Analysis
On 3rd February the Computer Emergency Response Team of France (CERT-FR) raised an alert that threat actors were actively exploiting a two-year-old VMware ESXi vulnerability to carry out ESXiArgs ransomware attacks.
As per reports, the threat actors use the vulnerabilities CVE-2020-3992 and CVE-2021-21974 to remotely execute arbitrary code on the hypervisor and then deploy the ransomware. Exploit code for these vulnerabilities has been publicly available since May 2021.
On 8th February CISA (Cybersecurity & Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation) jointly published recovery guidance for this ransomware attack. Organizations impacted by the attack can use the script issued by CISA to recover their files.
Prevention
- Update the servers to the latest version of VMware ESXi software.
- Disable the Service Location Protocol (SLP) service to harden the ESXi hypervisors.
- Ensure the ESXi hypervisor is not exposed to the public internet.
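The second prevention step, disabling SLP on the hypervisor, is shown below as an added example; it is not part of the CERT-FR or CISA advisories. It follows the steps VMware documents for stopping slpd, blocking the CIMSLP firewall ruleset and keeping the service from starting on reboot, and assumes the host still ships the slpd init script and that ruleset. The `harden_slp`, `run` and `slp_disabled_in_listing` function names and the DRY_RUN switch are this example's own; the sample `chkconfig --list` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the CERT-FR/CISA advisories): disable the SLP service
# on an ESXi host and verify the result.
# Assumes an ESXi shell with /etc/init.d/slpd, esxcli and chkconfig available.
# Set DRY_RUN=1 to print the commands instead of executing them.

# Execute a command, or echo it when DRY_RUN=1 (useful for change review).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Stop slpd, disable its firewall ruleset, and prevent it from starting on boot.
harden_slp() {
    run /etc/init.d/slpd stop
    run esxcli network firewall ruleset set -r CIMSLP -e 0
    run chkconfig slpd off
}

# Given the text of `chkconfig --list`, return 0 only when slpd is listed as off.
# A listing line looks like (constructed sample):  slpd                    off
slp_disabled_in_listing() {
    echo "$1" | awk '$1 == "slpd" { found = 1; if ($2 == "off") ok = 1 }
                     END { exit (found && ok) ? 0 : 1 }'
}

# Live check against the running host (not used in dry-run mode).
slp_disabled() {
    slp_disabled_in_listing "$(chkconfig --list 2>/dev/null)"
}

# Usage on the host:  sh harden_slp.sh --apply   (or DRY_RUN=1 to preview)
if [ "${1:-}" = "--apply" ]; then
    harden_slp
    if slp_disabled; then
        echo "slpd is disabled"
    else
        echo "slpd is still enabled; check chkconfig --list" >&2
        exit 1
    fi
fi
```

Run it first with DRY_RUN=1 to review the exact commands, then with `--apply` on each host; the final check parses `chkconfig --list` so the script fails loudly if slpd is still set to start on boot.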
Remediation
Use the script at the link below to recover from the impact: https://github.com/cisagov/ESXiArgs-Recover
References
CERT-FR: ssi.gouv.fr
CISA: CISA.gov