Hello Kitty Ransomware Attacks VMWare ESXI v.7.0: Dataprise Defense Digest

Executive Summary

On July 17^th 2021, a post was made to the website “Bleeping Computer” regarding a recent ransomware attack on VMWare ESXI version 7 servers. This ransomware group named “Hello Kitty” was responsible for the attack on the video game company “CD Projekt RED”, where they stole the source code for their games and uploaded them to their leak site. Other ransomware variants have also attacked ESXI servers in the past, using a Linux encryptor to encrypt data. According to a blog from “Truesec”, there are different ways to attack these servers, the main one being a Remote Code Execution (RCE) vulnerability that dates back to October of 2020. VMWare posted an advisory to their site regarding this vulnerability and gave it the ID of “VMSA-2020-0023.3”. According to VMWare the patches released on October 20, 2020 did not address the vulnerability (CVE-2020-3992) and other updates to remediate still need to be installed.

Detailed Analysis

According to the advisory from VMWare, if port 427 is open on the management network, a malicious actor in the network may be able to trigger what is called a use-after-free OpenSLP service. This service has been exploited in multiple vulnerabilities so it is not the first time this has been seen in the wild. SLP stands for “Service Location Protocol” and is used to query a device’s service and location by making a service request, and specifying the service it wants to look up by querying a URL. For example one URL may look like:

“service:VMwareInfrastructure://localhost.localdomain”.

According to Expert Researcher Johnny Yu, a service request packet looks like this:

Trend Micro Expert Lucas Leong found the original bug, which is located in the “SLPParseSrvURL” function, which, gets called when a “directory agent advertisement’ message is processed:

When the bug is taken advantage of, attackers can execute what is called a “Heap Overflow” which looks like this:

This causes a space in memory to become unallocated, so that an attacker can then send remote code to the ESXI server via port 427. From there they can upload any files they want to.

ESXI servers are based off of a Linux distribution. As a result, the ransomware group Hello Kitty uses this bug to upload the Linux Encryptor where they can execute the code and encrypt all the data on these servers.

According to Malware Hunter Team, Hello Kitty was already using the Command Line interface of ESXI to stop VMs as well:

When the servers are encrypted, Hello Kitty leaves a ransom note behind:

Indicators Of Compromise

The following has been identified as IoC’s of the Hello Kitty Ransomware:

SHA-1: fadd8d7c13a18c251ded1f645ffea18a37f1c2de

SHA-256: 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe

Mitigation

1. Turn off Port 427
2. Enable TPM 2.0 on server if possible
3. Enable UEFI Secure Boot
4. Apply most recent patches from VMware here: https://www.vmware.com/security/advisories/VMSA-2020-0023.html

Sources

• https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/
• https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/
• https://twitter.com/malwrhunterteam/status/1415403132230803460
• https://blog.truesec.com/2021/04/13/secure-your-vmware-esxi-hosts-against-ransomware/
• https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
• https://www.vmware.com/security/advisories/VMSA-2020-0023.html
• https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty
• https://twitter.com/_wmliang_
• https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/

Contributing Authors

• Stephen Jones, Senior Director Cybersecurity
• Susan Verdin, Cybersecurity Analyst

Are you ready for the next phase of work? Download the CIO’s Guide to Security in the New Hybrid Workforce to read tips for the future.