ESXiArgs attack vector unclear as infections continue

ESXiArgs has turned into one of the highest-profile threat campaigns in recent memory, despite only having a moderate scale.

ESXiArgs is the name of the ransomware campaign involving a series of attacks against servers with vulnerable instances of VMware ESXi. Initial attack reports came in early February, and an updated advisory from French cyber agency CERT-FR listed vulnerabilities CVE-2020-3992 and CVE-2021-21974 as possible attack vectors.

Thousands of servers have apparently been infected by the ransomware so far. CISA published a decryptor tool last week using research from YoreGroup Tech Team researchers Ahmet Aykac and Enes Sonmez. Shortly after, however, a new decryption-resistant strain of the ESXiArgs ransomware delivered infections and reinfections to over 1,000 new and existing victims. In addition, some security vendors raised doubts that CVE-2021-21974 and CVE-2020-3992 were being exploited in the attacks.

The Shadowserver Foundation CEO Piotr Kijewski told TechTarget Editorial last week that ESXiArgs lacks the scale of Log4Shell and ProxyShell threats, but it has perhaps proven notable because it's an enterprise-focused campaign that spread quickly. There are also looming questions about ESXiArgs' attack vector and which threat actor -- or actors -- is behind the campaign.

TechTarget editors Rob Wright and Alex Culafi discuss the latest ESXiArgs updates, its surprising notoriety and more in this episode of the Risk & Repeat podcast.

Subscribe to Risk & Repeat on Apple Podcasts and Spotify.

Alexander Culafi is a writer, journalist and podcaster based in Boston.