Cybercriminals Threaten Release of Sensitive World-Check Database
A recent cyber attack has resulted in a serious data breach affecting the World-Check database, a critical tool used by financial institutions and other organisations…
Widespread ransomware attacks affecting VMware ESXi servers
Affected Systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
Description:
A worldwide ransomware campaign targets unpatched VMware ESXI servers that are vulnerable to a remote code execution vulnerability discovered in 2021. The ransomware specifically targets the Service Location Protocol (SLP) service running on ESXi hypervisor machines in version 6.x and prior to 6.7, which is known to have multiple critical vulnerabilities but is disabled by default. The main vulnerability being targeted is CVE-2021-21974, a high-severity bug that allows for remote code execution, which attackers can exploit without any account privileges or user interaction required.
VMware has published a response to the attacks, stating that there is no evidence of a 0-day vulnerability being targeted and that it is mainly outdated products affected. Despite a patch released for the vulnerability two years ago, it is estimated that over 2400 servers have been hit with the ransomware, according to BleepingComputer.
The ransomware deployed in the attack, named ESXiArgs, attempts to encrypt all files on an ESXi server, which can leave all virtual machines and the data stored on them unusable.
As such a large number of organisations have been targeted, the US’s Cybersecurity and Infrastructure Security Agency (CISA) has created a script to help impacted organisations recover compromised servers. A tutorial on running the script can be found here. It is strongly encouraged to create a backup of the encrypted system before running the script, as the script works by clearing VMs of encrypted files and then rebuilding the virtual machines .vmdk file using a flat file.
It is highly recommended that organisations who use ESXi servers ensure all systems are running the latest update. If that is not possible, then disabling the SLP service will prevent threat actors from being able to exploit the vulnerabilities present in the system.
Related Links:
https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ – Posted February 3rd, updated February 6th
https://www.bleepingcomputer.com/news/security/cisa-releases-recovery-script-for-esxiargs-ransomware-victims/ – Posted February 7th
https://blog.checkpoint.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/ – Posted February 6th
https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/ – Published February 3rd, updated February 5th
https://blogs.vmware.com/security/2023/02/83330.html – Published February 6th
Related articles
WhatsApp Verification Code Scams: Stay Safe and Protect Your Account
WhatsApp, the popular messaging service owned by Meta, has become a prime target for fraudsters. A recent scam involves the manipulation of the WhatsApp’s verification…
LastPass Users Targeted in Sophisticated Phishing Campaign
Password manager LastPass has issued an urgent warning to its users about a sophisticated phishing campaign designed to steal master passwords and gain unauthorised access…