the datastores outside of the ESXi servers. The vulnerabilities used impact the “Service Location Protocol” that is used by devices on the same network to discover one another. These vulnerabilities allowed the attacker on the same network to send SLP requests to the ESXi devices.
To prevent the attacks, ESXi patches should be applied and SLP should be disabled if not necessary. Furthermore, the following recommendations can help to mitigate the risk of a successful attack:
The implications of a successful ransomware attack on ESXi servers could be devastating. If an organization is using ESXi as a means for service or storage, encryption at this data can shut down operations just as it did for SJT.
VerSprite’s Threat Intelligence Group provides organizations with real-time threat monitoring, analysis, prevention recommendations, and mitigation. Our elite team works with companies across all industries and security maturity levels to defend against threats. For more information on Versprite’s Threat Intel Group or their managed monitoring tool, CTIP, contact one of our security advisers today. Contact VerSprite →