- In 2021, VMware disclosed several vulnerabilities in its products that could be used to attack computers, and recently hackers have been spotted exploiting these same vulnerabilities in a new wave of attacks.
- Although patches have been available for the 2-year-old vulnerability, malicious actors are suspected of targeting it once again to execute commands remotely and infect machines.
- Although no OVHcloud services are impacted, OVHcloud published guidance that might help users who have been victims of this new wave of attacks.
VMware is a virtualization software company whose products allow users to run multiple operating systems on a single machine. The software lets users create virtual machines, self-contained computers that run their own operating systems. Back in 2021, VMware reported several vulnerabilities, tracked as CVE-2021-21972, for which updates and patches are already available. Even so, hackers are now suspected of deploying a new wave of attacks using the same vulnerabilities. CVE-2021-21972 is a remote code execution vulnerability with a CVSSv3 base score of 9.8.
Details on the vulnerability
Although no OVHcloud services are impacted, OVHcloud reports that, since many customers run this operating system on their own servers, it has provided guidance to help users who might be affected. So far it has identified the following behavior from the attacks:
- The compromise vector is confirmed to be an OpenSLP vulnerability, possibly CVE-2021-21974 (still to be confirmed). The logs show the user dcui as involved in the compromise process.
- Encryption uses a public key deployed by the malware in /tmp/public.pem.
- The encryption process specifically targets virtual machine files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, “.vmem”).
- The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This does not always work as expected, resulting in files remaining locked.
- The malware creates an argsfile to store the arguments passed to the encrypt binary (number of MB to skip, number of MB per encryption block, file size).
- No data exfiltration occurred.
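The findings above give a responder a few concrete things to look for on a host: the /tmp/public.pem key file, an argsfile dropped next to the VM files, and the set of targeted extensions. The script below is an added example (not OVHcloud's, VMware's or the malware's code) that inventories those artifacts under a datastore directory and parses the argsfile. Two things are assumptions: that the argsfile holds its three values as whitespace-separated integers (the page names the values but not their layout), and that the encryptor alternates "encrypt one block, skip the given number of MB" from offset 0, which is used only to estimate how much of a disk image may be untouched before a recovery attempt like the one OVHcloud references.

```python
"""Triage helper for the ESXi file-encryption campaign described above.

Added example, not OVHcloud's or VMware's code. It walks a directory,
inventories files with the targeted extensions, flags any 'argsfile',
parses it (assumed layout: three whitespace-separated integers: MB to
skip, MB per encryption block, file size) and estimates the share of a
file left untouched under an assumed alternating block/skip stride.
"""
import tempfile
from pathlib import Path

# Extensions listed in the OVHcloud findings as targets of the encryption.
TARGETED_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
                       ".vswp", ".vmss", ".nvram", ".vmem"}
ARGSFILE_NAME = "argsfile"              # name from the page; location beside the VM files is assumed
PUBLIC_KEY_PATH = Path("/tmp/public.pem")  # key file location from the page
MB = 1024 * 1024


def parse_argsfile(text: str) -> dict:
    """Parse the three values the page says the argsfile holds (layout assumed)."""
    parts = text.split()
    if len(parts) != 3:
        raise ValueError(f"unexpected argsfile content: {text!r}")
    skip_mb, block_mb, file_size = (int(p) for p in parts)
    return {"skip_mb": skip_mb, "block_mb": block_mb, "file_size": file_size}


def encrypted_ranges(skip_mb: int, block_mb: int, file_size: int) -> list:
    """Byte ranges touched if the encryptor encrypts block_mb, then skips
    skip_mb, starting at offset 0. This stride pattern is an assumption."""
    if block_mb <= 0 or skip_mb < 0:
        raise ValueError("block size must be positive and skip non-negative")
    ranges, pos = [], 0
    while pos < file_size:
        end = min(pos + block_mb * MB, file_size)
        ranges.append((pos, end))
        pos = end + skip_mb * MB
    return ranges


def untouched_fraction(skip_mb: int, block_mb: int, file_size: int) -> float:
    """Share of the file the assumed stride never writes to (0.0 .. 1.0)."""
    if file_size <= 0:
        return 0.0
    encrypted = sum(end - start for start, end in encrypted_ranges(skip_mb, block_mb, file_size))
    return 1.0 - encrypted / file_size


def triage_datastore(root: Path) -> dict:
    """Inventory targeted VM files and argsfiles under root; note the key file."""
    report = {"vm_files": [], "argsfiles": [],
              "key_file_present": PUBLIC_KEY_PATH.exists()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == ARGSFILE_NAME:
            try:
                args = parse_argsfile(path.read_text())
            except ValueError:
                args = None  # keep the hit even if the layout assumption is wrong
            report["argsfiles"].append({"path": str(path), "args": args})
        elif path.suffix.lower() in TARGETED_EXTENSIONS:
            report["vm_files"].append(str(path))
    report["vm_files"].sort()
    return report


def demo() -> dict:
    """Build a constructed datastore layout in a temp dir and triage it."""
    base = Path(tempfile.mkdtemp(prefix="esxi-triage-"))
    vm = base / "vm01"
    vm.mkdir()
    (vm / "vm01.vmx").write_bytes(b"constructed vmx")     # constructed sample
    (vm / "vm01.vmdk").write_bytes(b"\0" * 4096)          # constructed sample
    (vm / "vm01.log").write_text("not a targeted extension")
    # Constructed argsfile: skip 1 MB, 1 MB blocks, 10 MiB file size.
    (vm / ARGSFILE_NAME).write_text("1 1 10485760\n")
    report = triage_datastore(base)
    args = report["argsfiles"][0]["args"]
    report["untouched_fraction"] = untouched_fraction(
        args["skip_mb"], args["block_mb"], args["file_size"])
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed sample triaged; on a real host, point triage_datastore at a datastore mount point. The untouched-fraction number is only a planning aid: whether a specific VMDK is recoverable still depends on which structures the encrypted ranges hit, which is why OVHcloud reports a success rate of about 2/3 for the referenced procedure rather than a guarantee.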
OVHcloud adds:
« In some cases, encryption of files may partially fail, allowing data to be recovered. Enes Sönmez (@enes_dev), a Turkish security researcher, has documented the procedure for recovery of VMDK files. The procedure is described on his blog (https://enes.dev/). We tested this procedure, as did many security experts, with success on several impacted servers. The success rate is about 2/3. Be aware that following this procedure requires strong skills on ESXi environments. Use it at your own risk and seek the help of experts to assist. »
Impacted Products
- VMware ESXi.
- VMware vCenter Server (vCenter Server).
- VMware Cloud Foundation (Cloud Foundation).
As usual, restricting IP access to trusted sources only and updating to the latest version of ESXi are good ways to help protect yourself from potential threats.