Affected Systems:
Description:
A worldwide ransomware campaign is targeting unpatched VMware ESXi servers that are vulnerable to a remote code execution vulnerability discovered in 2021. The ransomware specifically targets the Service Location Protocol (SLP) service running on ESXi hypervisors in version 6.x and prior to 6.7, a service which is known to have multiple critical vulnerabilities but is disabled by default. The main vulnerability being targeted is CVE-2021-21974, a high-severity bug that allows remote code execution and that attackers can exploit without any account privileges or user interaction.
VMware has published a response to the attacks, stating that there is no evidence of a 0-day vulnerability being targeted and that it is mainly outdated products that are affected. Despite a patch for the vulnerability having been released two years ago, it is estimated that over 2400 servers have been hit with the ransomware, according to BleepingComputer.
The ransomware deployed in the attack, named ESXiArgs, attempts to encrypt all files on an ESXi server, which can leave all virtual machines and the data stored on them unusable.
As such a large number of organisations have been targeted, the US's Cybersecurity and Infrastructure Security Agency (CISA) has created a script to help impacted organisations recover compromised servers. A tutorial on running the script can be found here. It is strongly encouraged to create a backup of the encrypted system before running the script, as the script works by clearing encrypted files from the VMs and then rebuilding each virtual machine's .vmdk file from its flat file.
It is highly recommended that organisations that use ESXi servers ensure all systems are running the latest update. If that is not possible, then disabling the SLP service will prevent threat actors from being able to exploit the vulnerabilities present in the system.
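As an added example (not code from the advisory, VMware or CISA), a small POSIX shell audit for the mitigation above: it reports whether the SLP daemon or its CIMSLP firewall ruleset is still enabled on an ESXi host and, if so, applies the disable steps. The command output layouts it parses are assumed from the ESXi chkconfig and esxcli tools, and the file name slp_audit.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory or VMware: audit an ESXi host for an
# exposed SLP service and apply the disable steps the advisory recommends.
# Assumes the ESXi shell tools chkconfig, esxcli and /etc/init.d/slpd are
# present; the output layouts parsed below ("slpd  on", "CIMSLP  true") are
# assumed from those tools.

# slp_exposed CHKCONFIG_OUTPUT FIREWALL_OUTPUT
#   $1 = text of 'chkconfig --list', $2 = text of 'esxcli network firewall ruleset list'
#   Returns 0 (true) when the slpd service is enabled at boot OR the CIMSLP
#   firewall ruleset is still open, i.e. port 427 may be reachable.
slp_exposed() {
  svc=$(printf '%s\n' "$1" | awk '$1 == "slpd"   { print $2 }')
  fw=$(printf '%s\n' "$2" | awk '$1 == "CIMSLP" { print $2 }')
  [ "$svc" = "on" ] || [ "$fw" = "true" ]
}

# disable_slp: the mitigation for hosts that cannot be patched yet.
# slpd only stops cleanly when no SLP client is using it; check with
# 'esxcli system slp stats get' first if the stop fails.
disable_slp() {
  /etc/init.d/slpd stop &&
  esxcli network firewall ruleset set -r CIMSLP -e 0 &&
  chkconfig slpd off
}

# audit_host: run the live checks and remediate when exposed.
audit_host() {
  esxcli system version get          # record version/build for the patch decision
  if slp_exposed "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"; then
    echo "SLP enabled or CIMSLP ruleset open: disabling SLP"
    disable_slp || return 1
  fi
  # Confirm nothing is still listening on the SLP port (local address column).
  esxcli network ip connection list | awk '$4 ~ /:427$/ { found=1 } END { exit found ? 1 : 0 }'
}

# Run the live audit only when invoked explicitly: ./slp_audit.sh audit
if [ "${1-}" = "audit" ]; then
  audit_host
fi
```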
Related Links:
https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ – Posted February 3rd, updated February 6th
https://www.bleepingcomputer.com/news/security/cisa-releases-recovery-script-for-esxiargs-ransomware-victims/ – Posted February 7th
https://blog.checkpoint.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/ – Posted February 6th
https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/ – Published February 3rd, updated February 5th
https://blogs.vmware.com/security/2023/02/83330.html – Published February 6th