Maximize your protection, eliminate business risks.
Optimize and modernize with cloud transformation.
Empower your people to work securely from anywhere.
What it takes to convince leadership that migrating to the cloud is the right move.
Let us handle IT so you can focus on growing your business.
Get multichannel 24/7/365 expert end-user support.
Stay ahead of attacks with 24/7 protection and monitoring.
Maximize uptime with with industry-leading DRaaS.
Improve efficiency, productivity and outcomes with cloud.
Ensure all mobile devices, everywhere, are secure.
Gain a competitive edge with strategic IT solutions.
This battle-tested checklist enables your team to swiftly initiate a ransomware response.
IT for businesses of all sizes, in any industry.
Empower institution growth with custom IT solutions.
Ensure your firm is always in compliance.
Improve patient care and staff morale.
Deal with pressing legal matters, not IT.
Keep up with the evolving digital landscape.
Focus on your mission by outsourcing IT.
Accelerate PE client deals and secure data.
Leverage your technology as a strategic asset.
Execute initiatives and develop IT strategies.
Get the latest industry insights and trends.
Join us at events in person and online.
Hear from clients and learn more about strategic IT.
See how Dataprise can make IT your greatest asset.
Get informative technical resources from IT experts.
Stay on stop of emerging cybersecurity threats.
Discover the key areas of DR your organization needs to address to ensure downtime is minimized.
Gain a strategic asset by bringing harmony to IT.
Ensure 24/7 support and security with dedicated teams.
Drive business forward by partnering with Dataprise.
Meet our one-of-a-kind leadership team.
Discover the recognition Dataprise has earned.
Help us help businesses with strategic IT.
Embracing different perspectives and backgrounds.
Find a Dataprise location near you.
Dataprise is committed to empowering more women to consider a career in technology.
Posts
By: Dataprise
Table of content
On July 17th 2021, a post was made to the website “Bleeping Computer” regarding a recent ransomware attack on VMWare ESXI version 7 servers. This ransomware group named “Hello Kitty” was responsible for the attack on the video game company “CD Projekt RED”, where they stole the source code for their games and uploaded them to their leak site. Other ransomware variants have also attacked ESXI servers in the past, using a Linux encryptor to encrypt data. According to a blog from “Truesec”, there are different ways to attack these servers, the main one being a Remote Code Execution (RCE) vulnerability that dates back to October of 2020. VMWare posted an advisory to their site regarding this vulnerability and gave it the ID of “VMSA-2020-0023.3”. According to VMWare the patches released on October 20, 2020 did not address the vulnerability (CVE-2020-3992) and other updates to remediate still need to be installed.
According to the advisory from VMWare, if port 427 is open on the management network, a malicious actor in the network may be able to trigger what is called a use-after-free OpenSLP service. This service has been exploited in multiple vulnerabilities so it is not the first time this has been seen in the wild. SLP stands for “Service Location Protocol” and is used to query a device’s service and location by making a service request, and specifying the service it wants to look up by querying a URL. For example one URL may look like:
“service:VMwareInfrastructure://localhost.localdomain”.
According to Expert Researcher Johnny Yu, a service request packet looks like this:
Trend Micro Expert Lucas Leong found the original bug, which is located in the “SLPParseSrvURL” function, which, gets called when a “directory agent advertisement’ message is processed:
When the bug is taken advantage of, attackers can execute what is called a “Heap Overflow” which looks like this:
This causes a space in memory to become unallocated, so that an attacker can then send remote code to the ESXI server via port 427. From there they can upload any files they want to.
ESXI servers are based off of a Linux distribution. As a result, the ransomware group Hello Kitty uses this bug to upload the Linux Encryptor where they can execute the code and encrypt all the data on these servers.
According to Malware Hunter Team, Hello Kitty was already using the Command Line interface of ESXI to stop VMs as well:
When the servers are encrypted, Hello Kitty leaves a ransom note behind:
The following has been identified as IoC’s of the Hello Kitty Ransomware:
SHA-1: fadd8d7c13a18c251ded1f645ffea18a37f1c2de
SHA-256: 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe
Are you ready for the next phase of work? Download the CIO’s Guide to Security in the New Hybrid Workforce to read tips for the future.
INSIGHTS
Subscribe to our blog to learn about the latest IT trends and technology best practices.