Ransomware gangs are evolving every day. The latest trend suggests that they are after the backup servers or machines that contain backed-up data. Why? Because once these are compromised, their victims have no option but to pay the ransom. In line with this trend, ransomware operators are reported to be exploiting two previously known vulnerabilities in VMware ESXi, tracked as CVE-2019-5544 and CVE-2020-3992, to target their victims' virtual hard disks.
The Two VMware ESXi Vulnerabilities
In October 2020, a Reddit user reported a ransomware attack that encrypted nearly 200 virtual machines (VMs) at the datastore level, with a ransom note left at the root of the datastores. The user further stated that the VMware ESXi management network was not segregated from the VMs, which is how the attackers were able to encrypt the VMs.
Fast forward to January 2020. Another Reddit user found astounding evidence that Brazil's Superior Justice Tribunal (SJT) had been hit by a similar ransomware attack, encrypting nearly 1,000 VMs with the same ransom note. The attack was sophisticated enough that the attackers even went after disk backups. However, some old-school tape backups remained untouched and saved the day for many.
On analyzing these attacks, researchers observed that in both instances the attackers used the CVE-2019-5544 and CVE-2020-3992 vulnerabilities in VMware ESXi. ESXi is a solution that allows multiple virtual machines to share the same hard drive storage.
Dissecting the ESXi Ransomware Attack
The chronology of the ESXi ransomware attack:
- The attackers sent phishing emails to the target organization's employees/users, three of whom unknowingly fell prey by clicking and installing a Trojan.
- The attackers then escalated privileges using CVE-2020-1472. The workstations had anti-virus protection, but at the time it did not have this Trojan's signature (it was released a few days later).
- With Active Directory (AD) admin privileges already in hand, the attackers gained access to hosts that had access to ESXi's management subnet.
- Without having to compromise vCenter, they were able to run arbitrary code on the ESXi hosts using CVE-2019-5544 or CVE-2020-3992.
- This led to the creation of an executable file (written in Python) on the ESXi hosts, which encrypted all the VMs.
Kaspersky, which named it the RansomEXX Trojan, has published a proof-of-concept of how this Trojan works.
Researchers have found the following MD5 and SHA1 hashes in the attacks carried out, which all security teams should note:
- MD5 (svc-new/svc-new) = 4bb2f87100fca40bfbb102e48ef43e65
- MD5 (notepad.exe) = 80cfb7904e934182d512daa4fe0abbfb
- SHA1 (svc-new/svc-new) = 3bf79cc3ed82edd6bfe1950b7612a20853e28b0
- SHA1 (notepad.exe) = 9df15f471083698b818575c381e49c914dee69de
P.S.: svc-new/svc-new, a Python script, was found on the ESXi hosts, and notepad.exe was found on the encrypted Windows servers.
But what if we told you that this ransomware can be avoided in the first place? Here are some suggestions:
- Disable the VMware CIM Server (it is enabled by default).
- Apply least privileges on your Active Directory administration.
- Segregate Admin and Domain admin accounts on Active Directory.
- Establish a Group Policy Object (GPO) set to log out users on inactivity instead of disconnecting them on remote desktop servers.
- Keep and monitor audit trails of Domain Admin accounts.
- Review backup routines. Keep a master backup if possible and make sure it is segregated from the regular backups. Even better, maintain an offsite read-only backup to make sure recovery is possible.
- Set up an isolated network for ESXi/vCenter, reachable only through a jump server, with its access audited.
- Maintain IP access controls for vCenter and ESXi.
- Remove vCenter Active Directory integration and maintain distinct passwords.
- Disable SSH on all ESXi hosts as a precautionary measure.
- Implement usage of canary files monitored by a SIEM.
- Use 2FA wherever possible, especially on admin accounts and high-priority accounts.
- Patch Windows servers, workstations, ESXi servers, backup servers and vCenter frequently. Review failed-patch reports and report failures immediately to the relevant service provider to ensure everything is up to date.
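Canary files monitored by a SIEM, as an added example that is not part of the original article: a small Python monitor that plants canary files at a datastore root, baselines their hashes, and reports tampering, deletion, or a new file appearing at the root (as the ransom note did in the incidents above) as JSON lines a SIEM file collector can ingest. The datastore path and canary file names are assumptions.

```python
import hashlib
import json
import os
from pathlib import Path

# Assumed canary names: chosen to sort first and last in a directory listing,
# so an encryptor walking the datastore root touches one of them early.
CANARY_NAMES = ["00-canary.vmdk", "zz-canary.vmdk"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path) -> dict:
    """Create canary files under root and return a baseline: their hashes
    plus the list of files present at planting time."""
    root.mkdir(parents=True, exist_ok=True)
    hashes = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(b"CANARY " + os.urandom(32))  # unique content per canary
        hashes[name] = sha256_of(p)
    known = sorted(x.name for x in root.iterdir())
    return {"root": str(root), "hashes": hashes, "known_files": known}


def check_canaries(baseline: dict) -> list:
    """Compare the datastore root against the baseline; return alert dicts
    (empty list means nothing changed)."""
    root = Path(baseline["root"])
    alerts = []
    for name, digest in baseline["hashes"].items():
        p = root / name
        if not p.exists():
            alerts.append({"severity": "critical", "event": "canary_missing", "path": str(p)})
        elif sha256_of(p) != digest:
            alerts.append({"severity": "critical", "event": "canary_modified", "path": str(p)})
    # A new file at the datastore root is how the ransom note showed up.
    current = {x.name for x in root.iterdir()}
    for new in sorted(current - set(baseline["known_files"])):
        alerts.append({"severity": "high", "event": "new_file_at_root", "path": str(root / new)})
    return alerts


def alerts_as_siem_lines(alerts: list) -> list:
    # One JSON object per line, the shape most SIEM file collectors ingest.
    return [json.dumps(a, sort_keys=True) for a in alerts]
```

Run `check_canaries` on a schedule (or from a SIEM agent) and forward the returned lines; any non-empty result from the datastore root warrants immediate triage.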