[MART] - Daily Diary #362 - Python Ransomware Script Targets ESXi Server

CTAS-MAT ctas-mat at appgate.com
Tue Oct 5 21:02:16 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

10/05/2021 - Diary entry #362:


During a recent attack, a custom Python malware was discovered targeting a VMware ESXi hypervisor to encrypt all of its virtual disks, effectively shutting down the organization's virtual machines. In this very quick attack, the threat actors spent around three hours on the target's network before encrypting the virtual disks on the VMware ESXi server.


The initial access was obtained by compromising a TeamViewer account that did not have multi-factor authentication configured. TeamViewer is legitimate remote access software which, in this attack, was running in the background on a computer belonging to a user with a privileged account on the target's network.


Next, they downloaded and executed a tool called "Advanced IP Scanner" to enumerate other targets on the same network. Among those targets, the attackers logged in to a VMware ESXi server using an SSH client called Bitvise, where they found the ESXi Shell enabled, a feature that is not enabled by default.


Finally, the attackers deployed a Python script on the ESXi datastore that holds the virtual disk images used by the VMs running on the hypervisor. After shutting down all of the VMs, the script encrypts the datastore volumes, then overwrites and deletes the originals. Each datastore was encrypted with the open-source tool "openssl", using a different unique key pair for each one.


Hypervisors are highly valuable targets since they run critical services within a company. As we covered in earlier Daily Diaries (HelloKitty in #305, Sodinokibi in #294 and RansomExx in #199), this is not the first time a ransomware gang has targeted ESX servers. Therefore, it is important to enhance security measures and ensure that dangerous features are disabled after their use, like the ESXi Shell in this attack.
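As an added illustration of how a defender might spot the chain described above in ESXi Shell activity (this is example code, not part of the diary entry or of the incident's malware), the Python below scans shell.log-style lines for mass VM power-off, a script launched from a datastore, openssl run against /vmfs/volumes paths and deletion of .vmdk files, then rates each shell session by how many of those behaviours it shows. The log line shape and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Assumed shape of an ESXi /var/log/shell.log record (an assumption for this example):
#   "<ISO8601 time> shell[<pid>]: [<user>]: <command typed in the ESXi Shell>"
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Behaviours from the diary entry, each as a (rule name, pattern) pair.
RULES = [
    ("vm_power_off", re.compile(r"\b(vim-cmd\s+vmsvc/power\.off|esxcli\s+vm\s+process\s+kill)\b")),
    ("script_on_datastore", re.compile(r"\b(python|sh)\b\s+/vmfs/volumes/\S+\.(py|sh)\b")),
    ("openssl_on_datastore", re.compile(r"\bopenssl\s+enc\b.*/vmfs/volumes/")),
    ("vmdk_delete", re.compile(r"\brm\b.*\.vmdk\b")),
]

# Constructed sample lines (not taken from the incident) in the assumed format.
SAMPLE_LOG = """\
2021-10-05T20:01:10Z shell[2099855]: [root]: esxcli vm process list
2021-10-05T20:01:31Z shell[2099855]: [root]: vim-cmd vmsvc/power.off 12
2021-10-05T20:01:32Z shell[2099855]: [root]: vim-cmd vmsvc/power.off 13
2021-10-05T20:02:05Z shell[2099855]: [root]: python /vmfs/volumes/datastore1/enc.py
2021-10-05T20:02:09Z shell[2099855]: [root]: openssl enc -aes-256-cbc -in /vmfs/volumes/datastore1/app/app.vmdk -out /vmfs/volumes/datastore1/app/app.vmdk.enc -pass file:/tmp/k
2021-10-05T20:02:40Z shell[2099855]: [root]: rm -f /vmfs/volumes/datastore1/app/app.vmdk
2021-10-05T20:05:00Z shell[2099900]: [root]: ls /vmfs/volumes
"""

def analyze(log_text):
    """Return one finding per (line, matched rule): a dict with ts, pid, user, cmd and rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ESXi Shell command record
        for name, pattern in RULES:
            if pattern.search(m["cmd"]):
                findings.append({**m.groupdict(), "rule": name})
    return findings

def session_severity(findings):
    """Rate each shell session (pid) by how many distinct suspicious behaviours it shows."""
    rules_by_pid = defaultdict(set)
    for f in findings:
        rules_by_pid[f["pid"]].add(f["rule"])
    # Three or more of the four behaviours in one session is the full encryption chain.
    return {pid: ("high" if len(rules) >= 3 else "medium") for pid, rules in rules_by_pid.items()}

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["pid"], f["rule"], "::", f["cmd"])
    print(session_severity(found))
```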

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
