Security Advisory: ESXiARGS Ransomware for Older VMware Patches


To all VMware ESXi server users: we would like to raise awareness that businesses currently running older, unpatched ESXi builds are at risk of being hit by a new ransomware campaign, ESXiARGS. The attack specifically targets vulnerabilities in those older ESXi builds to gain a foothold on your system. If your business is currently running any of the following versions, we strongly urge you to update:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG
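The version list above is easiest to act on if you can triage many hosts at once. The following script is an added example (not part of the original advisory) that classifies the `vmware -v` output of each ESXi host against the patch levels named above. Only the 7.x build number (17325551, taken from the patch name ESXi70U1c-17325551) is on the page; the 6.7 and 6.5 thresholds are left as labelled placeholders to be filled in from VMware's release notes for the named patches, and the host lines are constructed sample data.

```python
import re

# Minimum patched build per branch. Only the 7.x value appears in the advisory
# (ESXi70U1c-17325551); the 6.7 and 6.5 entries are PLACEHOLDERS to be filled
# in from the release notes of ESXi670-202102401-SG and ESXi650-202102101-SG.
MIN_PATCHED_BUILD = {
    "7.x": 17325551,
    "6.7": None,  # PLACEHOLDER: build number of ESXi670-202102401-SG
    "6.5": None,  # PLACEHOLDER: build number of ESXi650-202102101-SG
}

# `vmware -v` on an ESXi host prints e.g. "VMware ESXi 7.0.1 build-17325551".
VERSION_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


def classify_esxi(vmware_v_output):
    """Classify one host's `vmware -v` line.

    Returns 'patched', 'vulnerable', 'unknown' (branch is in the advisory but
    its threshold placeholder is not filled in) or 'not_listed' (branch not
    named in the advisory, e.g. 6.0 or 8.x).
    """
    m = VERSION_RE.search(vmware_v_output)
    if not m:
        raise ValueError("unrecognised version string: %r" % vmware_v_output)
    major, minor, _update, build = (int(x) for x in m.groups())
    branch = "7.x" if major == 7 else "%d.%d" % (major, minor)
    if branch not in MIN_PATCHED_BUILD:
        return "not_listed"
    threshold = MIN_PATCHED_BUILD[branch]
    if threshold is None:
        return "unknown"
    return "patched" if build >= threshold else "vulnerable"


# Constructed sample inventory (hypothetical host names and build numbers).
SAMPLE_HOSTS = {
    "esx01": "VMware ESXi 7.0.0 build-16000000",
    "esx02": "VMware ESXi 7.0.1 build-17325551",
    "esx03": "VMware ESXi 6.7.0 build-17000000",
    "esx04": "VMware ESXi 6.0.0 build-15000000",
}


def triage(hosts):
    """Map each host name to its classification."""
    return {name: classify_esxi(line) for name, line in hosts.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print(host, status)
```

Hosts reported as `unknown` should be checked by hand until the placeholder thresholds are filled in; `not_listed` hosts are outside the scope of this advisory, not confirmed safe.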

What is ESXiARGS Ransomware?


ESXiARGS is a type of ransomware that targets virtual machines running on VMware vSphere infrastructure. It is designed to encrypt all of the virtual machines on a target's network, rendering them inaccessible until a ransom is paid. Unfortunately, paying the ransom does not guarantee that the attacker will hand over the decryption key.

How ESXiARGS Ransomware Works


ESXiARGS works by exploiting vulnerabilities in the VMware vSphere infrastructure. Once the attackers have access to the hypervisor, they deploy the ransomware, which encrypts the data of the virtual machines it finds. The attackers then demand payment in exchange for the decryption key that would allow the victim to regain access to their data.

Protecting Your Business from ESXiARGS Ransomware


If you are unable to update immediately, there are several steps you can take to protect your business from ESXiARGS in the meantime. First and foremost, keep your systems current with the latest security patches and updates. Additionally, enforce a strong password policy and ensure that all employees are trained on cybersecurity best practices. Regular backups of your data, kept separate from the ESXi hosts, will also help you recover quickly in the event of a ransomware attack.

Responding to an ESXiARGS Ransomware Attack


In the unfortunate event that your business is hit by an ESXiARGS ransomware attack, it is important to have a response plan in place. Your first step should be to isolate the infected systems to prevent the ransomware from spreading further. Then contact law enforcement and a cybersecurity expert to help you recover your data and regain control of your systems.

ESXiARGS ransomware attacks are a serious threat to businesses of all sizes. The suggestions above can lessen the risk of an ESXiARGS infection but will not guarantee your business's safety. Again, the best way to secure your business is to update your VMware ESXi hosts to the latest patch. We once again implore you to plan your update as soon as possible.

Contact us at marketing@www.ctlink.com.ph if you would like to consult us on your VMware update and measures to take before the update.

Security Advisory: Multiple Microsoft Exchange exploits being used by Threat Actor Hafnium


Microsoft has recently announced a security update concerning a set of new exploits found to be used primarily by a state-sponsored threat actor based in China, which Microsoft has named Hafnium. The previously unknown exploits used by Hafnium target on-premises Exchange Server software to gain initial access to the network by impersonating someone with access privileges. The attackers then create what is known as a web shell to control the compromised server remotely, making it easy to steal data.

Affected Servers and the Remediation

The exploits used by Hafnium target on-premises Microsoft Exchange Server, so users of Microsoft Exchange Online are not affected. Below are the versions that can be targeted by the exploits:

  • Microsoft Exchange Server 2013 
  • Microsoft Exchange Server 2016 
  • Microsoft Exchange Server 2019

Microsoft strongly recommends that businesses running the affected Exchange servers immediately install the latest security updates to protect against the exploits. If you are unable to do so for all servers at once, Microsoft has said that you should first prioritize external-facing servers, as they are the most exposed to these attacks, but ultimately you will need to update them all to stay safe. Listed below are the security patches released by Microsoft for each exploit:

Is it possible to check if I have been already affected by these exploits?

Microsoft has released a detailed guide on how to check your network logs to see if you have been affected; you may refer to this link if you would like to read more on it.

Security Advisory: Vulnerabilities found on DHCP and Microsoft Exchange


Microsoft released patches for vulnerabilities that were being actively exploited via its regular security releases in the last few months of 2018. It released 49 security patches and two advisories for 2019; seven of the vulnerabilities were rated critical and 40 were rated important.

The most significant of these vulnerabilities concerns the Windows DHCP client (CVE-2019-0547), which allows an attacker to run commands on a machine by sending it crafted DHCP responses. Alarmingly, the DHCP client is enabled on most machines across all Windows operating systems, so applying this patch is a must. Another notable vulnerability is in Microsoft Exchange (CVE-2019-0586); it could allow attackers to execute code as the System user and potentially perform tasks such as viewing, changing or deleting data, and even creating new accounts.

Luckily for Trend Micro customers, specifically Deep Security and TippingPoint customers, Trend Micro has released virtual patch rules that protect against these vulnerabilities immediately. While testing the security patches released by Microsoft, Trend Micro customers can first apply the virtual patch rules to close the exposure window against possible attacks. Please see below for the recommended virtual patches:

Trend Micro Deep Security and Vulnerability Protection recommended virtual patch rules are as follows:

  • 1009452-Microsoft Windows COM Elevation Of Privilege Vulnerability (CVE-2018-8550)
  • 1009462-Microsoft Edge Elevation Of Privilege Vulnerability (CVE-2019-0566)
  • 1009463-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0539)
  • 1009464-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2019-0541)
  • 1009465-Microsoft Edge Memory Corruption Vulnerability (CVE-2019-0565)
  • 1009466-Microsoft Windows Multiple Security Vulnerabilities (Jan-2019) – 2
  • 1009468-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0567)
  • 1009469-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0568)

Trend Micro TippingPoint MainlineDV filters to be applied are as follows:

  • 33921: ZDI-CAN-7385: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 33927: HTTP: Microsoft Edge Type Confusion Vulnerability
  • 33928: HTTP: Microsoft Edge Session Boundary Memory Corruption Vulnerability
  • 33929: HTTP: Microsoft Edge Type Confusion Vulnerability
  • 33930: HTTP: Microsoft Edge Use-After-Free Vulnerability
  • 33931: HTTP: Microsoft Windows Kernel Information Disclosure Vulnerability
  • 33948: HTTP: Microsoft Edge Type Confusion Vulnerability
  • 33949: HTTP: Microsoft Internet Explorer ProgId Code Execution Vulnerability

If you have any further inquiries about these vulnerabilities, whether as a Trend Micro customer or not, contact us at 893-9515 and we would be happy to answer them!