VMware ESXi Servers Targeted in Large-Scale Ransomware Campaign

February 6, 2023

The French Computer Emergency Response Team (CERT-FR) has warned about an ongoing ransomware campaign targeting VMware ESXi hypervisors that have not been patched against the critical heap-overflow vulnerability tracked as CVE-2021-21974.

VMware issued a patch on February 3, 2021, to fix the vulnerability; however, hundreds of VMware ESXi virtual machines are still vulnerable to the exploit and are now being attacked. The vulnerability affects the Open Service Location Protocol (OpenSLP) service and can be exploited by an unauthenticated attacker in a low-complexity attack to remotely execute code.

According to CERT-FR, the campaign targets ESXi hypervisors in version 6.x and prior to 6.7 through OpenSLP port 427; the agency warns that the following versions are vulnerable to the exploit:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

CERT-FR's alert includes a workaround for organizations unable to apply the patch immediately, but the agency strongly recommends patching to address the issue. CERT-FR also warns that patching the vulnerability or applying the workaround is not, on its own, sufficient protection, as the vulnerability may already have been exploited to deliver malicious code; after applying the mitigations, systems should be scanned for signs of compromise. VMware said the attacks involve a new ransomware variant dubbed ESXiArgs, which appends the .args extension to encrypted files. While this has yet to be confirmed, the attacks do not appear to involve data exfiltration, only file encryption.
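As an added example (not code from the article, CERT-FR or VMware), the script below turns the article's facts into an offline triage check over data an administrator has already collected from an ESXi host. It assumes the `vmware -vl` banner reads like `VMware ESXi 7.0.0 build-16850804`, that the socket list is one constructed `proto local_addr state process` line per listener, and that only the 7.x fixed build number is known from the article, so the 6.x thresholds are placeholders.

```python
import re
# Thresholds from the article: only the 7.x fixed build (ESXi70U1c-17325551) is
# given as a build number. For 6.7 and 6.5 the article gives patch IDs
# (ESXi670-202102401-SG, ESXi650-202102101-SG), not builds, so those entries are
# placeholders: None means the script cannot decide and the operator must
# consult VMware's advisory by hand.
FIXED_BUILD = {"7.0": 17325551, "6.7": None, "6.5": None}  # 6.x: PLACEHOLDER
SLP_PORT = "427"       # OpenSLP, the service the vulnerable code runs in
RANSOM_EXT = ".args"   # extension the article says ESXiArgs appends
_BANNER = re.compile(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)")

def patch_status(banner):
    """Classify a 'vmware -vl' banner (assumed format) as patched/vulnerable/verify."""
    m = _BANNER.search(banner)
    if not m:
        return "verify"
    line, build = m.group(1), int(m.group(2))
    fixed = FIXED_BUILD.get(line)
    if fixed is None:             # unknown line or placeholder threshold
        return "verify"
    return "patched" if build >= fixed else "vulnerable"

def slp_exposed(conn_lines):
    """True if any 'proto local_addr state proc' line shows a socket on port 427."""
    for ln in conn_lines:
        f = ln.split()
        if len(f) >= 2 and f[1].rsplit(":", 1)[-1] == SLP_PORT:
            return True
    return False

def args_files(paths):
    """Datastore paths carrying the ransomware's .args extension."""
    return sorted(p for p in paths if p.endswith(RANSOM_EXT))

def triage(banner, conn_lines, paths):
    """Combine the checks: .args files mean the host was hit, patched or not."""
    hits, status, exposed = args_files(paths), patch_status(banner), slp_exposed(conn_lines)
    if hits:
        verdict = "compromised"      # scan result overrides a clean patch status
    elif exposed and status != "patched":
        verdict = "exposed"          # unpatched (or unverifiable) host with SLP listening
    else:
        verdict = "ok"
    return {"patch": status, "slp_exposed": exposed, "args_files": hits, "verdict": verdict}

if __name__ == "__main__":   # constructed sample data for one host
    print(triage("VMware ESXi 7.0.0 build-16850804",
                 ["tcp 0.0.0.0:427 LISTEN slpd", "tcp 0.0.0.0:443 LISTEN rhttpproxy"],
                 ["/vmfs/volumes/ds1/vm1/vm1.vmdk", "/vmfs/volumes/ds1/vm1/vm1.vmx.args"]))
```

A "verify" result is deliberately not treated as safe: a host whose line has no known threshold and still listens on 427 is reported as exposed until checked against VMware's advisory.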

Over the weekend, security researchers reported that hundreds of machines had been targeted in what appear to be automated or semi-automated attacks exploiting the vulnerability. More than 500 machines were believed to have been hit by Sunday, and today's figures indicate more than 3,200 servers have been attacked. OVHcloud customers are the worst affected, although attacks are now hitting customers of other hosting companies as well. OVH issued a security advisory on Friday warning customers about the campaign and urging them to patch immediately. While the attacks initially appeared to target vulnerable VMware ESXi hypervisors in Europe, they are now more widespread: SingCERT in Singapore has issued an advisory about the ransomware campaign, and attacks have been detected in the United States and Canada.

There have been reports that earlier versions of VMware ESXi hypervisors are also being targeted by ransomware gangs, although VMware says the vulnerability is restricted to the 6.x and 7.x versions listed above. That could indicate CVE-2021-21974 is not the only vulnerability being exploited. What is clear is that multiple ransomware gangs have released Linux versions of their ransomware specifically to target ESXi hypervisors, with the Royal ransomware group among the latest to release a Linux version for attacks on ESXi.

 

The post VMware ESXi Servers Targeted in Large-Scale Ransomware Campaign appeared first on HIPAA Journal.