by Valter Cartella
The recent (February 3-4, 2023) world-class cyberattack targeted the famous VMware ESXi hypervisor with the apparent aim of installing a ransomware (ESXiArgs) on those systems.
We "officially" know that the attack was successful on some ESXi servers running on an obsolete version of the flagship WMware hypervisor, and in particular the following versions:
· ESXi 7.x older than ESXi70U1c-17325551
· ESXi 6.7.x older than ESXi670-202102401-SG
· ESXi 6.5.x older than ESXi650-202102101-SG
Such versions appear vulnerable to CVE-2021–21974 exposure, we also know:
· The ransom demanded by ESXiArgs Ransomware is about 2 bitcoins (BTC).
· The FBI and CISA estimate that approximately 3,800 such servers have been attacked worldwide[1].
· Shodan platform claims that nearly 2,000 servers worldwide have been compromised[2].
· The most affected countries appear to be France, USA, Germany and Canada in order of importance.
· Italy, although hit hard, Shodan fortunately places the Bel Paese (Italy) in 17th place among the most affected countries in the world.
· Officially, Shodan tells us that only 2 Telecom Italia servers have been attacked.
This is, very briefly, the known scenario of this serious worldwide cyberattack.
Although Shodan does not mention the servers of ACEA - the Roman electricity, water and gas company - in his report, however, the Azienda Comunale Energia e Ambiente (ACEA) seems to have been attacked very severely. Even some sources inform us that some internal ACEA offices are blocked and that employees are being considered on forced holidays[3].
Not to mention the fact that just 2 servers in the gigantic Telecom Italia farm cannot create such a disruption as to bring national connectivity to an average of only 26%, therefore with a drop in bandwidth of 74%, as he revealed to us, in real time, the independent observatory NetBlocks.
With maximum peaks of decline in connectivity as much as 88%.
Telecom Italia officially states that "there are no correlations" between the TIM incident and the ESXiArgs ransomware. In fact, TIM declares that it was not the victim of the global cyberattack and that the impressive drop in connection suffered was only due to a malfunction of an "international PoP (Point of Presence)".
Forcing people to believe that "two adverse events", practically contemporary, and of global importance ("ESXiArgs" and the phantom "international PoP"), are not related to each other, is almost an insult to "basic" intelligence.
We will see later that not only TIM but also VMware, the giant from Palo Alto (California), hides behind an embarrassing "there are no correlations and no evidence". However, let's go ahead.
So what happened?
The purpose of this short article is certainly not to analyze in detail all the evidence of such a powerful cyberattack, even worldwide. The aim is only to "advise" the reader that perhaps the historic moment has come to look at IT Security with new, different eyes, "necessarily" taking into consideration interdisciplinary knowledge completely, "apparently", disconnected from the world of ICT (Information Communication Technology).
A new point of view, described in great detail, in the book "Level -3: It's Time for IT Security Heretical" (English version[4], Italian version[5]) absolutely different from other technical books in the IT Security field. Quite possibly the first book in the world in the “cybersecurity domain” to be censored[6].
We said that the time has come to look at IT Security with new eyes, so let's make some very brief reflections together.
In fact, if we look closely at this massive ransomware attack with different eyes, we notice quite a few anomalies.
First of all the haste of the media, and unfortunately also of many "specialized" magazines in the IT sector, to declare that the fault of this global cyberattack was due to the negligence of IT administrators in passing the security "patches".
The sad reality is however another: Even today we do NOT really know what happened!
In fact, the CVE-2021–21974 does not answer all the technical questions that the ESXiArgs Ransomware has raised. It should be noted that CVE-2021-21974 is not yet officially confirmed as an attack vector.
The French CERT also listed CVE-2020-3992 as another possibility, which is also an OpenSLP vulnerability[7].
Experts who are actively working to understand what happened are starting to think that perhaps we are facing a 0-day, even if WMware hastened to declare that "there is no evidence" in this sense[8]. Once again our ears hear a "there are no correlations and no evidence". And a sense of emptiness pervades us.
Luckily a system administrator published a post on the BleepingComputer forum on the subject of ESXiArgs writing that some servers directly under his control, although they did not have the OpenSLP service active, were still compromised by the malware[9].
This means that we are probably facing a 0-day.
It is also interesting to note that in a recent article that appeared on ANSA, the Italian company Yoroi "openly" shows its concern about the exponential growth of "zero-day" viruses[10].
Finally, we also know that ESXiArgs malware is not only probably a 0-day, but also of the worst "species" since it looks like a "mutant" zero-day[11].
It is fair to point out that "mutating" malware not only means that it has an internal logic that makes it change over time, but it is also possible that it is "still" remotely controlled.
This means that in the famous scale of the "Intrusion Kill Chain" phase 6 "Command and Control" is still "active" (the attack may still be in progress or only in stand-by!). It is never wrong to remember that the Command and Control phase can come both from the external network (Internet) and from the internal network (Intranet). A nightmare!
For many technicians this my last speculation might seem erroneous because the "data frames" can be easily intercepted by the SOC (Security Operation Center). However, if you are patient for a moment you will see that it is NOT always true!
At this point, it must be remembered that 2008 was the "secret" 9/11 within all x86 CPUs in the world[12]. On that date Intel, and after a few years also AMD, both introduced a "new" privileged executive level accessible only to "them" (manufacturers) and known among industry experts as "Level -3" (also known as "Rings -3”).
Describing in a simple article like this, what this technology REALLY means and the VERY DEEP DIETROLOGIES hidden within it, is literally impossible.
The researcher interested in this topic cannot fail to read an entire book of almost 500 pages such as "Level -3: It's Time for IT Security Heretical". To get a general idea, the reader is invited to "download" the PDF file containing the Preface and Introduction of my book from the link below[13].
Very briefly, I point out that in the Cloud environment (SDT-Software-Defined Technology) the "Level -3" has the power to DO EVERYTHING and also the OPPOSITE OF EVERYTHING. In fact, it is important to declare that within a "pure" SDT context the "Level -3" is absolutely and completely TRANSPARENT and therefore invisible to any "Hypervisor" and incredibly also to any "SOC Nuclear Triad"[14].
We previously stated that the historic moment has come to look at IT Security with new, different eyes, "necessarily" taking into consideration interdisciplinary knowledge completely, "apparently", disconnected from the world of ICT (Information Communication Technology). Let's take an example.
In 2019 the WEF (World Economic Forum) took part, with the Foundation of Bill Gates and others, in a pandemic exercise called Event 201, which imagined an epidemic spreading across the planet[15]. Then what we all know happened.
Between January 17-20, 2023 (not even a month before the global ransomware attack in question), the oracle named Klaus Schwab, founder and president of the World Economic Forum (WEF), stated that within the next two years there could be a worldwide catastrophic cyber attack[16].
Since we have decided to look at IT Security with new eyes and consciously wanting to unite all the points of this "strange" ransomware attack, we are now at a crossroads.
Choosing to look the other way (Matrix), as we did way back in 2001 (9/11).
Or take into "serious" consideration new architectural and technological solutions to create a Better World (also thanks to IT Security Heretical).
The video below (recorded on February 6, 2023), thanks to the collaboration of the very active OndaRadio, is my brief "hot" analysis of the worldwide ransomware attack in question. I'm afraid I understood, right away, what there was to understand.
Good vision (not yet translated - subtitles - in English).
Notes
____________________ [1]https://www.securityweek.com/esxiargs-ransomware-hits-over-3800-servers-as-hackers-continue-improving-malware/ [2] https://www.shodan.io/search?query=title%3A%22how+to+restore+your+files%22 [3] https://www.redhotcyber.com/post/attacco-informatico-allacea-sito-ed-app-fuori-servizio-e-programmi-di-gestione-soc-attivo-h24/ [4] Level -3 (English version): https://www.lulu.com/it/shop/valter-cartella/level-3/paperback/product-jg4m97.html?q=Level+-3&page=1&pageSize=4 [5] Level -3 (Italian version): https://www.amazon.it/dp/B0B75GJTWV?ref_=pe_3052080_397514860 [6] “Level -3” Censorship Report by Amazon KDP: https://youtu.be/uKKwM8CCmUo [7] https://www.recordedfuture.com/esxiargs-ransomware-targets-vmware-esxi-openslp-servers [8] https://www.securityweek.com/vmware-says-no-evidence-of-zero-day-exploitation-in-esxiargs-ransomware-attacks/ [9] https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-31#entry5473353 [10] https://www.ansa.it/sito/notizie/tecnologia/hitech/2023/02/09/cybersicurezza-crescono-virus-zero-day-mai-intercettati_2ecc84e7-f83c-4a1e-ab33-64d523a8dc03.html [11] https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-version-prevents-vmware-esxi-recovery/ [12] https://youtu.be/4l5pXNkgn3g [13] https://www.level-3.net/preview-english [14] 1) SIEM (Security Information and Event Management); 2) Network Forensics Tools (NFT) or Network Traffic Analysis (NTA); 3) Endpoint Detection and Response (EDR, also known as ETDR) [15] https://www.centerforhealthsecurity.org/our-work/exercises/event201/ [16] https://www.wallstreetitalia.com/attacchi-informatici-per-schwab-dobbiamo-immunizzare-internet-per-fermarli/