CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers

A new wave of attacks is targeting VMware ESXi servers to deliver ransomware, CERT of France warns.

The French Computer Emergency Response Team (CERT-FR) warns that threat actors are targeting VMware ESXi servers to deploy ransomware.

CERT-FR reported that the threat actors behind these ransomware attacks are actively exploiting the vulnerability CVE-2021-21974.


“OpenSLP as used in ESXi has a heap-overflow vulnerability.” reads the advisory published by VMware. “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.”

The vulnerability is an OpenSLP heap-overflow flaw in VMware ESXi that can be exploited by attackers to execute arbitrary code remotely on vulnerable devices. The vulnerability affects the following systems:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

The virtualization giant addressed the CVE-2021-21974 bug in February 2021.
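As an added example (not part of the original article, nor VMware's or CERT-FR's guidance), the following POSIX shell function triages a host against the list above using the one-line output of `vmware -v`. It takes the 7.x fixed build number from the ESXi70U1c-17325551 patch name; the 6.7 and 6.5 fixes are named on this page only by bulletin ID, so for those branches the function returns the bulletin to verify on the host rather than guessing a build number. The `vmware -v` output format (`VMware ESXi <version> build-<number>`) is an assumption.

```shell
#!/bin/sh
# Added example: triage an ESXi host against the CVE-2021-21974 fixes
# listed in the article. Input is the output of "vmware -v" on the host.

# Fixed build for the 7.x branch, taken from the patch name ESXi70U1c-17325551.
FIXED_BUILD_7=17325551
# The 6.7 and 6.5 fixes are identified only by bulletin ID; their build
# numbers are deliberately not guessed here. Verify the bulletin is installed.
BULLETIN_67="ESXi670-202102401-SG"
BULLETIN_65="ESXi650-202102101-SG"

# esxi_patch_status "<vmware -v line>"
# Prints one of: patched, vulnerable, verify:<bulletin>, unknown
esxi_patch_status() {
    line="$1"
    # Assumed format: "VMware ESXi 7.0.1 build-17325551"
    pattern='^VMware ESXi \([0-9][0-9.]*\) build-\([0-9]*\).*'
    version=$(printf '%s\n' "$line" | sed -n "s/$pattern/\\1/p")
    build=$(printf '%s\n' "$line" | sed -n "s/$pattern/\\2/p")
    if [ -z "$version" ] || [ -z "$build" ]; then
        echo unknown
        return
    fi
    case "$version" in
        7.*)
            # Build numbers increase monotonically, so a plain integer
            # comparison against the fixed build is enough for 7.x.
            if [ "$build" -ge "$FIXED_BUILD_7" ]; then
                echo patched
            else
                echo vulnerable
            fi ;;
        6.7*) echo "verify:$BULLETIN_67" ;;
        6.5*) echo "verify:$BULLETIN_65" ;;
        # Anything else (e.g. 6.0) is not covered by the fixes listed above.
        *) echo unknown ;;
    esac
}

# Stand-alone use on a host: esxi_patch_status "$(vmware -v)"
```

Run it on the host as `esxi_patch_status "$(vmware -v)"`; a result of `verify:<bulletin>` means the branch is in scope and the named bulletin must be confirmed with the host's patch inventory before treating it as fixed.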


“On February 3, 2023, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.” reads the alert published by CERT-FR. “In the current state of investigations, these attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to remotely exploit arbitrary code. The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”

CERT-FR urges administrators to apply all available patches for the ESXi hypervisor; it also recommends performing a system scan to detect any signs of compromise.

The CERT also recommends disabling the SLP service on ESXi hypervisors that have not been updated.
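Where patching has to wait, the SLP service can be switched off. The shell snippet below is an added example, not CERT-FR's or VMware's own script: it wraps the three commands VMware documents in KB 76372 for this (stop `slpd`, disable the `CIMSLP` firewall ruleset, keep `slpd` off at boot) and adds a small parser for the `esxcli network firewall ruleset list` table so the state can be verified afterwards. The table layout (a `Name`/`Enabled` header followed by one row per ruleset) and the `chkconfig --list` output format are assumptions about the ESXi shell.

```shell
#!/bin/sh
# Added example: disable SLP on an unpatched ESXi host and verify the result.
# Meant for the ESXi shell; the commands are the ones VMware lists in KB 76372.

# Stop the daemon, block its firewall ruleset (CIMSLP, port 427 TCP/UDP)
# and prevent it from starting again after a reboot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# slp_ruleset_enabled "<output of: esxcli network firewall ruleset list>"
# Parses the assumed "Name  Enabled" table and prints true or false for the
# CIMSLP row, or "absent" if no such row exists.
slp_ruleset_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { print $2; found = 1 }
        END { if (!found) print "absent" }'
}

# Live check on the host: ruleset state plus the boot-time setting of slpd.
# Expected after disable_slp: "CIMSLP ruleset enabled: false, slpd at boot: off"
slp_status() {
    ruleset=$(slp_ruleset_enabled "$(esxcli network firewall ruleset list -r CIMSLP)")
    boot=$(chkconfig --list | awk '$1 == "slpd" { print $2 }')
    printf 'CIMSLP ruleset enabled: %s, slpd at boot: %s\n' "$ruleset" "${boot:-absent}"
}
```

`disable_slp` is the remediation step and `slp_status` the check; keeping them separate makes it easy to run the check alone across a fleet and only act on hosts that still report `true`.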

The ongoing ransomware attacks have also been reported by cloud service provider OVHcloud, which observed most of the attacks in Europe.


“A wave of attacks is currently targeting ESXi servers. No OVHcloud managed services are impacted by this attack; however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.” reads the report published by OVH. “These attacks are detected globally and especially in Europe.”

According to experts, some of the attacks aimed at delivering the Nevada ransomware. Researchers from cybersecurity firm Resecurity recently identified a new version of Nevada Ransomware, which emerged on the Dark Web right before the start of 2023.

Around February 1, 2023, the group distributed an updated locker written in Rust for their affiliates, supporting Windows, Linux and ESXi. This programming language has become a trend for ransomware developers these days (Blackcat, RansomExx2, Hive, Luna, Agenda).

However, BleepingComputer first reported that the attacks could be linked to a new ransomware family, tracked by ID Ransomware’s Michael Gillespie as ESXiArgs.

The ransomware targets files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a “.args” file containing metadata for each encrypted document.
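The two file facts above (the five targeted extensions and the per-document “.args” companion) give a cheap on-host check for the scan for signs of compromise that CERT-FR recommends. The script below is an added example, not CERT-FR's or the article's own tooling: it walks a datastore path, lists every `.args` file together with the document it sits beside, and flags whether that document carries one of the listed extensions. That the `.args` file is named after the encrypted document with `.args` appended is an assumption.

```shell
#!/bin/sh
# Added example: look for ESXiArgs-style indicators under a datastore path.
# Assumption: the locker writes "<document>.args" next to each encrypted
# document, where the document has one of the extensions named in the article.

# Extensions the article says the ransomware targets.
TARGET_EXTS="vmxf vmx vmdk vmsd nvram"

# scan_args_indicators <dir>
# Prints one tab-separated line per ".args" file found:
#   <args file>  <companion document or MISSING>  <TARGETED|OTHER>
# TARGETED means the companion has one of the listed extensions.
scan_args_indicators() {
    dir="$1"
    find "$dir" -type f -name '*.args' | while IFS= read -r args; do
        companion="${args%.args}"      # strip the trailing ".args"
        ext="${companion##*.}"         # extension of the companion document
        flag=OTHER
        for e in $TARGET_EXTS; do
            if [ "$ext" = "$e" ]; then
                flag=TARGETED
            fi
        done
        if [ -e "$companion" ]; then
            printf '%s\t%s\t%s\n' "$args" "$companion" "$flag"
        else
            printf '%s\t%s\t%s\n' "$args" "MISSING" "$flag"
        fi
    done
}

# count_args_indicators <dir>
# Number of ".args" files found; 0 means no indicator of this kind.
count_args_indicators() {
    scan_args_indicators "$1" | wc -l | tr -d ' '
}

# Stand-alone use on a host: scan_args_indicators /vmfs/volumes
```

On a host the natural root is `/vmfs/volumes`; any hit is worth treating as a potential compromise rather than waiting for a `TARGETED` flag, since a `.args` file with no matching document (`MISSING`) can mean the encrypted file was already moved or removed.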

Pierluigi Paganini (SecurityAffairs – hacking, VMware ESXi servers)



