Ransomware operators are known to exploit vulnerabilities in widely deployed infrastructure, especially in campaigns against enterprises and organizations. Such is the case with two vulnerabilities in VMware ESXi, now being used in the attacks of at least one prominent ransomware gang.
These attacks are linked to the group behind the RansomExx ransomware.
RansomExx was analyzed in November 2020 by Kaspersky researchers, who came across attacks targeting Linux systems. The team discovered a 64-bit ELF executable designed to encrypt data on Linux machines.
The analysis showed that the sample shared many similarities with the previously known Windows family RansomExx, proving that the ransomware had received a Linux build. RansomExx targets large corporations and is considered “a highly targeted Trojan.”
RansomExx operators are using VMware bugs CVE-2019-5544 and CVE-2020-3992
New research now suggests that RansomExx operators are utilizing CVE-2019-5544 and CVE-2020-3992 in VMware ESXi. ESXi is a bare-metal hypervisor: it runs directly on the physical server and partitions its processors, memory, storage, and networking into multiple virtual machines (VMs), whose disk files all live on datastores controlled by the host. Whoever controls the hypervisor therefore controls every VM on it. Interestingly enough, we wrote about one of these two flaws in November, when the official security bulletin was made public. The CVE-2020-3992 vulnerability was discovered in the OpenSLP service of VMware ESXi.
This flaw is a use-after-free (UAF) in ESXi’s implementation of OpenSLP. UAF vulnerabilities stem from incorrect handling of dynamic (heap) memory during a program’s operation: the program frees a block of memory but keeps using a pointer to it. Because the allocator can hand the same block to a later allocation, an attacker who can trigger and shape that later allocation controls what the stale pointer reads or writes, which is how a UAF is turned into code execution. Clearing pointers after free and removing the object from every list that references it are the usual fixes.
As for CVE-2019-5544, “a malicious actor with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service resulting in remote code execution,” VMware explained in the advisory.
Both flaws are reachable by anyone who can send SLP requests to port 427 (TCP or UDP) of a vulnerable ESXi host, which in practice means anyone on the management network. No credentials are required. A successful exploit runs code on the hypervisor itself, beneath every VM, from where the ransomware can encrypt the VM disk files on the datastore directly instead of compromising each guest one by one.
There are indications that the Babuk Locker ransomware gang is carrying out attacks following a similar scenario. However, these attacks haven’t been confirmed yet.
What should sysadmins do to avoid any attacks?
If your company runs VMware ESXi hosts, apply the patches addressing the two flaws immediately: CVE-2019-5544 was fixed in VMSA-2019-0022 (December 2019) and CVE-2020-3992 in VMSA-2020-0023, whose initial October 2020 fix was incomplete and was reissued in November 2020, so make sure you are on the updated build. Another way to prevent exploitation, and a sensible step even on patched hosts, is to disable the SLP service (slpd) and block its CIMSLP firewall ruleset on the host, as described in VMware KB 76372; the trade-off is that SLP-based discovery of the host’s CIM hardware-monitoring interface stops working. Finally, port 427 on ESXi hosts should never be reachable from anything but the management network, and after applying the workaround you should verify from another machine that the host no longer answers on that port.
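The verification step above, as an added example that is not part of the original article or of any VMware tooling: a small Python probe that sends one unicast SLPv2 SrvRqst (RFC 2608) to udp/427 and reports whether the host still answers. A reply of any kind means the SLP service is still exposed; silence until the timeout means it is stopped or filtered. The target address 192.0.2.10 is a placeholder from the TEST-NET-1 range, and the service type "service:service-agent" is the generic SLP discovery query, so it works without knowing which services the host registers.

```python
"""Check whether a host still answers SLP on udp/427 after disabling slpd.

Added example (not from the original article). Builds a raw SLPv2 SrvRqst
per RFC 2608 and parses only the reply header, which is enough to decide
whether the service is exposed. No third-party dependencies.
"""
import socket
import struct
from typing import Optional

SLP_PORT = 427
SLP_VERSION = 2
SRVRQST = 1
FUNCTION_NAMES = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg",
                  5: "SrvAck", 6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert",
                  9: "SrvTypeRqst", 10: "SrvTypeRply", 11: "SAAdvert"}


def _lstr(s: str) -> bytes:
    """Two-byte length prefix plus UTF-8 bytes, the string encoding SLPv2 uses."""
    raw = s.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw


def build_srvrqst(xid: int, service_type: str = "service:service-agent",
                  scope: str = "DEFAULT", lang: str = "en") -> bytes:
    """Serialize an SLPv2 SrvRqst (RFC 2608 sections 8 and 8.1)."""
    body = (_lstr("")             # PRList: previous responders, none yet
            + _lstr(service_type)
            + _lstr(scope)
            + _lstr("")           # LDAP predicate, empty
            + _lstr(""))          # SLP SPI, empty (no authentication)
    total = 14 + len(lang.encode("ascii")) + len(body)
    header = (struct.pack("!BB", SLP_VERSION, SRVRQST)
              + total.to_bytes(3, "big")       # 24-bit total length
              + struct.pack("!H", 0)           # flags: O, F, R all clear (unicast)
              + (0).to_bytes(3, "big")         # next extension offset
              + struct.pack("!H", xid)         # transaction id, echoed in the reply
              + _lstr(lang))                   # language tag
    return header + body


def parse_header(data: bytes) -> dict:
    """Parse the fixed SLPv2 header; raises ValueError on non-SLP or truncated data."""
    if len(data) < 14:
        raise ValueError("too short for an SLPv2 header")
    version, function_id = data[0], data[1]
    if version != SLP_VERSION:
        raise ValueError(f"not SLPv2 (version byte {version})")
    length = int.from_bytes(data[2:5], "big")
    flags = struct.unpack("!H", data[5:7])[0]
    xid = struct.unpack("!H", data[10:12])[0]
    lang_len = struct.unpack("!H", data[12:14])[0]
    if len(data) < 14 + lang_len:
        raise ValueError("truncated language tag")
    return {
        "version": version,
        "function_id": function_id,
        "function": FUNCTION_NAMES.get(function_id, f"unknown({function_id})"),
        "length": length,
        "flags": flags,
        "xid": xid,
        "lang": data[14:14 + lang_len].decode("ascii", "replace"),
        "truncated": length > len(data),   # declared length exceeds what arrived
    }


def probe_slp(host: str, timeout: float = 2.0, xid: int = 0x1337) -> Optional[dict]:
    """Send one SrvRqst to host:427/udp; return the parsed reply header, or
    None if nothing arrives before the timeout (service stopped or filtered)."""
    request = build_srvrqst(xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, SLP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except (socket.timeout, ConnectionRefusedError):
            return None
    reply = parse_header(data)
    if reply["xid"] != xid:
        raise ValueError(f"XID mismatch: sent {xid:#x}, got {reply['xid']:#x}")
    return reply


if __name__ == "__main__":
    import sys
    # Assumed placeholder target (TEST-NET-1); pass the real host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    result = probe_slp(target)
    if result is None:
        print(f"{target}: no SLP reply on udp/427 (service stopped or filtered)")
    else:
        print(f"{target}: SLP still exposed, answered with {result['function']}")
```

Run it from a machine on the management network against each host before and after the change. An SAAdvert or SrvRply back means slpd is still listening and the host remains exposed to both CVEs; the XID check guards against stray datagrams being mistaken for an answer. For a TCP-only filter, repeat the same request over a connected TCP socket, since SLP listens on both transports.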