More than 18,500 ESXi servers still vulnerable to VMware bug behind initial ransomware spree

Multiple warnings from several of the biggest cybersecurity agencies in the world over the last week have not motivated some organizations to patch a security issue being exploited as part of the ESXiArgs ransomware campaign.

Cybersecurity firm Rapid7 said its Project Sonar telemetry showed that 18,581 VMware ESXi servers are still vulnerable to CVE-2021-21974 — a 2-year-old vulnerability being exploited by unknown cybercriminals. VMware issued a patch soon after the bug was discovered.

The situation has stayed in the headlines over the last week and caused ransomware infections at more than 3,800 organizations across the United States, France, Italy and more. According to a Reuters analysis, the victims included Florida’s Supreme Court, the Georgia Institute of Technology, Rice University and several schools in Hungary and Slovakia.

But as of Thursday evening, Rapid7 said there are still at least 18,581 vulnerable internet-facing ESXi servers. The company used Project Sonar to conduct an internet-wide survey of more than 70 different services and protocols “to gain insights into global exposure to common vulnerabilities.” Rapid7 did not offer data about how many organizations are still exposed.

“We have also observed additional incidents targeting ESXi servers, unrelated to the ESXiArgs campaign, that possibly also leverage CVE-2021-21974. RansomExx2 — a relatively new strain of ransomware written in Rust and targeting Linux has been observed exploiting vulnerable ESXi servers,” Rapid7’s Erick Galinkin explained.

Tony Lauro, director of security technology and strategy at Akamai, urged organizations to update their servers to the latest version of ESXi software, disable the Service Location Protocol service that is affected by the vulnerability and ensure the ESXi hypervisor is not exposed to the public internet. Hypervisor software is used to create and manage virtual machines on servers, making it a potentially powerful tool for intruders.

Most victims have reported seeing a ransom note asking for $50,000 worth of Bitcoin — a relatively small amount compared to the typical ransoms demanded by cybercrime groups. 

“While the dollar impact of this particular breach may seem low, cyber attackers continue to plague organizations via death by a thousand cuts,” Lauro said. 

“The ESXiArgs ransomware is a prime example of why system administrators need to implement patches quickly after they are released, as well as the lengths that attackers will go to in order to make their attacks successful. However, patching is just one line of defense to rely on.”

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a decryptor for organizations affected by the ESXiArgs ransomware.

But by Wednesday evening, BleepingComputer reported that the actors behind the ESXiArgs campaign had modified the ransomware so that the CISA-issued decryptor no longer worked on freshly infected machines. 

Ransomware research project Ransomwhere said 1,252 servers have been infected by the new version of ESXiArgs.

"Of these, 1,168 are reinfections. The new version now represents 83% of live infections," they said.

Based on more complete Censys and Shodan data:

• A total of 1,252 servers have been infected by the new version of ESXiArgs
• Of these, 1,168 are reinfections
• The new version now represents 83% of live infections

Patch and/or disconnect ESXi ASAP if you have not already.

— Ransomwhere (@ransomwhere_) February 9, 2023

In addition to the new strain of ESXiArgs being used in attacks, some cybersecurity experts said they are seeing incidents that do not involve the exploitation of CVE-2021-21974.

Scott Walsh, senior security engineer at cyber insurance firm Coalition, said that in this second wave of attacks, there is increasing skepticism that CVE-2021-21974 is the attack method because there are multiple reports of compromises that occurred without the underlying service with the CVE being exposed. 

“These hosts are being exploited in some other way, and it’s surprising that it is taking this long to determine the root cause and what is actually happening,” he said. 

“This kind of attack was bound to happen – these services should never be on the internet. The internet-exposed VMware ESXi management interfaces are an incredibly high-value target for attackers because they could provide access to hundreds (or thousands) of hosted virtual machines with one exploit, potentially debilitating an organization if attackers can deny access.”