Bitdefender researchers describe opportunistic threat actors abusing CVE-2021-21974 to target VMware ESXi, leveraging OpenSLP (port 427) for pre-auth remote code execution and deploying ESXiArgs ransomware against VM files. The advisory covers attack patterns, observed payloads, detections, and recommended mitigations for internet-exposed ESXi hosts. #CVE-2021-21974 #OpenSLP #ESXiArgs #VMwareESXi #ProxyHell #SupplyChain
Keypoints
- Exploitation of CVE-2021-21974 via OpenSLP on ESXi to achieve remote code execution on exposed hosts.
- Hybrid attack pattern combines automated exploitation with a manual follow-up phase, potentially leveraging compromised smaller entities as supply-chain footholds.
- The OpenSLP service (TCP/UDP 427) is vulnerable on unpatched hosts and is widely internet-exposed; because the flaw requires no authentication, any host reachable on that port can be discovered by a simple SLP probe and exploited directly.
- Observed payloads center on ESXiArgs ransomware targeting VM-related files, with CISA providing recovery scripts.
- Mitigations include blocking port 427 at the perimeter and host firewall, disabling the SLP service on ESXi (VMware's documented workaround where patching is not immediately possible), applying the vendor patches or upgrading to a fixed build, and strengthening detection/response and risk management.
- Detections emphasize file-integrity monitoring of VM files and layered defense, plus threat hunting to uncover actors who already hold a foothold.
MITRE Techniques
- [T1210] Exploitation of Remote Services – The ESXi OpenSLP vulnerability CVE-2021-21974 was exploited to gain pre-auth remote code execution on exposed ESXi hosts. “an easily exploitable pre-authorization remote code execution vulnerability.”
- [T1046] Network Service Scanning – Attacks involve scanning for vulnerable VMware ESXi servers with SLP enabled to identify targets. “scanning for vulnerable VMware ESXi servers with SLP enabled.”
- [T1195] Supply Chain Compromise – Hybrid attacks begin with opportunistic exploits and a compromised small company or contractor can be part of the supply chain for a larger organization. “a compromised small company or contractor can be part of the supply chain for a much larger corporation.”
- [T1505.003] Web Shell – Initial access brokers can deploy a remote webshell to maintain footholds. “Initial access brokers can deploy a remote webshell.”
- [T1562.001] Impair Defenses – Threat actors may disable security measures such as the SLP service to hinder others from exploiting the vulnerability. “disable SLP service to prevent other threat actors from exploiting the same vulnerability.”
- [T1486] Data Encrypted for Impact – ESXiArgs ransomware targets VM files with extensions like *.vmdk, *.vmx, *.vmxf, etc. “ESXiArgs ransomware is targeting virtual machine files with extensions …”
- [T1059.006] Python – Observed payload components include a Python script (.py) used in ESXiArgs operations. “Python script (.py)”
- [T1059.004] Unix Shell – Observed payload components include a shell script (.sh) used in ESXiArgs operations. “Shell script (.sh)”
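The discovery step behind T1046 and the "widely exposed" keypoint above is a plain SLPv2 service request to port 427. The following block is an added example written for this summary; it is not Bitdefender's tooling and not part of OpenSLP or ESXi. It builds a unicast SrvRqst per RFC 2608, parses the SrvRply, and includes a constructed reply builder so the exchange can be exercised offline; the host address and URLs in it are made up. A defender can use the same probe to confirm from outside that a host no longer answers on 427 after SLP has been disabled, and the field layout shows what the request looks like in a packet capture.

```python
"""SLPv2 (RFC 2608) SrvRqst builder and SrvRply parser for port-427 discovery.
Added example for this advisory summary; constants come from RFC 2608, hosts/URLs are made up."""
import socket
import struct

SLP_PORT = 427          # SLP listens on both UDP and TCP 427
SLP_VERSION = 2
FN_SRVRQST = 1          # Service Request
FN_SRVRPLY = 2          # Service Reply
HDR_FIXED = 14          # header bytes preceding the variable-length language tag


def _slp_str(s: str) -> bytes:
    """SLP strings: 2-byte big-endian length followed by UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def _header(function_id: int, xid: int, body_len: int, lang: str = "en") -> bytes:
    total = HDR_FIXED + len(lang.encode("ascii")) + body_len
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")          # Length (24-bit, whole message)
            + struct.pack("!H", 0)               # Flags: unicast, no overflow/fresh/mcast bits
            + (0).to_bytes(3, "big")             # Next Extension Offset
            + struct.pack("!H", xid)             # Transaction ID
            + _slp_str(lang))


def build_srvrqst(xid: int, service_type: str = "service:service-agent",
                  scope: str = "DEFAULT") -> bytes:
    """SrvRqst asking every service agent in scope DEFAULT to announce itself."""
    body = (_slp_str("")            # PRList: previous responders (none)
            + _slp_str(service_type)
            + _slp_str(scope)
            + _slp_str("")          # LDAPv3 predicate (none)
            + _slp_str(""))         # SLP SPI (no authentication requested)
    return _header(FN_SRVRQST, xid, len(body)) + body


def build_srvrply(xid: int, urls, error_code: int = 0, lifetime: int = 0xFFFF) -> bytes:
    """Constructed SrvRply, used only to simulate a responding host offline."""
    body = struct.pack("!HH", error_code, len(urls))
    for url in urls:
        u = url.encode("utf-8")
        # URL entry: reserved(1) lifetime(2) url-len(2) url auth-block-count(1)
        body += struct.pack("!xHH", lifetime, len(u)) + u + b"\x00"
    return _header(FN_SRVRPLY, xid, len(body)) + body


def parse_header(data: bytes):
    """Return (header dict, offset of the function-specific body)."""
    if len(data) < HDR_FIXED:
        raise ValueError("short SLP header")
    length = int.from_bytes(data[2:5], "big")
    flags, = struct.unpack("!H", data[5:7])
    xid, = struct.unpack("!H", data[10:12])
    lang_len, = struct.unpack("!H", data[12:14])
    if length != len(data) or len(data) < HDR_FIXED + lang_len:
        raise ValueError("SLP length field disagrees with datagram size")
    hdr = {"version": data[0], "function": data[1], "flags": flags, "xid": xid,
           "lang": data[HDR_FIXED:HDR_FIXED + lang_len].decode("ascii")}
    return hdr, HDR_FIXED + lang_len


def parse_srvrply(data: bytes):
    """Return (error_code, [(url, lifetime), ...]) from a SrvRply datagram."""
    hdr, off = parse_header(data)
    if hdr["version"] != SLP_VERSION or hdr["function"] != FN_SRVRPLY:
        raise ValueError("not an SLPv2 SrvRply")
    error_code, = struct.unpack("!H", data[off:off + 2])
    off += 2
    if error_code != 0:
        return error_code, []           # RFC 2608: remainder may be truncated on error
    count, = struct.unpack("!H", data[off:off + 2])
    off += 2
    urls = []
    for _ in range(count):
        lifetime, url_len = struct.unpack("!xHH", data[off:off + 5])
        off += 5
        url = data[off:off + url_len].decode("utf-8")
        off += url_len
        n_auth = data[off]
        off += 1
        for _ in range(n_auth):         # skip auth blocks using their own length field
            blk_len, = struct.unpack("!H", data[off + 2:off + 4])
            off += blk_len
        urls.append((url, lifetime))
    return error_code, urls


def probe(host: str, timeout: float = 2.0, xid: int = 0x5150):
    """Send one unicast SrvRqst over UDP/427 and parse the answer (live network only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srvrqst(xid), (host, SLP_PORT))
        data, _ = s.recvfrom(65535)
    hdr, _ = parse_header(data)
    if hdr["xid"] != xid:
        raise ValueError("reply XID does not match our request")
    return parse_srvrply(data)
```

A host that has had SLP disabled should time out in `probe()` rather than answer; a host that still replies with a `service:service-agent://` URL is still advertising the vulnerable service and belongs on the patch-or-isolate list regardless of what the perimeter firewall is believed to block.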
Indicators of Compromise
- [SHA256 Hash] ESXiArgs payload artifacts – 11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66, 773d147a031d8ef06ee8ec20b614a4fd9733668efeb2b05aa03e36baaf082878 and 3 more hashes
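The integrity-monitoring detection in the keypoints, the T1486 file targeting, and the hash IoCs above can be combined into one host-side check. The block below is an added example for this summary, not Bitdefender's tooling and not anything shipped with ESXi. It assumes the VM files of interest sit under one directory tree (for instance a datastore under /vmfs/volumes/, an assumed path) and that a baseline manifest is taken while the host is known-good; it then reports modified, missing and added VM files and hashes every file against the IoC set. The two hashes are the ones quoted on this page; the three further hashes the page elides are not reproduced. The `demo()` scenario and its file names are constructed.

```python
"""VM-file integrity baseline and IoC hash scan (added example, not ESXi or vendor code)."""
import hashlib
import json
import os
import tempfile

# Hashes quoted in this page's IoC list; the three it elides are not reproduced.
KNOWN_BAD_SHA256 = {
    "11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66",
    "773d147a031d8ef06ee8ec20b614a4fd9733668efeb2b05aa03e36baaf082878",
}
# Extensions the advisory names; ESXiArgs targets further VM file types ("etc." above).
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmxf"}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _rel(full: str, root: str) -> str:
    return os.path.relpath(full, root).replace(os.sep, "/")


def build_baseline(root: str, extensions=VM_EXTENSIONS) -> dict:
    """Map each VM file (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in extensions:
                full = os.path.join(dirpath, name)
                manifest[_rel(full, root)] = sha256_file(full)
    return manifest


def save_baseline(manifest: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift; an encryptor rewriting .vmx/.vmdk files shows up under 'modified'."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def scan_for_iocs(root: str, iocs=KNOWN_BAD_SHA256) -> list:
    """Hash every file under root (any extension: dropped payloads are not VM files)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = sha256_file(full)
            if digest in iocs:
                hits.append((_rel(full, root), digest))
    return sorted(hits)


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an encryptor touching the VM."""
    root = tempfile.mkdtemp(prefix="ds-")
    vmdir = os.path.join(root, "vm1")
    os.makedirs(vmdir)
    files = {"vm1.vmx": 'displayName = "vm1"\n', "vm1.vmdk": "# Disk DescriptorFile\n",
             "notes.txt": "not a VM file\n"}
    for name, text in files.items():
        with open(os.path.join(vmdir, name), "w") as f:
            f.write(text)
    baseline = build_baseline(root)
    # Simulated impact: config rewritten, disk descriptor removed, new VM file dropped.
    with open(os.path.join(vmdir, "vm1.vmx"), "w") as f:
        f.write("garbage")
    os.remove(os.path.join(vmdir, "vm1.vmdk"))
    with open(os.path.join(vmdir, "vm1.vmxf"), "w") as f:
        f.write("<Foundry/>")
    result = compare_baseline(baseline, build_baseline(root))
    # Treat the dropped text file as a known-bad sample to exercise the IoC path.
    result["ioc_hits"] = scan_for_iocs(root, {sha256_file(os.path.join(vmdir, "notes.txt"))})
    result["baseline_count"] = len(baseline)
    return result
```

In practice restrict the baseline to the small configuration and descriptor files (.vmx, .vmxf, descriptor .vmdk): the -flat.vmdk data extents of a running VM change constantly and hashing them is expensive, so drift there is expected rather than suspicious. Run the comparison from a scheduled job on a separate system that mounts the datastore read-only, because a scheduler on the compromised host can itself be disabled (T1562.001).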