CISA, FBI release ESXiArgs ransomware virtual machine recovery guidance after publishing recovery script

U.S. security agencies rolled out a joint Cybersecurity Advisory (CSA) on Wednesday in response to the ongoing ESXiArgs ransomware campaign. Hackers could be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. Furthermore, the ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable.

The advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) identified that ESXiArgs hackers have compromised over 3,800 servers globally. CISA and FBI encourage organizations managing VMware ESXi servers to update servers to the latest version of VMware ESXi software, harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and ensure that the ESXi hypervisor is not exposed to the public internet. 

On Tuesday, the CISA released an ESXiArgs recovery script on GitHub that allows organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. 

“CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is fit for attempting to recover access to files in their environment,” it said on Tuesday. The agency “compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware,” according to the GitHub post.

The agency said that its CISA ESXiArgs script is based on findings published by the third-party researchers. “Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system,” the joint advisory added.

The CISA and FBI disclosed that open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. “The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.”

ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable, the advisory added. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, and vmem.

“Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files,” the advisory said. “As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented automates the process of recreating configuration files.”

As part of its recovery guidance to organizations, the CISA-FBI advisory suggests quarantining or taking affected hosts offline to ensure that repeat infection does not occur, downloading CISA’s recovery script, and giving the script execute permissions. It also recommends navigating to the folder of a VM that the organization would like to recover, running ‘ls’ to view the files, and then running the recovery script.

The advisory also suggests re-registering the VM if the script succeeded. Lastly, it called for updating servers to the latest software version, disabling the SLP service, and ensuring that the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online.

Although the CISA and FBI have not seen any evidence that the ESXiArgs ransomware hackers have established persistence, they call upon organizations to review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity, and to review traffic from network segments occupied by the ESXi hosts and guests. They also recommend considering restrictions on non-essential traffic to and from these segments.

The U.S. security agencies recommend that organizations temporarily remove connectivity for the associated ESXi server(s), upgrade their ESXi servers to the latest version of VMware ESXi software, and harden ESXi hypervisors by disabling the SLP service, which ESXiArgs may leverage. They also recommend ensuring that the ESXi hypervisor is not configured to be exposed to the public internet.

The CISA-FBI advisory advised organizations to maintain offline backups of data, regularly test backup and restoration, and ensure that all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. It also suggests creating, maintaining, and exercising a basic cyber incident response plan and an associated communications plan that includes response procedures for a ransomware incident.

The guidance also included restricting the Server Message Block (SMB) protocol within the network to access only the servers that are necessary, and removing or disabling outdated versions of SMB. It also suggests reviewing the security posture of third-party vendors and those interconnected with the organization, implementing allow-listing policies for applications and remote access that only permit systems to execute known and permitted programs, and implementing user training programs and phishing exercises to raise awareness.

Last month, the CISA coordinated with the Homeland Security Systems Engineering and Development Institute (HSSEDI) to update the Best Practices for MITRE ATT&CK Mapping. The new version covers common analytical biases, mapping mistakes, and specific MITRE ATT&CK for ICS (industrial control systems), and changes made to the framework since CISA initially published the best practices in June 2021.
