Massive Ransomware Campaign Targets VMware ESXi Servers

Vulnerability Patched in 2021 Still Haunts Admins at Over 300 Organizations
A massive automated ransomware campaign is targeting VMware ESXi hypervisors around the world, warns CERT-FR, the French government's computer emergency readiness team that's part of the National Cybersecurity Agency of France.
The attacks exploit a heap-overflow vulnerability in the OpenSLP service of VMware ESXi, tracked as CVE-2021-21974, which VMware patched in February 2021. An attacker who can reach the service, which listens on port 427, can use the flaw to remotely execute arbitrary code on the hypervisor.
VMware's ESXi is a hypervisor, meaning it's designed to run virtual machines. VMware first issued a warning and patch for the flaw in February 2021, saying it was discovered and reported by Mikhail Klyuchnikov of Moscow-based security firm Positive Technologies.
VMware's advisory for the flaw carried a "critical" severity rating (CVE-2021-21974 itself is scored 8.8 on CVSSv3, in VMware's "important" range), and successful exploitation lets an attacker remotely execute code of their choosing on a vulnerable host and take full control of it.
"On February 3, 2023, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them. The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7," according to CERT-FR.
A spokesperson for VMware tells Information Security Media Group that a ransomware variant dubbed ESXiArgs appears to be exploiting CVE-2021-21974, a two-year-old vulnerability for which patches were made available in VMware’s
"Security hygiene is a key component of preventing ransomware attacks, and customers who are running versions of ESXi impacted by CVE-2021-21974 and have not yet applied the patch should take action as directed in the advisory," the spokesperson says.
CERT-FR recommends applying the workaround VMware has published, which disables the SLP service on ESXi hypervisors that have not yet been updated.
The agency also warns that patching alone is not enough, because attackers may already have exploited the vulnerability and dropped malicious code on the host. VMware recommends performing a system scan to detect any signs of compromise.
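The workaround CERT-FR points to, applied from the ESXi shell, as an added example that is not part of the article, of CERT-FR's advisory or of VMware's own tooling. The three commands are the ones VMware documents in its knowledge base article on disabling SLP (KB 76372): stop the OpenSLP daemon, disable the CIMSLP firewall ruleset that opens port 427, and keep the service off across reboots. The function names, the output-parsing check, and the sample command output used for the offline self-check are assumptions made here, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the article or from VMware: apply and verify
# VMware's documented SLP workaround for CVE-2021-21974 on an ESXi host.
# The three commands follow VMware KB 76372; run in the ESXi shell (SSH) as root.
# Assumptions: busybox sh, esxcli and chkconfig available (they are on ESXi).

# Stop the OpenSLP daemon, disable its firewall ruleset (port 427) and
# make sure the service stays off after a reboot.
disable_slp() {
    /etc/init.d/slpd stop || return 1
    esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
    chkconfig slpd off || return 1
}

# Decide from the text of `chkconfig --list` and
# `esxcli network firewall ruleset list` whether the workaround is in place.
# Both outputs are passed as arguments so the check can also run offline.
# Returns 0 only if slpd is off at boot AND the CIMSLP ruleset is disabled.
slp_workaround_applied() {
    chk_out="$1"
    fw_out="$2"
    printf '%s\n' "$chk_out" | grep -Eq '^slpd[[:space:]]+off[[:space:]]*$' || return 1
    printf '%s\n' "$fw_out"  | grep -Eq '^CIMSLP[[:space:]]+false[[:space:]]*$' || return 1
    return 0
}

# Live verification against the running host.
verify_slp() {
    slp_workaround_applied "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"
}

# Constructed sample output (hypothetical, not captured from a real host) used
# for an offline self-check; the layout mirrors what the two commands print.
SAMPLE_CHK_BEFORE='ntpd            off
slpd            on
sfcbd-watchdog  on'
SAMPLE_CHK_AFTER='ntpd            off
slpd            off
sfcbd-watchdog  on'
SAMPLE_FW_BEFORE='Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true'
SAMPLE_FW_AFTER='Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               false'

# Returns 0 if the check rejects the two incomplete states and accepts the
# fully applied one.
self_check() {
    if slp_workaround_applied "$SAMPLE_CHK_BEFORE" "$SAMPLE_FW_BEFORE"; then return 1; fi
    if slp_workaround_applied "$SAMPLE_CHK_AFTER"  "$SAMPLE_FW_BEFORE"; then return 1; fi
    slp_workaround_applied "$SAMPLE_CHK_AFTER" "$SAMPLE_FW_AFTER"
}

if command -v esxcli >/dev/null 2>&1; then
    if disable_slp && verify_slp; then
        echo "SLP stopped, CIMSLP ruleset disabled, slpd off at boot"
    else
        echo "workaround NOT fully applied; check the host by hand" >&2
        exit 1
    fi
else
    self_check && echo "offline self-check passed (no esxcli on this machine)"
fi
```

Run it over SSH as root on every unpatched host; on a machine without esxcli it only runs the self-check against the constructed output. Both halves of the check matter: stopping slpd without disabling the firewall ruleset leaves port 427 open for the next boot, and disabling the ruleset without chkconfig leaves the daemon set to start again. The workaround removes the exposed service but is no substitute for the patch, and it does nothing for a host that was compromised before it was applied.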
French cloud computing and hosting giant OVH also released an advisory Friday and warned its users about the current wave of attacks targeting ESXi servers.
"No OVHcloud managed services are impacted by this attack; however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference to help them with their remediation," says Julien Levrard, chief information security officer at OVH.
Levrard says attacks are being detected globally, with a focus on Europe, and he believes the attackers are likely the operators behind the Nevada ransomware strain.
On Saturday, a Shodan search showed that the spread is extensive, with at least 327 organizations affected, according to Darkfeed, a ransomware monitoring service.
"The most targeted system is from France on OVH cloud and Hetzner hosting. But they have hit other hosting and cloud companies around the world," Darkfeed says on Twitter.
SingCERT, Singapore's Computer Emergency Response Team, on Saturday also released an advisory warning users about the ongoing ransomware campaign.
"Users and administrators of affected product versions are advised to upgrade to the latest versions immediately. As a precaution, a full system scan should also be performed to detect any signs of compromise. Users and administrators are also advised to assess if the ransomware campaign-targeted port 427 can be disabled without disrupting operations," the SingCERT advisory says.
This is a developing story and it will be further updated.