VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide.

“Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” the virtualization services provider said.

The company also recommends that users upgrade to the latest supported releases of vSphere components to mitigate known issues, and that they disable the OpenSLP service in ESXi.

“In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default,” VMware added.

The announcement comes as unpatched and unsecured VMware ESXi servers around the world have been targeted in a large-scale ransomware campaign dubbed ESXiArgs, most likely by exploiting a two-year-old bug that VMware patched in February 2021.

The vulnerability, tracked as CVE-2021-21974 (CVSS score: 8.8), is a heap-based buffer overflow in OpenSLP that an unauthenticated threat actor can exploit to gain remote code execution.

The intrusions appear to single out susceptible ESXi servers that are exposed to the internet on OpenSLP port 427, with the victims instructed to pay 2.01 Bitcoin (about $45,990 as of writing) to receive the encryption key needed to recover their files. No data exfiltration has been observed to date.

Data from GreyNoise shows that 19 unique IP addresses have been attempting to exploit the ESXi vulnerability since February 4, 2023. Of those 19, 18 are classified as benign; the single IP address classified as malicious was recorded in the Netherlands.

“ESXi customers should ensure their data is backed up and should update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur,” Rapid7 researcher Caitlin Condon said. “ESXi instances should not be exposed to the internet if at all possible.”