Security researchers warn of a widespread ESXiArgs ransomware campaign exploiting CVE-2021-21974 in VMware ESXi, with warnings issued starting February 3. SecurityScorecard’s STRIKE and ASI analyses reveal affected ESXi versions and IPs involved in potential exploitation, plus guidance to patch and reduce exposure. #ESXiArgs #VMwareESXi
Key points
- ESXiArgs is a ransomware campaign exploiting CVE-2021-21974 in VMware ESXi, with patches available since February 2021.
- Initial attribution debates included OVH linking to the Nevada group, but attribution was retracted; ESXiArgs is tracked separately from Nevada, with other groups (Royal, Black Basta, LockBit, etc.) also observed targeting ESXi in different years.
- Attack Surface Intelligence (ASI) indicates ESXi is widely deployed, detected at 139,491 IP addresses globally.
- STRIKE used ASI and global netflow to identify potentially affected IPs (France, Italy, UK) and to collect traffic samples to identify ESXiArgs activity.
- Netflow analysis highlighted specific IPs (e.g., 161.47.17[.]28) as most likely reflecting ESXiArgs activity and found overlaps with prior ransomware investigations across several IPs.
- Recommendations include applying patches, deactivating OpenSLP if patching isn’t possible, maintaining backups, limiting exposure, and monitoring network traffic.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of a VMware ESXi vulnerability CVE-2021-21974 to spread ransomware. Quote: ‘exploiting CVE-2021-21974, a VMWare ESXi vulnerability’
- [T1486] Data Encrypted for Impact – The ransomware encrypts files and creates a file with a .args extension after encryption. Quote: ‘creates a file with a .args extension once it encrypts a file’
- [T1046] Network Service Discovery – Attack Surface Intelligence (ASI) identifies IP addresses and ESXi versions to locate potentially affected assets. Quote: ‘Attack Surface Intelligence (ASI) results to identify IP addresses from which to collect a sample of traffic that may reflect ESXiArgs activity’
- [T1071] Command and Control – Netflow analysis shows communication between target IP addresses and infrastructure involved in the exploitation. Quote: ‘communication between target IP addresses and infrastructure involved in the exploitation of this vulnerability’
Indicators of Compromise
- [IP Address] Potential ESXiArgs activity – 161.47.17[.]28, and 2 more IPs (observed in samples across French, Italian, and British targets)
- [IP Address] Overlaps with prior ransomware activity – 143.198.7[.]33, 159.89.246[.]130, and 2 more IPs
- [IP Address] Additional suspected addresses linked to VirusTotal/previous investigations – 159.89.188[.]11, 41.94.22[.]2, and 2 more IPs
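The two recommendation threads above, monitor network traffic and, where patching is impossible, disable OpenSLP, can be turned into a small triage pass over flow records. The script below is an added example and is not code from SecurityScorecard or the post; it refangs the named indicators from the IoC list (the unnamed "and 2 more IPs" entries are not reproduced), matches them against netflow-style records, and separately flags inbound TCP/427 (the OpenSLP port, the service CVE-2021-21974 lives in) from addresses outside a set of assumed internal ranges. The record format and the sample flows are constructed for the demonstration.

```python
"""Triage netflow-style records against the ESXiArgs indicators listed in the
post and flag external traffic to the OpenSLP port on ESXi hosts.

Added example, not the post's or SecurityScorecard's own tooling. Record
format (constructed): "src,dst,dport,proto" per line.
"""
import ipaddress
from dataclasses import dataclass


def refang(addr: str) -> str:
    """Turn a defanged '1.2.3[.]4' into a comparable '1.2.3.4'."""
    return addr.replace("[.]", ".")


# Indicators named in the post, refanged; categories mirror the IoC list.
ESXIARGS_IOCS = {
    refang("161.47.17[.]28"): "potential ESXiArgs activity",
    refang("143.198.7[.]33"): "overlap with prior ransomware activity",
    refang("159.89.246[.]130"): "overlap with prior ransomware activity",
    refang("159.89.188[.]11"): "suspected (VirusTotal/previous investigations)",
    refang("41.94.22[.]2"): "suspected (VirusTotal/previous investigations)",
}

SLP_PORT = 427  # OpenSLP (slpd) listens here on ESXi; CVE-2021-21974 is in this service

# Assumed internal ranges; adjust to the environment being monitored.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src,dst,dport,proto' record."""
    src, dst, dport, proto = (f.strip() for f in line.split(","))
    # ip_address() raises ValueError on garbage, which is what we want on bad input.
    ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    return Flow(src, dst, int(dport), proto.lower())


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> list[str]:
    """Return human-readable findings for one flow (empty list if nothing matches)."""
    findings = []
    # Rule 1: either endpoint is a listed indicator.
    for side, addr in (("src", flow.src), ("dst", flow.dst)):
        if addr in ESXIARGS_IOCS:
            findings.append(f"{side} {addr}: {ESXIARGS_IOCS[addr]}")
    # Rule 2: OpenSLP reachable from outside the internal ranges. This is
    # exposure, not proof of compromise, but it is exactly what the post's
    # "limit exposure / deactivate OpenSLP" advice is about.
    if flow.proto == "tcp" and flow.dport == SLP_PORT and not is_internal(flow.src):
        findings.append(f"inbound TCP/{SLP_PORT} (OpenSLP) from external {flow.src}")
    return findings


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each record that produced findings to its findings."""
    results = {}
    for line in lines:
        findings = classify(parse_flow(line))
        if findings:
            results[line] = findings
    return results


# Constructed sample records: an external host hitting SLP on an ESXi host,
# the ESXi host talking to a listed indicator, internal SLP chatter, and
# ordinary outbound HTTPS.
SAMPLE_FLOWS = [
    "203.0.113.10,10.0.0.5,427,tcp",
    "10.0.0.5,161.47.17.28,443,tcp",
    "10.0.0.7,10.0.0.5,427,tcp",
    "10.0.0.5,198.51.100.4,443,tcp",
]

if __name__ == "__main__":
    for record, findings in triage(SAMPLE_FLOWS).items():
        print(record)
        for f in findings:
            print("   ", f)
```

Only the first two sample records produce findings: the external connection to TCP/427 and the flow to 161.47.17.28. Internal SLP traffic is left alone by design, since the point of the second rule is Internet exposure of the vulnerable service, and a real deployment would feed this from an exported netflow file rather than the inline list.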