Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks

Organizations using older versions of VMware ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed "End of General Support (EOGS) and/or significantly out-of-date products" continues.

However, the onslaught also points out wider problems in locking down virtual environments, researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or "zero-day" flaw, but rather previously identified vulnerabilities that have already been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed "ESXiArgs" is an exploit for a 2-year-old remote code execution (RCE) vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi to mitigate the issue, something VMware began doing by default in shipped versions of the product starting in 2021 with ESXi 7.0 U2c and ESXi 8.0 GA.
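The OpenSLP mitigation described above, as an added shell example that is not from the article or from VMware: a small audit-and-disable helper for the ESXi shell that follows VMware's published steps (stop slpd, disable the CIMSLP firewall ruleset, turn off slpd autostart). The verdict function works from captured tool output so it can be checked offline; the `chkconfig --list` and `esxcli ... ruleset list` output formats it parses are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or from VMware): audit, and optionally
# disable, the OpenSLP daemon (slpd) on an ESXi host, following VMware's
# published mitigation steps. Assumes the stock ESXi shell tools: chkconfig,
# esxcli and /etc/init.d/slpd. The two output formats parsed below are assumptions.

# slp_verdict CHKCONFIG_OUTPUT RULESET_OUTPUT
#   $1: text of `chkconfig --list`   (assumed lines like "slpd  on")
#   $2: text of `esxcli network firewall ruleset list -r CIMSLP`
#       (assumed table row like "CIMSLP  true")
# Prints "exposed" and returns 1 if slpd still autostarts or the CIMSLP
# firewall ruleset is still enabled; otherwise prints "hardened" and returns 0.
slp_verdict() {
    autostart=$(printf '%s\n' "$1" | awk '$1 == "slpd" { print tolower($2) }')
    ruleset=$(printf '%s\n' "$2" | awk '$1 == "CIMSLP" { print tolower($2) }')
    # A missing slpd entry or ruleset row is treated as "off"/"false".
    if [ "${autostart:-off}" = "on" ] || [ "${ruleset:-false}" = "true" ]; then
        echo exposed
        return 1
    fi
    echo hardened
    return 0
}

# Run the audit against the live host.
slp_audit() {
    slp_verdict "$(chkconfig --list 2>/dev/null)" \
                "$(esxcli network firewall ruleset list -r CIMSLP 2>/dev/null)"
}

# Apply VMware's mitigation: stop the daemon, close the firewall ruleset,
# keep slpd from starting at the next boot, then re-audit.
slp_disable() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    slp_audit
}

# Usage on the host: sh slp_hardening.sh audit | disable
case "${1:-}" in
    audit)   slp_audit ;;
    disable) slp_disable ;;
esac
```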

Unpatched Systems Again in the Crosshairs

VMware's confirmation means that the attack by as-yet unknown perpetrators, which has so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US, may have been avoided by something that all organizations clearly need to do better: patch vulnerable IT assets, security experts said.

"This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in," notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It's a "sad truth" that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and security strategist for security exposure management firm Tenable.

"This puts organizations at incredible jeopardy of being successfully penetrated," he tells Dark Reading. "In this case, with the VMware vulnerability, the threat is immense given the active exploitation."

However, even given the risks of leaving vulnerable systems unpatched, it remains a complex issue for organizations to balance the need to update systems with the effect the downtime required to do so can have on a business, Montel acknowledges.

"The issue for many organizations is evaluating uptime, versus taking something offline to patch," he says. "In this case, the calculation really couldn't be more straightforward: a few minutes of inconvenience, or days of disruption."

Virtualization Is Inherently a Risk

Other security experts don't believe the ongoing ESXi attack is as straightforward as a patching issue. Though patching may solve the problem for some organizations in this case, it's not as simple as that when it comes to protecting virtualized environments in general, they note.

The fact of the matter is that VMware as a platform, and ESXi in particular, are complex products to manage from a security perspective, and thus easy targets for cybercriminals, says David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary. Indeed, multiple ransomware campaigns have targeted ESXi in the past year alone, demonstrating that savvy attackers recognize their potential for success.

Attackers get an added bonus from the virtualized nature of an ESXi environment: if they break into one ESXi hypervisor, which can control or have access to multiple virtual machines (VMs), "it could be hosting a lot of other systems that could also be compromised without any additional work," Maynor says.

Indeed, the virtualization that's at the heart of every cloud-based environment has made the task of threat actors easier in many ways, Montel notes. This is because they only have to target one vulnerability in one instance of a particular hypervisor to gain access to an entire network.

"Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything," he says. "If they are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection."

How to Protect VMware Systems When You Can't Patch

As the latest ransomware attack persists, with its operators encrypting files and asking for around 2 Bitcoin (or $23,000 at press time) to be delivered within three days of compromise, or risk the release of sensitive data, organizations grapple with how to resolve the underlying issue that creates such a rampant attack.

Since patching or updating every vulnerable system immediately may not be entirely realistic, other approaches may need to be implemented, notes Dan Mayer, a threat researcher at Stairwell. "The truth is, there are always going to be unpatched systems, either due to a calculated risk taken by the organizations or due to resource and time constraints," he says.

The risk of having an unpatched system in and of itself may then be mitigated by other security measures, such as continuously monitoring enterprise infrastructure for malicious activity and being prepared to respond quickly and segment areas of attack if a problem arises.

Indeed, organizations need to act on the assumption that preventing ransomware "is all but impossible," and focus on putting tools in place "to lessen the impact, such as disaster recovery plans and context-switched data," notes Barmak Meftah, founding partner at cybersecurity venture capital firm Ballistic Ventures.

However, the ongoing VMware ESXi ransomware attack highlights another issue that contributes to an inherent inability for many organizations to take the necessary preventative measures: the skill and income gaps across the globe in the IT security realm, Mayer says.

"We do not have enough skilled IT professionals in nations where wealthy companies are targets," he tells Dark Reading. "At the same time, there are threat actors across the globe who are able to make a better living leveraging their skills to extort money from others than if they took legitimate cybersecurity work."

Mayer cites a report by the international cybersecurity nonprofit (ISC)² that said that, to secure assets effectively, the cybersecurity workforce needs 3.4 million cybersecurity workers. Until that happens, "we need to ramp up training these workers, and while the gap still exists, pay those with the skills around the world what they are worth, so they don't turn to being part of the problem," Mayer says.
