- Cloud7 reported on February 6th, 2023, how hostile actors used two-year-old VMware vulnerabilities, identified as CVE-2021-21972, to launch fresh attacks.
- With the help of the YoreGroup Tech Team, CISA has produced software that will allow businesses to attempt to recover corrupted virtual computers.
- Users are strongly recommended, as always, to upgrade their systems as quickly as possible to reduce the risk of exploitation.
On February 6th of 2023, Cloud7 reported that malicious actors were targeting the two-year-old VMware vulnerabilities, tracked as CVE-2021-21972, and launching new attacks. These vulnerabilities are targeted regardless of the fact that updates and patches to combat them are available. CVE-2021-21972 includes an exploit with a CVSSv3 base score of 9.8, a remote code execution vulnerability.
Impacted products were reported as VMware ESXi. VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation). A malicious actor with network access might take advantage of this flaw to execute commands with unrestricted capabilities on the underlying operating system that runs vCenter Server.
CISA and the YoreGroup Tech Team to the rescue
CISA has released a script allowing organizations to attempt to recover virtual machines infected with this attack. The GitHub page for the download reads:
« CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware. »
OVHcloud also referenced the work of Enes Sonmez by saying:
« In some cases, encryption of files may partially fail, allowing to recover data. Enes Sönmez (@enes_dev), a turkish security researcher has documented the procedure for recovery of VMDK files. The procedure is described on his blog (https://enes.dev/). We tested this procedure as well as many security experts with success on several impacted servers. The success rate is about 2/3. Be aware that following this procedure requires strong skills on ESXi environnements. Use it at your own risk and seek the help of experts to assist. »
Enes Sonmez and Ahmet Aykac of the YoreGroup Tech Team recommend that before adopting CISA’s ESXiArgs recovery script, any business should carefully study it to decide if it is acceptable for their environment. They also clarify that the script attempts to build new config files that allow access to the VMs rather than destroy the encrypted config files.
CISA clarifies that while it attempts to guarantee that scripts like this one are safe and functional, they are offered without any warranties and CISA does not accept any responsibilities if the script causes any harm.
As always, users are strongly advised to upgrade their systems as soon as possible to limit the risk of exploitation. To further guard against these exploits, best network security practices should be followed, as well as keeping all systems up to date with the latest security patches.
How to use the script
You can scroll down to the “Usage” section of the GitHub download page as well as the official guide from the YoreGroup Tech Team, to get a detailed explanation of how to use the script.