Threat Intel

Thousands of ESXi hosts around (some of) the globe have been encrypted by cyber criminals. This post is a fast publish showing some of what has occurred and its impact, and it now includes limited remedial advice.

If you have been affected by this ransomware event, CISA has published an attempted recovery script:

https://github.com/cisagov/ESXiArgs-Recover/blob/main/recover.sh

Situation

~2.5K Infected ESXi servers – Map Created using IPINFO.IO

Thousands of hosts in Western countries have been ransomwared:

https://www.shodan.io/search/facet?query=http.title%3A%22How+to+Restore+Your+Files%22&facet=org

https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/

Count of IPs Encrypted from Censys (per country)

Initial Access Vector

Unknown, but possibly exploitation of the OpenSLP service on ESXi (slpd, port 427) via one of:

  • CVE-2019-5544
  • CVE-2020-3992
  • CVE-2021-21974 (this is the one everyone is reporting, but we haven’t seen forensic evidence of it)

Juniper Blog

https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/

Why don’t we know? These hosts aren’t heavily monitored, and logs or other evidence of the slpd service actually being exploited are thin on the ground. People are also (rightly) focusing on restoring service rather than on forensic analysis at this stage.

Patient Zero

So at the weekend I found some entries going back to October, but I woke up today to find this chap had found one going back even further!

(nice work dude!)

https://www.linkedin.com/feed/update/urn:li:activity:7028483731652808704?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7028483731652808704%2C7028492870693068800%29

We believe this host:

https://trends.shodan.io/search?query=title%3A%22How+to+Restore+Your+Files%22#facet/ip

was the first host to have this chain tested on it.

Threat Actor/s

Unknown, but likely aligned with, or politically/physically located in or adjacent to, Russia, China, Iran, North Korea, India, South America or Africa (this is a broad list of the countries and regions that were not affected despite having vulnerable servers exposed).

Timeline

  • 23rd February 2021 – VMware issues a patch for OpenSLP (slpd) on ESXi. The advisory states the attacker must be network adjacent (this might be wrong!)
  • April 2022 – A single host is detected as having been encrypted with what appears to be this ransom note
  • October 2022 – A backdoor on ESXi is detected by Juniper
  • October 2022 – A group of hosts are encrypted
  • Friday 3 February 2023 – Hundreds to thousands of ESXi hosts start displaying ransom notes on the ESXi HTTPS service and in the SSH MOTD

Payment Tracking

Each host has a unique Bitcoin wallet address. At the time of writing only 0.5 of a bitcoin is known (to me) to have been paid to the criminals. It’s now reported that ~50K USD has been paid.

Response & Recovery

Response is complex: “isolate, contain and eradicate” is easy to say and sometimes harder to do given the number of variables. This post isn’t covering detailed ESXi recovery steps. Recovery may be simple, it may be complex, or it may not be possible at all (paying is an option, but a very risky one).

You may be able to restore VMs by rebuilding VMDK descriptors…
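
To make the descriptor-rebuild idea concrete, here is an added example (mine, not the CISA recover.sh and not code from the original post). The CISA script does this on the host with vmkfstools; this function writes the descriptor text directly so the layout is visible and it can be exercised off-host. It assumes the -flat.vmdk data extent itself is intact and still has its original name, a thin-provisioned disk on an lsilogic adapter, and virtual hardware version 14 unless you pass a second argument; check the VM’s .vmx and adjust those before registering the disk. If the flat file’s contents were encrypted too, a rebuilt descriptor will only register a disk full of junk.

```sh
#!/bin/sh
# Added example (not the CISA recover.sh): rebuild the descriptor .vmdk for a
# disk whose -flat.vmdk data extent survived. On a real host you would let
# vmkfstools generate this; here the descriptor is written directly so the
# layout is visible and the function can be exercised off-host.
#
# Assumptions (adjust to match the VM's .vmx): thin-provisioned disk on an
# lsilogic adapter, virtual hardware version 14 unless a second argument is given.

# Usage: rebuild_vmdk_descriptor /vmfs/volumes/ds1/vm/vm-flat.vmdk [hw_version]
# Prints the path of the descriptor it wrote.
rebuild_vmdk_descriptor() {
    flat="$1"
    hwver="${2:-14}"
    case "$flat" in
        *-flat.vmdk) ;;
        *) echo "expected a *-flat.vmdk path, got: $flat" >&2; return 1 ;;
    esac
    [ -f "$flat" ] || { echo "missing flat file: $flat" >&2; return 1; }

    dir=$(dirname "$flat")
    base=$(basename "$flat" -flat.vmdk)
    descriptor="$dir/$base.vmdk"

    # Never clobber a descriptor that is still present: it may be the intact original.
    if [ -e "$descriptor" ]; then
        echo "refusing to overwrite existing $descriptor" >&2
        return 1
    fi

    # Extents are declared in 512-byte sectors; a flat file that is not
    # sector-aligned was probably truncated or tampered with, so stop.
    bytes=$(wc -c < "$flat" | tr -d ' ')
    if [ $(( bytes % 512 )) -ne 0 ]; then
        echo "flat file size $bytes is not a multiple of 512 bytes" >&2
        return 1
    fi
    sectors=$(( bytes / 512 ))
    # lsilogic geometry is 255 heads x 63 sectors per track; never write 0 cylinders.
    cylinders=$(( sectors / (255 * 63) ))
    [ "$cylinders" -ge 1 ] || cylinders=1

    cat > "$descriptor" <<EOF
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW $sectors VMFS "$base-flat.vmdk"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "$cylinders"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.thinProvisioned = "1"
ddb.virtualHWVersion = "$hwver"
EOF
    echo "$descriptor"
}

# Stand-alone demo on a constructed 10 MiB flat file (20480 sectors) in a temp dir.
demo_rebuild() {
    tmp=$(mktemp -d)
    dd if=/dev/zero of="$tmp/demo-flat.vmdk" bs=1048576 count=10 2>/dev/null
    cat "$(rebuild_vmdk_descriptor "$tmp/demo-flat.vmdk")"
    rm -rf "$tmp"
}

demo_rebuild
```

Work on a copy of the datastore files, not the originals, and after the descriptor exists re-add the disk to the VM (or re-register the VM) and boot it in an isolated network first; the function refuses to overwrite an existing descriptor precisely so that an intact original is never replaced by a guessed one.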

You may find some useful information in the forums (be careful: read and understand anything posted there before you run it against your datastores):

https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-28

IP IOCs

This list is a subset from

https://github.com/fastfire/IoC_Attack_ESXi_Feb_2023/blob/main/ip.md

It has been enriched and has had some of the “known good” IPs taken out.

I think some IPs in here are not criminals but people doing mass scanning (researchers), but I can’t confirm this, so I’ve left the list as is:

104.152.52.131
104.152.52.55
107.155.50.142
107.170.232.9
146.0.75.2
152.32.219.120
162.243.141.11
162.62.191.220
162.62.33.200
164.92.211.90
170.106.115.253
170.106.115.55
192.241.196.48
192.241.200.36
192.241.202.27
192.241.214.26
192.241.223.35
192.241.239.28
198.199.103.238
43.130.10.173
43.131.94.145
46.17.96.41
103.75.201.219
104.152.52.233
106.75.190.21
106.75.64.29
119.42.54.188
172.105.73.148
176.58.124.251
89.248.163.200
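
To check your own logs against a list like the one above, here is an added example (mine, not from the IoC repository) that counts how often each IOC IP appears in a log file. The IOC subset and the sshd-style log lines in the demo are constructed for the example, not real entries. The point worth noticing is the -w flag: an IPv4 address is easily a substring of another one, so a plain grep -F over the list will produce false hits.

```sh
#!/bin/sh
# Added example (not from the IoC repository): count how often each IOC IP
# appears in a log file. Works on any text log (ESXi /var/log/auth.log,
# hostd.log, a firewall export) because it only looks for the dotted quads.

# Usage: ioc_hits iocs.txt logfile   -> prints "count ip" per IOC seen, most hits first
ioc_hits() {
    iocs="$1"
    log="$2"
    { [ -f "$iocs" ] && [ -f "$log" ]; } || { echo "usage: ioc_hits iocs.txt logfile" >&2; return 1; }
    patterns=$(mktemp)
    # Normalise the IOC list: drop CRs, comments and blank lines, keep only IPv4 literals.
    tr -d '\r' < "$iocs" | sed 's/#.*//' | tr -d ' \t' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u > "$patterns"
    # -F: literal strings, not regexes (dots would otherwise match any character)
    # -w: whole words only, so 43.130.10.17 cannot match inside 43.130.10.173
    # -o: print just the matched IP so the hits can be counted per IOC
    grep -o -F -w -f "$patterns" "$log" | sort | uniq -c | sort -rn \
        | sed 's/^[[:space:]]*//'
    rm -f "$patterns"
}

# Stand-alone demo on constructed data: two IOCs from the list above and four
# made-up sshd lines in ESXi auth.log style (these are not real log entries).
demo_ioc_hits() {
    tmp=$(mktemp -d)
    printf '%s\n' '# constructed IOC subset' '104.152.52.131' '43.130.10.173' '' > "$tmp/iocs.txt"
    cat > "$tmp/auth.log" <<'EOF'
2023-02-03T09:12:41Z sshd[2104231]: Accepted keyboard-interactive/pam for root from 10.0.0.5 port 51002 ssh2
2023-02-03T09:15:03Z sshd[2104290]: Connection from 104.152.52.131 port 40022
2023-02-03T09:15:09Z sshd[2104290]: Connection from 104.152.52.131 port 40031
2023-02-03T09:16:00Z sshd[2104311]: Connection from 143.130.10.173 port 33211
EOF
    ioc_hits "$tmp/iocs.txt" "$tmp/auth.log"
    rm -rf "$tmp"
}

demo_ioc_hits
```

The demo prints one line, 2 104.152.52.131: the 143.130.10.173 line is not reported even though it contains 43.130.10.173 as a substring. Treat a hit as a lead, not a verdict; as noted above, some of the listed addresses may be researchers’ scanners rather than the actor.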

GreyNoise Enrichment

Malicious IPs in GreyNoise from IOC IP List

Ransom Note

Ransom Note Sample Redacted
How to Restore Your Files
Security Alert!!!

We hacked your company successfully

All files have been stolen and encrypted by us

If you want to restore files or avoid file leaks, please send 2.035639 bitcoins to the wallet {REDACTED}

If money is received, encryption key will be available on TOX_ID: {REDACTED}

Attention!!!

Send money within 3 days, otherwise we will expose some data and raise the price

Don’t try to decrypt important files, it may damage your files

Don’t trust who can decrypt, they are liars, no one can decrypt without key file

If you don’t send bitcoins, we will notify your customers of the data breach by email and text message

And sell your data to your opponents or criminals, data may be made release

Note

SSH is turned on

Firewall is disabled

Mitigations

  • Disable SLP on ESXi if you don’t need it: stop slpd, disable it at boot and block the CIMSLP firewall ruleset (VMware KB 76372 walks through this)
  • Ensure you are running a supported and fully patched ESXi version
  • Apply ingress filtering to all management services on the host (HTTPS, SSH, SLP) and put them behind a VPN or management network rather than on the internet
  • Check hosts for SSH having been enabled and the ESXi firewall having been disabled; the ransom note itself says the actor does both

References

https://github.com/fastfire/IoC_Attack_ESXi_Feb_2023

https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/

More to follow…

Orgs Affected (count of hosts by ORG name)

07-02-2023 – Shodan View by Org

This is not a complete list, only what was visible in Shodan at the time of writing (hosts, then organisation):

Hosts  Org
190  OVH SAS
 91  Hetzner Online GmbH
 80  OVH Hosting, Inc.
 26  OVH US LLC
 18  OVH GmbH
 14  Scaleway
 13  Scaleway Dedibox – Paris, France
 12  OVH Sp. z o. o.
 11  Joe’s Datacenter, LLC
 11  LeaseWeb Netherlands B.V.
 11  OVH Ltd
  9  Cloud South
  9  ONLINE SAS NL
  8  Zenlayer Inc
  7  Hetzner Online AG
  7  WorldStream B.V.
  6  Scaleway Dedibox
  5  MacStadium, Inc.
  5  SECURED SERVERS LLC
  5  myLoc managed IT AG
  5  velia.net Internetdienste GmbH
  4  CoreSpace, Inc.
  4  Korea Telecom
  4  Leaseweb Deutschland GmbH
  4  ReliableSite.Net LLC
  3  Centrilogic, Inc.
  3  Codero
  3  Interserver, Inc
  3  LEASEWEB UK LIMITED
  3  Ministry of Education Computer Center
  3  OVH Singapore PTE. LTD
  3  Rackdog, LLC
  3  Scaleway – Amsterdam, Netherlands
  3  SingleHop LLC
  3  SoftLayer Technologies, Inc.
  3  Stealthy Hosting
  3  Verizon Business
  2  Aoyou L.L.C
  2  Budapest University of Technology and Economics
  2  Cadence Networks Ltd
  2  Cogent Communications
  2  Contabo GmbH
  2  Dedicated Server Hosting
  2  Dedicated servers OVH
  2  Dedispec, LLC.
  2  HA Servers, LLC
  2  Hurricane Electric LLC
  2  Leaseweb USA, Inc.
  2  Level 3 Parent, LLC
  2  Login, Inc.
  2  MadeIT inc.
  2  Manov Investments, LLC
  2  Nocix, LLC
  2  OVHCloud.com
  2  Packet Host, Inc.
  2  QuadraNet Enterprises LLC
  2  RCN
  2  Redium B.V.
  2  Reliable Hosting Services
  2  Scaleway – Paris, France
  2  Serverius Holding B.V.
  2  SoftLayer Technologies Inc.
  2  Turnkey Internet Inc.
  2  Velocihost Inc.
  2  Vietnam Posts and Telecommunications Group
  2  Web Werks
  2  WhiteLabel IT Solutions Corp
  2  WholeSale Internet, Inc.
  2  Wowrack.com
  2  Wroclaw Centre of Networking and Supercomputing
  2  XLHost.com Inc
  1  – HKCIX –
  1  2 Cloud Ltd.
  1  24/7 COMFORT APPAREL
  1  2706360 Ontario Inc
  1  ANFA FAJER Sp.J.
  1  AR TV LTD
  1  AS42926
  1  AT&T Corp.
  1  AT&T Services, Inc.
  1  AZISTA GmbH
  1  Apollo Information Systems Corp
  1  Aptum Technologies
  1  BNS
  1  Barak I.T.C
  1  Bright Packet, Inc.
  1  Brno
  1  CDN77-PRG
  1  CLIENTID7315
  1  CONNECTED TECHNOLOGIES
  1  COULEE INTERNET SERVICES COMPANY
  1  Centrum Uslug Sieciowych
  1  CenturyLink Communications, LLC
  1  Charles River Operation
  1  Charter Communications Inc
  1  ColoHouse LLC
  1  Coloblox Data Centers Inc
  1  Colocation America Corporation
  1  Cologix, Inc
  1  Cologuard
  1  Comcast Cable Communications, LLC
  1  Cox Communications Inc.
  1  Cquadrat GmbH
  1  Cyber Wurx LLC
  1  D2 CLOUD COMMUNICATIONS LTD
  1  DGN Teknoloji Anonim Sirketi
  1  DINGFENG Network
  1  Database Mart LLC
  1  Datacamp Limited
  1  DedFiberCo
  1  Dedicated server
  1  Direct Connect Solutions
  1  Dublin Enterprise & Technology Centre Limited
  1  EG
  1  EGIHosting
  1  ELASSAR MULTIMEDIA
  1  ETC TECHSOLUTIONS
  1  EVRY One Huskvarna AB
  1  EasyDataHost S.L.
  1  Empire Data Technologies
  1  Eotvos Lorand University of Sciences
  1  Equinix Services, Inc.
  1  Excell /30 Customer PPC Connections
  1  FASTPLANET LTD
  1  FPT Telecom
  1  FPT Telecom Company
  1  FastLine For Communication And Information Technology Ltd Broadband Subscribers
  1  Fasthosts Internet Limited
  1  Fibernet Dedicated Hosting San Jose
  1  Fifield Companies
  1  Flokinet Ltd
  1  Fort Hays State University
  1  Fortress Networks
  1  Frontier Communications of America, Inc.
  1  GTHost
  1  Galaxyvisions Inc
  1  GameServers.com
  1  Georgia Institute of Technology
  1  Global Reach Networks Limited
  1  GoDaddy.com, LLC
  1  GorillaServers, Inc.
  1  Gridlogix
  1  HGC Global Communications Limited
  1  HIVELOCITY, Inc.
  1  HKBN Enterprise Solutions HK Limited
  1  HOSTKEY
  1  Hail Point, LLC
  1  Hargray Communications Group, Inc.
  1  Hivelocity Inc
  1  Hogeschool van Arnhem en Nijmegen
  1  HostSailor NL Services
  1  Hosting Services, Inc.
  1  Hudson Valley Host
  1  HugeServer Networks, LLC
  1  Huseyin Inanc
  1  I-2000, Inc.
  1  IDEAL HOSTING TEKNOLOJI A.S
  1  IHGCO ATT
  1  IO INC
  1  IOMART HOSTING LIMITED
  1  IPXO LLC
  1  IPvision
  1  IQ PL Sp. z o.o.
  1  Ibis Budget Bandara
  1  Indeno GmbH – Cloud Services
  1  Industrial Systems Institute,
  1  Infortech Corporation
  1  Institute of Biochemistry and Biophysics LAN
  1  Instituto Politecnico de Tomar
  1  Internet Marketing Ninjas
  1  Izzy Dot Net
  1  KIEVLINE LLC
  1  Krypt Technologies
  1  Last Minute Gourmet
  1  LeaseWeb USA, Inc. Los Angeles
  1  LeaseWeb USA, Inc. Seattle
  1  Limestone Networks, Inc.
  1  MEVSPACE sp. z o.o.
  1  MOJOHOST
  1  MULTACOM CORPORATION
  1  MUV Bilisim ve Telekomunikasyon Hizmetleri Ltd. Sti.
  1  MadNET d.o.o.
  1  Magyar Telekom plc.
  1  Majestic Hosting Solutions, LLC
  1  MegaNetServe Inc.
  1  Mersa Host Datacenter Solutions
  1  Missouri CASA
  1  Mraknet s.r.o.
  1  NForce Entertainment B.V.
  1  NYITX
  1  Natureware Inc.
  1  Nerivon
  1  Nessus GmbH
  1  Netsons s.r.l.
  1  Network Address for Servers
  1  New Century InfoComm Tech. Co., Ltd.
  1  Nida Telekomunikasyon Hizmetleri A.S.
  1  Northern Neck Wireless Internet Services LLC
  1  Ntirety, Inc.
  1  OC1-DedicatedNow, LLC
  1  ODS Joint Stock Company
  1  OVH Dedicated Servers LIM
  1  OVH Dedicated Servers LON
  1  PAGI S.A.
  1  PEG TECH INC
  1  PNG Maritime College
  1  PRIVATE JOINT STOCK COMPANY DATAGROUP
  1  PT. Akashia Thuba Jaya
  1  Perfect International, Inc
  1  Performive LLC
  1  Pingmar
  1  Pinpointe On-Demand, Inc.
  1  PowerWeb – Backbone Uplink2
  1  QuickPacket, LLC
  1  Rackspace Hosting
  1  RapidSwitch Ltd
  1  Rapidswitch
  1  Ravand CyberTech Inc
  1  Ravand Cybertech Inc.
  1  Register.it Server
  1  Ruprecht-Karls-Universitaet Heidelberg
  1  SBA Edge, LLC
  1  SERVERS
  1  SIMCENTRIC-HK NETBLOCK
  1  SPEED-NET S.R.L
  1  STIADSL S.R.L
  1  SUPPORNET INC.
  1  Sagitta ApS
  1  Saglayici Teknoloji Bilisim Yayincilik Hizmetleri Ltd. Sti.
  1  Seflow s.r.l.
  1  Sharktech
  1  Sharq Telekom CJSC
  1  Shenmiren Communications
  1  Simtronic Technologies Pty Ltd
  1  SingleHop
  1  Slovak Technical University
  1  SolidSpace LLC
  1  Southern Broadband, LLC
  1  State University of New York at Stony Brook
  1  Supreme Court of the State of Florida
  1  T-Mobile Austria GmbH
  1  TELEFONICA DE ESPANA S.A.U.
  1  TENET Scientific Production Enterprise LLC
  1  Telecom Italia S.p.A.
  1  The Montgomery Academy
  1  Tourist Information Centres Ltd.
  1  Tripnet AB
  1  Turhost.com Dedicated Servers Network 1
  1  UAB Informacijos labirintas
  1  UAB Rakrejus
  1  US Zenlayer FRA BMC
  1  Ulm, Germany
  1  UnReal Servers, LLC
  1  UnionCOM Ltd
  1  University of Ioannina
  1  University of Macedonia
  1  University of Pitesti
  1  University of Virginia
  1  Vargonen Teknoloji ve Bilisim Sanayi Ticaret Anonim Sirketi
  1  Viettel Group
  1  Vodafone Hungary Ltd.
  1  Volia Cherkassy
  1  Voxility S.R.L.
  1  Wave Broadband
  1  WebNX, Inc.
  1  Webb Kooper AB
  1  Webmad Webmarketing GmbH
  1  WiLine Networks Inc.
  1  Wnet Ukraine LLC
  1  WorldStream IPv4.26
  1  Xfernet
  1  Yesilbir Bilisim Teknolojileri SAN.TIC.LTD.STI
  1  Zemlyaniy Dmitro Leonidovich
  1  Zerolag Communications, Inc.
  1  eStruxture Data Centers Inc.
  1  iWeb Technologies Inc.
  1  kabelplus GmbH
  1  myNET Internet Solutions
  1  shannon hansen
  1  ssd networks limited
  1  za200.cz s.r.o.