
ESXiArgs: The Consequences of Infection
ESXiArgs is a ransomware strain reported to have infected over 3,000 hosts in several countries, including France, Germany, the Netherlands, the U.K., and Ukraine. The ransomware is suspected to be based on the leaked Babuk ransomware code and is believed to target end-of-life ESXi servers, or ESXi servers that do not have the available ESXi patches applied. The single CVE listed below, CVE-2021-21974, is a heap-overflow vulnerability in the OpenSLP service that ESXi exposes on port 427, which is why the mitigations that follow centre on patching and on disabling SLP.
Indicators of Compromise
The indicators below are reproduced from the source feed; the domain, hash and IP lists were run together in the original and have been split back into one entry per line. Vet them before turning them into block rules: the domain list in particular contains security-vendor sites (northwave-security.com, bruteratel.com) that look like report-derived mentions rather than attacker infrastructure.

Domains (8)
- nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd.onion (listed twice in the source, once as an http URL)
- aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion
- danimos.com
- gerhiles.com
- zedorocop.com
- northwave-security.com
- bruteratel.com

Hashes (47)
(The 47 hashes are not reproduced on this page.)

IPv4 (177), first 20 shown
- 189.19.189.222
- 71.10.27.196
- 181.118.183.123
- 68.53.110.74
- 68.151.196.147
- 109.200.165.82
- 154.238.151.197
- 72.88.245.71 (the source runs this and the next address together; the pair could also be read as 72.88.245.7 and 168.50.190.55)
- 68.50.190.55
- 78.182.113.80
- 181.231.229.133
- 181.81.116.144
- 64.207.215.69
- 31.166.116.171
- 177.255.14.99
- 81.214.220.237
- 154.181.203.230
- 85.114.110.108
- 99.232.140.205
- 138.0.114.166
+157 more

CVEs (1)
- CVE-2021-21974 (heap overflow in the OpenSLP service of ESXi, reachable over port 427)
<div><b>Mitigations</b> (from CISA/FBI Alert <a href="https://www.cisa.gov/uscert/ncas/alerts/aa23-039a">AA23-039A</a>)</div>
<div><b>Note</b>: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see <a href="https://www.cisa.gov/cpg">cisa.gov/cpg</a>.</div>
<div>CISA and FBI recommend all organizations:</div>
<ul>
<li>Temporarily remove connectivity for the associated ESXi server(s).
<ul>
<li><b>Upgrade your ESXi servers to the latest version of VMware ESXi software</b> <a href="https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf">[CPG 5.1]</a>. ESXi releases are cumulative, and the latest builds are documented in VMware's article, Build numbers and versions of VMware ESXi/ESX.</li>
<li><b>Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service</b>, which ESXiArgs may leverage. For the steps, see VMware's guidance <a href="https://kb.vmware.com/s/article/76372">How to Disable/Enable the SLP Service on VMware ESXi</a>. Disabling SLP is a workaround, not a fix: it removes the service that CVE-2021-21974 targets, but the host still needs the patch. CIM clients that use SLP to discover the host's CIM server (typically hardware-monitoring agents) will lose that discovery, so confirm nothing depends on it before leaving SLP off.</li>
<li><b>Ensure your ESXi hypervisor is not configured to be exposed to the public internet.</b></li>
</ul>
</li>
</ul>
<div>In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.</div>
<div><b>Preparing for Ransomware</b></div>
<ul>
<li>Maintain offline backups of data, and regularly test backup and restoration <a href="https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf">[CPG 7.3]</a>. These practices safeguard an organization's continuity of operations, or at least minimize potential downtime from a ransomware incident, and protect against data loss.</li>
<li>Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization's data infrastructure.</li>
<li>Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident <a href="https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf">[CPG 7.1, 7.2]</a>.</li>
</ul>
<div><b>Mitigating and Preventing Ransomware</b></div>
<ul>
<li>Restrict Server Message Block (SMB) Protocol within the network to only the servers that need it, and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.</li>
<li><a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf">Require phishing-resistant MFA</a> for as many services as possible <a href="https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf">[CPG 1.3]</a>, particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.</li>
<li>Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.</li>
<li>Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs.</li>
<li>Open document readers in protected viewing modes to help prevent active content from running.</li>
<li>Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.</li>
<li>Use strong passwords <a href="https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf">[CPG 1.4]</a> and avoid reusing passwords for multiple accounts. See CISA Tip <a href="https://www.cisa.gov/tips/st04-002">Choosing and Protecting Passwords</a> and NIST <a href="https://csrc.nist.gov/publications/detail/sp/800-63b/final">Special Publication 800-63B: Digital Identity Guidelines</a> for more information.</li>
<li>Require administrator credentials to install software <a href="https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf">[CPG 1.5]</a>.</li>
<li>Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind <a href="https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf">[CPG 1.5]</a>.</li>
<li>Install and regularly update antivirus and antimalware software on all hosts.</li>
<li>Consider adding an email banner to messages coming from outside your organization.</li>
<li>Disable hyperlinks in received emails.</li>
<li><b>Consider participating in CISA's no-cost</b> <a href="https://www.cisa.gov/ais">Automated Indicator Sharing (AIS)</a> program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures.</li>
</ul>
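<div>The SLP workaround and its verification, as an added example written for this page (not CISA's or VMware's code). It applies the three commands from VMware KB 76372 in the ESXi shell and then checks, from the host's own tooling, that slpd is off, the CIMSLP firewall ruleset is closed and nothing is still bound to port 427. The column layouts assumed for <code>chkconfig --list</code>, <code>esxcli network firewall ruleset list</code> and <code>esxcli network ip connection list</code> are those of ESXi 6.x/7.x; <code>DRY_RUN=1</code> prints the commands instead of running them.</div>

```sh
#!/bin/sh
# Added example (not CISA's or VMware's own code): apply and verify the
# KB 76372 SLP workaround on an ESXi host. Run in the ESXi shell as root.
# DRY_RUN=1 echoes each command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# KB 76372 workaround: stop slpd, close the CIMSLP firewall ruleset,
# and keep slpd from starting again at boot.
harden_slp() {
    run /etc/init.d/slpd stop
    run esxcli network firewall ruleset set -r CIMSLP -e 0
    run chkconfig slpd off
}

# Parse 'chkconfig --list' text ("<service> <on|off>" per line; assumed layout).
# Exit status: 0 = slpd off, 1 = slpd on, 2 = no slpd line at all.
slpd_state_from_chkconfig() {
    state=$(printf '%s\n' "$1" | awk '$1 == "slpd" { print $2 }')
    case "$state" in
        off) return 0 ;;
        on)  return 1 ;;
        *)   return 2 ;;
    esac
}

# Parse 'esxcli network firewall ruleset list' text ("<Name> <true|false>").
# Exit status: 0 = CIMSLP ruleset disabled, 1 = enabled or not listed.
cimslp_disabled_from_ruleset() {
    enabled=$(printf '%s\n' "$1" | awk '$1 == "CIMSLP" { print $2 }')
    [ "$enabled" = "false" ]
}

# Parse 'esxcli network ip connection list' text; the local address is
# assumed to be column 4 (Proto, Recv Q, Send Q, Local Address, ...).
# Exit status: 0 = nothing bound to port 427, 1 = an SLP socket is still open.
no_slp_socket_in_connections() {
    printf '%s\n' "$1" | awk '$4 ~ /:427$/ { found = 1 } END { exit found ? 1 : 0 }'
}

# Live check on the host: all three conditions must hold before the
# server is reconnected to the network.
verify_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found; run this on the ESXi host" >&2
        return 2
    fi
    slpd_state_from_chkconfig "$(chkconfig --list)" || return 1
    cimslp_disabled_from_ruleset "$(esxcli network firewall ruleset list)" || return 1
    no_slp_socket_in_connections "$(esxcli network ip connection list)" || return 1
}

case "${1:-}" in
    harden) harden_slp ;;
    verify)
        if verify_slp; then
            echo "SLP disabled: slpd off, CIMSLP ruleset closed, no socket on 427"
        else
            echo "SLP still enabled or state unknown; keep this host isolated" >&2
        fi
        ;;
    *) : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

<div>Usage on the host: <code>sh slp.sh harden</code> followed by <code>sh slp.sh verify</code>; review the plan first with <code>DRY_RUN=1 sh slp.sh harden</code>. The verify step is deliberately three-fold because each command can disagree with the others: <code>chkconfig</code> only reflects the boot-time setting, the ruleset only governs the firewall, and the connection list is what an attacker on the network actually sees. Disabling SLP does not replace the patch, and a host that still shows a socket on 427 after the workaround should stay isolated until the cause is found.</div>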