VMSA-2021-0002 and cryptlocker nevada

Thanks for sharing this.   Made my VMware team aware. 👍🏼

Thanks for the heads up @BertrandFR 

Fresh article in english from OVH:

Ransomware targeting VMware ESXi  - OVHcloud Blog

Edit1: Campagne d’exploitation d’une vulnérabilité affectant VMware ESXi – CERT-FR (ssi.gouv.fr) use translate from browser sorry :(

Update: Not officially confirmed maybe NVD - CVE-2022-31699 (nist.gov) and/or VMSA-2022-0030 (vmware.com) have been used too.

be aware of the weekend's news.

I received a call 15 min ago. One of my customers was attacked

Will be interesting to get all the details. VMSA-2021-0002 is over 2 years old and all environments should already have received the patches.

Having used OVH in the past, they put the VMKernel onto WAN by default with management enabled, and how I wish people would secure that 😔 even outside ESXi you can enable OVH’s firewall to block external access to this except via specific IP addresses.

Feels like their deployment templates should at least be trying to default restrict access to the ESXi management to a smaller scope than the whole web 😆

Unfortunately most people using services like OVH aren’t then using any shared storage between the hosts, so they’re less likely to have a vCenter managing them, if they have multiple, and even less likely to do proper patching as a result as it’d be bringing all VMs down

Only dedicated hosts have been impacted, indeed the security of the machines is the responsibility of the customer… Another good example that the cloud is not magic.

Any hoster like OHV should at least apply security best practices and scan the customer environments for vulnerabilities. At least that's my opionion as I wouldn't want to host spam relays, botnets, etc.

Thx for sharing @BertrandFR !

Not sure it will cost money, nothing is free...

Well, CVEs was from February 2021 and patched since that month.

Only ESXi > 6 and < 6.7.

It use an open port 427, so only the servers exposed on the WAN on that port are vulnerable to this worldwide attack.

For those infected, a researcher has created a guide to recover encrypted VMs:

On this link there’s a detailed tech analisys on this type of attack.

For people in the need to decrypt your vmdk affected by CVE-2020-3992 you could use the tuto linked by @marcofabbri https://enes.dev/

But be careful there are some new variants:
https://www.helpnetsecurity.com/2023/02/06/nevada-ransomware-upgraded-locker/

Resecurity has identified a new version of Nevada ransomware which recently emerged on the Dark Web right beore the start of 2023

Well, we are all good for patching for this one which is a relief.  😁

Hosting vulnerable software and applying bad security pratices damages your reputation and therefore also costs money 😉

Here's a short response from VMware on the attacks: https://blogs.vmware.com/security/2023/02/83330.html

VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks. Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed

So to summarize.

• Don't leave critical vulnerabilities unpatches
• Don't use End of Life software
• Don't open critical services to the internet

More here: https://www.theregister.com/2023/02/06/esxi_ransomware_campaign/

CISA has made a decryption tool available here: https://www.cisa.gov/uscert/ncas/current-activity/2023/02/07/cisa-releases-esxiargs-ransomware-recovery-script

Came here to share this, you beat me to it 👏

As for OVH’s reputation @regnor, you saw the massive DC fire the other year right? 😬

fyi

Global Ransomware Attack on VMware EXSi Hypervisors Continues to Spread (darkreading.com)