VMware has no evidence of zero-day exploitation in ESXiArgs ransomware attacks

VMware said there is no evidence that threat actors are exploiting a zero-day flaw in its software as part of an ongoing ESXiArgs ransomware campaign.


VMware said that it found no evidence that the threat actors behind the ongoing ESXiArgs ransomware attacks are leveraging a zero-day vulnerability in VMware ESXi servers.


“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks,” reads the latest advisory published by the company. “Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs).”

ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server. The Computer Emergency Response Team of France (CERT-FR) was the first to notice and send an alert about the attack. Italy’s National Cybersecurity Agency (ACN) and the Cyber Security Agency of Singapore have also issued warnings for organizations to take immediate action to protect their systems.

Researchers from GreyNoise reported that 19 IP addresses have been observed attempting to exploit CVE-2021-21974.

The French Computer Emergency Response Team (CERT-FR) warned that threat actors are targeting VMware ESXi servers to deploy ransomware.

CERT-FR reported that the threat actors behind these ransomware attacks are actively exploiting the vulnerability CVE-2021-21974.

The vulnerability is an OpenSLP heap-overflow flaw in VMware ESXi that can be exploited by attackers to execute arbitrary code remotely on vulnerable devices. The vulnerability affects the following systems:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

The virtualization giant addressed the CVE-2021-21974 bug in February 2021.


“On February 3, 2023, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them,” reads the alert published by CERT-FR. “In the current state of investigations, these attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to remotely exploit arbitrary code. The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”

CERT-FR urges applying all patches available for the ESXi hypervisor; it also recommends performing a system scan to detect any signs of compromise.

The virtualization giant also recommends disabling the SLP service on ESXi hypervisors that have not been updated.


“With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” continues the latest advisory. “In addition, VMware has recommended disabling the OpenSLP service in ESXi since 2021 when ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.”
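The two mitigations above (patch level and SLP disabled) can be audited from output captured on the host. The following script is an added example, not code from the article or from VMware: it assumes the output formats of `vmware -v`, `chkconfig --list` and `esxcli network firewall ruleset list`, uses the 7.x fixed build named in the article, and runs on constructed sample output.

```python
import re

# Fixed 7.x build taken from the article's affected-version list (ESXi70U1c-17325551).
FIXED_BUILD_7X = 17325551

# Constructed sample output, in the shape you would capture on an ESXi host with
# `vmware -v`, `chkconfig --list` and `esxcli network firewall ruleset list`.
SAMPLE_VMWARE_V = "VMware ESXi 7.0.0 build-16324942"
SAMPLE_CHKCONFIG = "slpd            on\nsfcbd-watchdog  off\n"
SAMPLE_RULESET = "Name       Enabled\n---------  -------\nCIMSLP     true\nsshServer  true\n"

def parse_vmware_version(text):
    """Return (version, build) from `vmware -v` output."""
    m = re.search(r"ESXi (\d+\.\d+(?:\.\d+)?) build-(\d+)", text)
    if not m:
        raise ValueError("unrecognised vmware -v output")
    return m.group(1), int(m.group(2))

def _state(output, name, on_value):
    """Look up `name` in two-column output; True/False, or None if not listed."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == name:
            return parts[1].lower() == on_value
    return None

def slpd_service_enabled(chkconfig_output):
    return _state(chkconfig_output, "slpd", "on")

def cimslp_ruleset_enabled(ruleset_output):
    return _state(ruleset_output, "CIMSLP", "true")

def assess(vmware_v, chkconfig_output, ruleset_output):
    """Return a list of findings; an empty list means patched and SLP switched off."""
    version, build = parse_vmware_version(vmware_v)
    findings = []
    if version.startswith("7.") and build < FIXED_BUILD_7X:
        findings.append(f"ESXi {version} build {build} predates fixed build "
                        f"{FIXED_BUILD_7X} (CVE-2021-21974)")
    elif version.startswith(("6.5", "6.7")):
        findings.append(f"ESXi {version}: compare build against the 6.x patch "
                        "identifiers listed for CVE-2021-21974")
    if slpd_service_enabled(chkconfig_output):
        findings.append("slpd service still enabled (chkconfig)")
    if cimslp_ruleset_enabled(ruleset_output):
        findings.append("CIMSLP firewall ruleset still enabled (SLP port 427 reachable)")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE_VMWARE_V, SAMPLE_CHKCONFIG, SAMPLE_RULESET)))
```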

VMware also informs its customers that general ransomware resources are available at its Ransomware Resource Center.


Pierluigi Paganini (SecurityAffairs – hacking, VMware)
