Italian National Cybersecurity Agency (ACN) warns of massive ransomware campaign targeting VMware ESXi servers

The Italian National Cybersecurity Agency (ACN) warns of an ongoing massive ransomware campaign targeting VMware ESXi servers.

The Italian National Cybersecurity Agency (ACN) warns of an ongoing massive ransomware campaign targeting VMware ESXi servers worldwide, including Italian systems. The attackers are attempting to exploit the CVE-2021-21974 vulnerability.

According to the ACN, most of the attacks targeted systems in France, followed by Finland, North America, Canada, and the United States.

The alert issued by the agency states that the Italian Computer Security Incident Response Team (CSIRT Italy) is aware of dozens of local organizations exposed to ransomware attacks exploiting the CVE-2021-21974 flaw in VMware ESXi servers.


“We have been able to make a census of several dozen national systems that are likely to be compromised and alerted numerous organizations whose systems are exposed but not yet compromised,” reads the alert published by ACN. “However, some systems exposed are yet to be compromised and for some of them it was not possible to track back the owners.”

Government experts urge organizations to immediately apply security patches to address the vulnerability and prevent its exploitation.

The vulnerability is an OpenSLP heap-overflow flaw in VMware ESXi that can be exploited by attackers to execute arbitrary code remotely on vulnerable devices. The vulnerability affects the following systems:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

The virtualization giant addressed the CVE-2021-21974 bug in February 2021.
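As an added example (not code from the article, ACN, CERT-FR or VMware), the following Python script turns the affected-version list above into a triage check against the output of `esxcli system version get`. Only the 7.x fixed build (ESXi70U1c-17325551) is stated on the page; the 6.7 and 6.5 thresholds are left as `None` placeholders to be filled in from VMware's build-number reference before use, and a host on those branches is reported as "unknown" rather than silently marked patched. The sample output is constructed.

```python
# Added example: classify an ESXi host as patched/vulnerable for CVE-2021-21974
# from `esxcli system version get` output. Not from the article or VMware.
import re

# Fixed builds. The 7.x build comes from the advisory text on the page;
# the 6.7/6.5 values are placeholders (assumption) to be looked up and filled in.
FIXED_BUILD = {
    "7.0": 17325551,   # ESXi70U1c-17325551
    "6.7": None,       # ESXi670-202102401-SG: fill in build number
    "6.5": None,       # ESXi650-202102101-SG: fill in build number
}

# Constructed sample in the shape `esxcli system version get` prints.
SAMPLE_OUTPUT = """\
   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17168206
   Update: 1
   Patch: 25
"""


def parse_version_output(text):
    """Return (major.minor, build number) from esxcli-style 'Key: value' lines."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    major_minor = ".".join(fields["Version"].split(".")[:2])
    m = re.search(r"(\d+)\s*$", fields["Build"])   # trailing digits of "Releasebuild-NNN"
    if not m:
        raise ValueError("unparseable build field: %r" % fields["Build"])
    return major_minor, int(m.group(1))


def assess(major_minor, build):
    """Return 'patched', 'vulnerable', 'unknown' (threshold not filled in)
    or 'unsupported' (branch not in the advisory list; review manually)."""
    if major_minor not in FIXED_BUILD:
        return "unsupported"
    fixed = FIXED_BUILD[major_minor]
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def assess_output(text):
    """Convenience wrapper: parse esxcli output, then assess it."""
    return assess(*parse_version_output(text))


if __name__ == "__main__":
    print(assess_output(SAMPLE_OUTPUT))   # the constructed sample is below the 7.x fix
```

Run it against the captured output of `esxcli system version get` from each host; anything other than "patched" should go on the remediation list, and "unknown" results mean the placeholder thresholds still need filling in.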

According to the alert published by the ACN, the ransomware attacks were first reported by the French CERT (CERT-FR). CERT-FR reported that the threat actors behind these ransomware attacks are actively exploiting the vulnerability CVE-2021-21974.


“On February 3, 2023, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them,” reads the alert published by CERT-FR. “In the current state of investigations, these attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to remotely exploit arbitrary code. The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”

CERT-FR urges applying all patches available for the ESXi hypervisor; it also recommends performing a system scan to detect any signs of compromise.

CERT-FR also recommends disabling the SLP service on ESXi hypervisors that have not been updated.

The ongoing ransomware attacks have also been reported by cloud service provider OVHcloud, which observed most of the attacks in Europe.


“A wave of attacks is currently targeting ESXi servers. No OVHcloud managed services are impacted by this attack; however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation,” reads the report published by OVH. “These attacks are detected globally and especially in Europe.”

BleepingComputer first reported that the attacks could be linked to a new ransomware family, tracked by ID Ransomware's Michael Gillespie as ESXiArgs.

The ransomware targets files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a “.args” file for each encrypted document with metadata.
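CERT-FR's advice above to scan hosts for signs of compromise, and the file pattern just described, can be combined into a simple triage pass. The following Python script is an added example (not code from the article, CERT-FR, OVHcloud or ID Ransomware): it takes a listing of datastore paths, flags files with the extensions the article names, and reports which VM directories already have a “.args” companion next to an encrypted file. The path listing is constructed; the `walk_datastore` helper and the `/vmfs/volumes` root are assumptions about a real host.

```python
# Added example: flag ESXiArgs-style artifacts in a datastore listing.
# Not from the article; sample paths are constructed.
from collections import defaultdict
import os

# Extensions the article says the ransomware encrypts.
TARGET_EXTS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
ARGS_SUFFIX = ".args"

# Constructed sample listing; on a real host use walk_datastore() instead.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01.vmdk",
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/web01/web01.nvram",
    "/vmfs/volumes/ds1/db02/db02.vmx",
    "/vmfs/volumes/ds1/db02/db02.vmdk",
    "/vmfs/volumes/ds1/db02/db02.log",
]


def triage(paths):
    """Map each targeted-extension file to True if a '<file>.args' sibling exists."""
    present = set(paths)
    # Base names that have an .args companion (strip the suffix once).
    with_args = {p[:-len(ARGS_SUFFIX)] for p in present if p.endswith(ARGS_SUFFIX)}
    result = {}
    for p in paths:
        ext = os.path.splitext(p)[1].lower()
        if ext == ARGS_SUFFIX:
            continue                      # the marker itself is not a target file
        if ext in TARGET_EXTS:
            result[p] = p in with_args
    return result


def summarize(paths):
    """Per VM directory: how many targeted files, and how many have an .args marker."""
    by_dir = defaultdict(lambda: {"targeted": 0, "with_args": 0})
    for p, has_args in triage(paths).items():
        d = os.path.dirname(p)
        by_dir[d]["targeted"] += 1
        by_dir[d]["with_args"] += int(has_args)
    return {d: dict(v) for d, v in by_dir.items()}


def suspect_dirs(paths):
    """Directories where at least one targeted file already carries an .args marker."""
    return sorted(d for d, v in summarize(paths).items() if v["with_args"])


def walk_datastore(root="/vmfs/volumes"):
    """Collect file paths under a real datastore root (assumed layout; not run on the sample)."""
    out = []
    for dirpath, _, files in os.walk(root):
        out.extend(os.path.join(dirpath, f) for f in files)
    return out


if __name__ == "__main__":
    for d, counts in summarize(SAMPLE_PATHS).items():
        print(d, counts)
    print("suspect:", suspect_dirs(SAMPLE_PATHS))
```

A directory with `with_args` greater than zero is a strong indicator the encryptor already ran there; a directory with targeted files but no markers is where a backup or snapshot should be secured first. Run the collection step from a read-only shell or a mounted copy so that triage itself does not alter timestamps investigators may need.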

Although international cyber security agencies warn of ongoing cyber attacks exploiting the above issue, it is important to highlight that the success of these campaigns is the result of a lack of patch management. The patch for the CVE-2021-21974 bug was released two years ago; however, a large number of systems that are exposed online are yet to be patched.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-21974)



