Hackers Target Unpatched Vulnerability in VMware ESXi Servers

Written by staff writer.


Hackers are targeting an OpenSLP (Service Location Protocol) security flaw in unpatched VMware ESXi servers, deploying malware that gives the attackers remote code execution and encrypts the servers. VMware is a global provider of multi-cloud services.

CERT-FR, the French government’s cybersecurity response agency, issued an alert on February 3 warning of the attack. The affected systems are ESXi hypervisors version 6.5, 6.7 and 7.0.

“CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them,” the agency said. “These attack campaigns seem to have taken advantage of the exposure of ESXi hypervisors which would not have been updated with security patches quickly enough. In particular, the SLP service seems to have been targeted, a service for which several vulnerabilities had been the subject of successive patches. Exploit codes have been available in open source since at least May 2021.”

The situation is evolving, but according to the latest estimates, the hackers have targeted over 3,000 servers. They use the malware to encrypt .vmxf, .vmx, .vmdk, .vmsd, and .nvram files on the servers and release ransom notes. Overnight, Italy’s National Cybersecurity Agency said they believed cyber-criminals rather than nation-state actors were behind the attacks.
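The paragraph above names the VM file types the malware encrypts. A useful first triage step for a responder is to tell encrypted files apart from intact ones before deciding whether a VM can be re-registered or must be restored from backup. The script below is an added example, not code from the article or from VMware: it walks a datastore directory and measures the Shannon entropy of each file with one of the listed extensions. The .vmx, .vmxf and .vmsd files are plain-text metadata in a healthy VM, so a near-random byte distribution in them is a strong indicator of encryption; .vmdk and .nvram are binary and can legitimately be dense, so those are only flagged for review. The entropy threshold, directory layout and sample files are constructed for the demo.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Extensions the article lists as encrypted by the ESXiArgs malware.
TARGET_EXTENSIONS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
# Of these, the VM metadata files are plain ASCII 'key = "value"' text, so a
# near-random byte distribution is a strong sign the file has been encrypted.
# .vmdk (guest disk data) and .nvram are binary and can legitimately be dense,
# so they are only flagged for review.
TEXT_EXTENSIONS = {".vmxf", ".vmx", ".vmsd"}
HIGH_ENTROPY = 7.5      # bits per byte (assumed threshold); ciphertext approaches 8.0
SAMPLE_BYTES = 1 << 20  # read at most 1 MiB per file, enough to classify


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> dict:
    """Read the head of one VM file and return its entropy and a verdict."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    if entropy >= HIGH_ENTROPY and ext in TEXT_EXTENSIONS:
        verdict = "likely-encrypted"
    elif entropy >= HIGH_ENTROPY:
        verdict = "high-entropy-review"
    else:
        verdict = "clean"
    return {"path": path, "entropy": round(entropy, 2), "verdict": verdict}


def triage_datastore(root: str) -> dict:
    """Walk a datastore tree and bucket every file with a targeted extension."""
    buckets = {"likely-encrypted": [], "high-entropy-review": [], "clean": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                result = classify_file(os.path.join(dirpath, name))
                buckets[result["verdict"]].append(result)
    return buckets


def summarize(buckets: dict) -> dict:
    """Map each verdict to the sorted file names in it, for reports and checks."""
    return {k: sorted(os.path.basename(r["path"]) for r in v) for k, v in buckets.items()}


def build_demo_datastore() -> str:
    """Constructed sample datastore: one intact VM and one whose files look encrypted."""
    root = tempfile.mkdtemp(prefix="esxi-triage-")
    rng = random.Random(427)  # fixed seed so the demo is reproducible
    junk = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    clean_vmx = b'.encoding = "UTF-8"\nconfig.version = "8"\n' * 64
    os.makedirs(os.path.join(root, "intact-vm"))
    os.makedirs(os.path.join(root, "hit-vm"))
    with open(os.path.join(root, "intact-vm", "intact.vmx"), "wb") as fh:
        fh.write(clean_vmx)
    with open(os.path.join(root, "intact-vm", "intact.vmdk"), "wb") as fh:
        fh.write(b"# Disk DescriptorFile\nversion=1\n" * 32)
    with open(os.path.join(root, "hit-vm", "victim.vmx"), "wb") as fh:
        fh.write(junk)
    with open(os.path.join(root, "hit-vm", "victim-flat.vmdk"), "wb") as fh:
        fh.write(junk)
    return root


if __name__ == "__main__":
    for verdict, names in summarize(triage_datastore(build_demo_datastore())).items():
        print(f"{verdict:20s} {names}")
```

On a real host the root would be a path such as a volume under the datastore mount point; the walk only reads the first MiB of each file, so it is cheap to run across a large datastore while the host is still being investigated. A high-entropy .vmdk on its own is not evidence of compromise (compressed or encrypted guest data looks the same), which is why the verdicts are kept separate.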

“No evidence has emerged pointing to aggression by a state or hostile state-like entity,” that agency said, noting that the attackers did not target critical infrastructure servers.

Because the attacks target unpatched servers, systems that have already been updated are protected from this particular piece of malware. CERT-FR says the two relevant vulnerabilities are CVE-2021-21974 from VMSA-2021-0002, which covers an ESXi OpenSLP heap-overflow vulnerability, and CVE-2020-3992 from VMSA-2020-0023, which covers an ESXi OpenSLP remote code execution vulnerability. VMware says to patch if possible or to disable the affected SLP service in ESXi.
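The mitigation named above, disabling the SLP service, is only effective if both the slpd daemon and the firewall ruleset that exposes OpenSLP port 427 are turned off, and an administrator checking a fleet of hosts wants a quick way to confirm that. The script below is an added example, not VMware's or the article's code. It assumes the commands from VMware's knowledge base article on disabling SLP (`/etc/init.d/slpd stop`, `esxcli network firewall ruleset set -r CIMSLP -e 0`, `chkconfig slpd off`) and parses the output of the two read-only commands that reveal whether they were applied, `esxcli network firewall ruleset list` and `chkconfig --list`. The sample outputs are constructed in the shape of those commands so the check can run offline.

```python
import re
import subprocess

# Mitigation steps this check verifies (assumption: the commands in VMware's
# KB article on disabling the SLP service on ESXi):
#   /etc/init.d/slpd stop
#   esxcli network firewall ruleset set -r CIMSLP -e 0
#   chkconfig slpd off
FIREWALL_CMD = ["esxcli", "network", "firewall", "ruleset", "list"]
CHKCONFIG_CMD = ["chkconfig", "--list"]

# Constructed sample output, shaped like the two commands, for the offline demo.
# It depicts a host on which the mitigation has NOT been applied.
SAMPLE_FIREWALL = """\
Name                 Enabled
-------------------  -------
sshServer            true
sshClient            false
CIMSLP               true
"""
SAMPLE_CHKCONFIG = """\
hostd                   on
slpd                    on
sfcbd-watchdog          on
"""


def parse_rulesets(output: str) -> dict:
    """Return {ruleset name: enabled?} from 'esxcli network firewall ruleset list'."""
    rules = {}
    for line in output.splitlines():
        m = re.fullmatch(r"(\S+)\s+(true|false)", line.strip())
        if m:  # header and separator lines do not match and are skipped
            rules[m.group(1)] = m.group(2) == "true"
    return rules


def parse_chkconfig(output: str) -> dict:
    """Return {service name: enabled at boot?} from 'chkconfig --list'."""
    services = {}
    for line in output.splitlines():
        m = re.fullmatch(r"(\S+)\s+(on|off)", line.strip())
        if m:
            services[m.group(1)] = m.group(2) == "on"
    return services


def slp_exposure(firewall_output: str, chkconfig_output: str) -> dict:
    """Judge whether the SLP mitigation is complete; list the remaining steps."""
    ruleset_on = parse_rulesets(firewall_output).get("CIMSLP", False)
    slpd_on = parse_chkconfig(chkconfig_output).get("slpd", False)
    todo = []
    if slpd_on:
        todo.append("slpd still enabled: /etc/init.d/slpd stop && chkconfig slpd off")
    if ruleset_on:
        todo.append("CIMSLP ruleset still open: esxcli network firewall ruleset set -r CIMSLP -e 0")
    return {
        "slpd_enabled": slpd_on,
        "cimslp_ruleset_enabled": ruleset_on,
        "mitigated": not (slpd_on or ruleset_on),  # both must be off
        "todo": todo,
    }


def check_live_host() -> dict:
    """Run the two commands on the ESXi host this script executes on."""
    fw = subprocess.run(FIREWALL_CMD, capture_output=True, text=True, check=True).stdout
    ck = subprocess.run(CHKCONFIG_CMD, capture_output=True, text=True, check=True).stdout
    return slp_exposure(fw, ck)


if __name__ == "__main__":
    report = slp_exposure(SAMPLE_FIREWALL, SAMPLE_CHKCONFIG)
    print("mitigated:", report["mitigated"])
    for step in report["todo"]:
        print(" -", step)
```

The check treats the host as exposed if either the daemon or the firewall ruleset is still enabled, since leaving just one of them on keeps port 427 reachable or leaves the service ready to come back at the next boot. It says nothing about patch level: a fully patched host will legitimately still show slpd enabled, and patching, not disabling, is the primary fix the article points to.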

Consulting Solutions Engineer Stefan van der Wal from Barracuda Networks says the ransomware attack highlights how important it is to update critical software infrastructure systems.

“Securing virtual infrastructure is vital. Virtual machines can be attractive targets for ransomware since they often run business-critical services or functions, and a successful attack could cause extensive disruption,” he said.

“It isn’t always easy for organizations to update software, but it is far better to face the temporary disruption than to be hit by a potentially damaging attack.”

Many exposed servers are reportedly in France, the US, and Germany. Cybersecurity analysts are saying that the attack, while widespread, doesn’t appear to be sophisticated, and some entities have recovered their virtual machines without having to restore from a backup.

But cybersecurity specialists Wiz say 12% of ESXi servers worldwide are currently unpatched for CVE-2021-21974 and vulnerable to attacks. “The targets of these attacks are primarily ESXi servers running versions prior to 7.0 U3i, which are accessible through the OpenSLP port 427,” the company said on February 7.

They add that the ESXiArgs malware is linked to the Nevada ransomware family that was first detected in December 2022 and is tied to Chinese and Russian threat actors.
