Skip to content
Detecteam
  • CompanyExpand
    • Founders Story
    • The Team
  • ProductExpand
    • About Us
  • SolutionsExpand
    • Use Cases
  • ResourcesExpand
    • Detecteam Blogs
    • Contact Us
Twitter Linkedin
Detecteam
Blog · Scenario

ESXiArgs VMware Ransomware

Avatar photoByDetecteam 2023-06-132023-06-13

TLP

TLP CLEAR

Author

Jordi Lobo

Summary

ESXiArgs VMware Ransomware: Massive VMware: Ransomware attack targeting the VMware ESXi hypervisor. Exploits CVE-2021-21974 vulnerability: This vulnerability affects the Service Location Protocol (SLP) service and allows attackers to exploit arbitrary code remotely. The systems currently targeted are ESXi hypervisors in version 6.x, prior to 6.7, CERT-FR stated.

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

The /store/packages/vmtools.py file is the same custom Python backdoor for VMware ESXi server discovered by Juniper in December 2022, allowing the threat actors to remotely access the device.

DATA

paloalto_firewall_traffic.log_Download

TIMELINE

CATEGORY

Ransomware

references

  • https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
  • https://www.csoonline.com/article/3687095/massive-ransomware-attack-targets-vmware-esxi-servers-worldwide.html
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974
  • https://www.vmware.com/security/advisories/VMSA-2021-0002.html
  • https://kb.vmware.com/s/article/76372

MITRE ATT&CK

Post Tags: #T1006 - Direct Volume Access#T1021.004 - SSH#T1062 - Hypervisor#T1070.004 - File Deletion#T1190 - Exploit Public-Facing Application#T1486 - Data Encrypted for Impact
Avatar photo
Detecteam
X

Detecteam is transforming cybersecurity detection from static rule-writing to autonomous, continuous validation. Our REFLEX platform automates the detection lifecycle—building, testing, validating and deploying detections in minutes, not months. We help enterprises maximize ROI on existing tools, close high-risk detection gaps faster, and scale security outcomes without scaling headcount. This is the future of detection-as-code, and we’re leading it.

CONTACT US

Detecteam Inc.
300 Lenora Street PMB 659
Seattle, WA 98121 USA
+1 (650) 542-0831
sales@detecteam.com

  • Privacy Policy

SOCIAL MEDIA

Twitter Linkedin
OUR NEWSLETTER

Check your inbox or spam to confirm your subscription.

© 2025 Detecteam Inc. All Rights Reserved.

  • Company
    • Founders Story
    • The Team
  • Product
    • About Us
  • Solutions
    • Use Cases
  • Resources
    • Detecteam Blogs
    • Contact Us
Search