What Is Continuous Threat Exposure Management (CTEM)?

Huseyin Can YUCEEL | February 23, 2023
In the first week of February 2023, CISA, FBI, and CERT-FR published security advisories on ESXiArgs ransomware that exploits known vulnerabilities in unpatched VMware ESXi servers [1][2]. CISA estimates that more than 3800 servers are infected, mainly located in France, Germany, the US, Canada, and the Netherlands.
Picus Threat Library already had attack simulations for vulnerabilities exploited by the ESXiArgs ransomware. In this blog, we explain how ESXiArgs ransomware works and how threat actors abuse these vulnerabilities for ransomware attacks.
ESXiArgs ransomware is a ransomware variant that mainly targets organizations using unpatched or end-of-life (EOL) versions of VMware ESXi servers. ESXiArgs ransomware attacks were first observed in October 2022, and the number of attacks dramatically increased in February 2023. The ransomware threat actors mainly target organizations in France, Germany, the United States, Canada, and the Netherlands.
Several ransomware variants have been labelled ESXiArgs ransomware; they share similar traits.
ESXiArgs ransomware exploits an unauthenticated remote code execution vulnerability that was discovered two years ago. CVE-2021-21972 affects the ESXi versions listed below and has a CVSS score of 9.8 (Critical).
Affected Product | Vulnerable Versions | Patched Versions
VMware ESXi | version 7.x, version 6.7.x, version 6.5.x | version 7.0U1c or later, version 6.7U3l or later, version 6.5U3n or later
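As an added example (not code from the original post or from Picus), the following Python turns the version table above into an inventory check: it parses release strings in the form the table uses (7.0U1c, 6.7U3l, 6.5U3n), compares each host against the minimum patched release of its branch, and flags hosts below it or on branches the table does not cover. The inventory is constructed sample data; comparing by build number, which is the authoritative way to check a real host, is an assumption left out of scope here.

```python
import re

# Minimum patched release per ESXi branch, as listed in the table above.
PATCHED = {(7, 0): "7.0U1c", (6, 7): "6.7U3l", (6, 5): "6.5U3n"}

# Accepts "7.0", "7.0.0", "6.7U3", "6.5U3n"; a trailing ".0" is tolerated
# because `vmware -v` prints e.g. "VMware ESXi 6.7.0 build-...".
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(?:U(\d+)([a-z])?)?$")


def parse_version(s):
    """Return (major, minor, update, letter); letter is 0 if absent, 1 for 'a'."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised ESXi version string: {s!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor), int(update) if update else 0,
            ord(letter) - ord("a") + 1 if letter else 0)


def is_patched(version):
    """True/False against the table; None when the branch is not listed
    (e.g. an EOL 6.0 host), which still deserves a manual look."""
    parsed = parse_version(version)
    floor = PATCHED.get(parsed[:2])
    return None if floor is None else parsed >= parse_version(floor)


def triage(inventory):
    """Group (hostname, version) pairs into hosts below the patched release
    and hosts on branches the table does not cover."""
    result = {"vulnerable": [], "unknown": []}
    for host, version in inventory:
        state = is_patched(version)
        if state is False:
            result["vulnerable"].append(host)
        elif state is None:
            result["unknown"].append(host)
    return result


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("esx01", "7.0U1c"),  # exactly the patched release
    ("esx02", "7.0U1b"),  # one letter release short
    ("esx03", "6.7U3l"),
    ("esx04", "6.7.0"),   # base 6.7, no update designation
    ("esx05", "6.5U3n"),
    ("esx06", "6.0U3"),   # EOL branch, not in the table
]
```

Running `triage(SAMPLE_INVENTORY)` lists esx02 and esx04 as vulnerable and esx06 as unknown; an unknown branch should be treated as a finding, not a pass.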
Although exploiting CVE-2021-21972 was not the only initial access method, the common initial access vector observed in ESXiArgs ransomware attacks was VMware ESXi servers. For this reason, organizations are advised to:
We also strongly suggest simulating ESXiArgs ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware, such as BlackByte, Maui, and Zeppelin, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for ESXiArgs ransomware:
Threat ID | Threat Name | Attack Module
93000 | ESXi Args Ransomware Download Threat | Network Infiltration
57787 | ESXi Args Ransomware Email Threat | Email Infiltration (Phishing)
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address ESXiArgs ransomware and other ransomware attacks in preventive security controls. Picus Labs has currently validated the following signatures for ESXiArgs ransomware:
Security Control | Signature ID | Signature Name
Check Point NGFW | 09CB1BEA6 | Ransomware.Linux.ESXiArgs.TC.3b5aJOSg
Cisco Firepower | Auto.11B1B2.261543.in02 |
Forcepoint NGFW | File_Malware-Blocked |
Fortigate AV | 10123319 | Python/ESXiArgs.VMVS!tr.ransom
Fortigate AV | 10123245 | ELF/Filecoder.85D3!tr.ransom
Palo Alto NGFW | 571137464 | trojan/Linux.uselvb423.a
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.
References
[1] "ESXiArgs Ransomware Virtual Machine Recovery Guidance." [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa23-039a. [Accessed: Feb. 23, 2023]
[2] "[MàJ] Campagne d'exploitation d'une vulnérabilité affectant VMware ESXi – CERT-FR." [Online]. Available: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/. [Accessed: Feb. 23, 2023]