Vulnerabilities in VMWare ESXi are exploited to encrypt virtual disks

ZDNet warns that at least one hack group is using vulnerabilities in VMWare ESXi to attack virtual machines and then encrypt virtual disks. For the first time, such attacks were noticed last fall, and then they were associated with the activity of the RansomExx malware operators.

Several information security experts, with whom the journalists spoke, believe that the criminals are abusing the CVE-2019-5544 and CVE-2020-3992 bugs found in VMWare ESXi. As a reminder, this solution allows multiple virtual machines to share the same hard disk storage.

Both of the above vulnerabilities are related to the SLP protocol, which is used by devices on the same network to discover each other. In essence, bugs allow hackers on the same network to send malicious SLP requests to an ESXi device and take control of it.

For example, RansomExx operators gained access to a device on the corporate network and then used it to further attacks on local ESXi instances and encrypt virtual hard disks used to store data from different virtual machines. Attacks like these can cause a true chaos in a company, as ESXi virtual disks are typically used to centralize data from many other systems.

Information about such incidents has appeared more than once on Reddit, Twitter, and the attacks were mentioned by experts at information security conferences.

“Ransomware group using them to bypass all Windows OS security, by shutting down VMs and encrypting the VMDK’s directly on hypervisor. They’re pre-auth RCE bugs you can exploit from other appliances (eg VPN firewalls at border). A better way to do it would be to mount NTFS volumes in VMDK files of AD servers and modify GPO to distribute wares, but I don’t think attackers near that ability”, — for example, told the information security specialist Kevin Beaumont.

It is reported that at least one group, RansomExx (aka Defray777), uses such a trick, but last month the authors of the Babuk Locker ransomware also mentioned similar functions in their malware, although no confirmed attacks have yet been found.

System administrators using VMWare ESXi are advised to install patches, or disable SLP support to prevent attacks if the protocol is not used.

Let me remind you that we talked that VMware patches 0-day vulnerability discovered by NSA, as well as about the fact that OSR specialists released an unofficial patch for NTFS bug in Windows 10.