
Critical VMware Vulnerability From 2021 Leveraged in Mass Ransomware Campaign

A threat actor is reportedly leveraging a two-year-old vulnerability in VMware ESXi servers to deploy ransomware.

February 7, 2023 Zachary Comeau


A two-year-old vulnerability in VMware ESXi servers is reportedly under mass exploitation by a ransomware threat actor, and more than 1,000 VMware ESXi servers have been compromised.

According to cybersecurity firm BlackBerry, the new ransomware, ESXiArgs, is targeting unpatched, internet-exposed VMware ESXi servers by exploiting a 2021 heap-overflow bug in the OpenSLP service that allows remote code execution.

The threat actor is targeting victims globally, with much of the activity centered on North America and Europe, the firm's researchers say in a blog post.

French cybersecurity authorities issued an advisory late last week, saying they became aware of attack campaigns targeting unpatched VMware ESXi hypervisors with the goal of deploying ransomware. The SLP service in particular appears to be the target. That service has been the subject of several patches in recent years, and its vulnerabilities could allow an attacker to remotely execute arbitrary code, according to CERT-FR.

The systems currently targeted include ESXi hypervisors in version 6.x prior to 6.7, and CERT-FR says the vulnerabilities affecting SLP concern these systems:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

Once a server is compromised, a shell script is used to execute the encryptor and drop the ransom note, which demands about $480,000 worth of Bitcoin.

The vulnerability being exploited in this ransomware campaign is tracked as CVE-2021-21974, a high-severity remote code execution bug (CVSSv3 base score 8.8) that VMware patched in February 2021 in advisory VMSA-2021-0002.

A spokesperson from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says the agency is working with public and private sector partners to assess the impacts of the reported incidents and provide assistance where needed.

“Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI,” the spokesperson says. “Organizations should continue taking urgent steps to reduce the risk of ransomware incidents, including by adopting the guidance on stopransomware.gov and implementing basic cyber hygiene such as multi-factor authentication, which can drastically reduce your risk of being hacked.”

VMware’s guidance

In its own update on the matter, VMware says it is aware of the exploits and ransomware attacks and that it has found no evidence that an undisclosed (zero-day) vulnerability is being exploited.

To protect against exploitation, VMware advises customers to upgrade to the latest supported releases of vSphere components, which address the currently known vulnerabilities, and to disable the OpenSLP service in ESXi. The company notes that ESXi 7.0 U2c, released in 2021, and ESXi 8.0 GA ship with the service disabled by default.
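A worked check for the version list above, together with VMware's "disable OpenSLP" mitigation, added here as an example; it is not code from VMware, BlackBerry or CERT-FR. It assumes the output format of `esxcli system version get` (a `Version:` line and a `Build:` line carrying a `Releasebuild-` prefix), the fixed-build numbers stated in its comments (only the 7.0 build, 17325551, appears on this page; the 6.7 and 6.5 builds are an assumption to confirm against VMware's release notes), and the disable procedure from VMware KB 76372 (`/etc/init.d/slpd stop`, firewall ruleset `CIMSLP`, `chkconfig slpd off`). It is written for ESXi's busybox shell, so it sticks to POSIX sh:

```shell
#!/bin/sh
# Added example (not VMware, BlackBerry or CERT-FR code): decide whether an
# ESXi host's build predates the OpenSLP fix for CVE-2021-21974 and, on
# request, apply the "disable OpenSLP" mitigation VMware describes.

# Fixed builds per branch. 7.0: ESXi70U1c-17325551 (on the page).
# 6.7 and 6.5: the builds of ESXi670-202102401-SG and ESXi650-202102101-SG
# as listed in VMware's build tables -- an assumption; confirm against
# VMware's release notes before relying on this check.
FIXED_70=17325551
FIXED_67=17499825
FIXED_65=17477841

# slp_status VERSION BUILD
#   Prints "patched", "vulnerable" or "unknown"; exit status 0, 1 or 2.
slp_status() {
    ver=$1
    build=$2
    case "$ver" in
        8.*)      echo patched; return 0 ;;     # 8.0 GA ships fixed, SLP off by default
        7.0*)     fixed=$FIXED_70 ;;
        6.7*)     fixed=$FIXED_67 ;;
        6.5*)     fixed=$FIXED_65 ;;
        6.0*|5.*) echo vulnerable; return 1 ;;  # out of general support before the 2021 fix
        *)        echo unknown; return 2 ;;
    esac
    case "$build" in
        ''|*[!0-9]*) echo unknown; return 2 ;;  # build must be numeric to compare
    esac
    if [ "$build" -ge "$fixed" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# status_from_esxcli_output
#   Reads `esxcli system version get` output on stdin and feeds the
#   Version and Build fields to slp_status.
status_from_esxcli_output() {
    ver=""
    build=""
    while IFS= read -r line; do
        case "$line" in
            *Version:*) ver=${line##*"Version: "} ;;
            *Build:*)   build=${line##*"Build: "}
                        build=${build#Releasebuild-} ;;
        esac
    done
    slp_status "$ver" "$build"
}

# disable_openslp
#   The mitigation from VMware KB 76372: stop slpd, close its firewall
#   ruleset and keep it from starting at boot. Only runs when asked for.
disable_openslp() {
    /etc/init.d/slpd stop || return 1     # fails while the CIM server still uses SLP
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    chkconfig --list | grep slpd          # expect "slpd  off"
}

case "${1:-}" in
    check)   esxcli system version get | status_from_esxcli_output ;;
    disable) disable_openslp ;;
esac
```

On a host, `sh slpcheck.sh check` prints `patched`, `vulnerable` or `unknown` (the script name is an assumption); `sh slpcheck.sh disable` applies the mitigation, and the early return on `slpd stop` is deliberate, since the service cannot be stopped while the CIM server still has SLP in use. Whatever the result, a host whose TCP/UDP port 427 is reachable from the internet should not be exposed that way regardless of patch level.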

Prioritize security and safety over convenience and patch your systems

At the time of VMware’s advisory on the vulnerability in late February 2021, the bug wasn’t under active exploitation. That has changed nearly two years later, which is an alarming testament to the patching practices of many organizations, says Bernard Montel, EMEA technical director and security strategist at vulnerability management software provider Tenable.

“The sad truth is that we often see known vulnerabilities, with an exploit available, left unpatched,” Montel says. “This puts organizations at incredible jeopardy of being successfully penetrated. In this case, with the two-year-old VMware vulnerability, the threat is immense given the active exploitation.”

According to Montel, virtualization is critical to most organizations’ cloud strategy, with the hypervisor representing a big target for attackers.

“If threat actors are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection,” Montel says.

One likely reason these systems have remained unpatched for nearly two years is that organizations weigh uptime against security, and uptime wins. Threat actors prioritize vulnerabilities in popular software that can help them spread ransomware, including VMware products and other widely used tools such as ManageEngine, Exchange and the Windows Print Spooler.

“Threat actors target these flaws knowing they can abuse admin rights to traverse the network and inflict damage, even holding sensitive information systems and data to ransom,” Montel says. “For business continuity, it's imperative security teams determine how to address exploited vulnerabilities while minimizing the impact to the organization instead of leaving known flaws unaddressed.”

Barmak Meftah, co-founder and general partner of Ballistic Ventures, a venture capital firm dedicated to early-stage funding for cybersecurity firms, and the former president of AT&T Cybersecurity, says organizations should shift from preventing ransomware to making ransomware obsolete by implementing disaster recovery plans and context-switched data.

However, he also stresses that patching systems, especially for critical vulnerabilities like the one being exploited here, is the first step.

“The importance of simple patch management cannot be overstated. Unpatched vulnerabilities can have dire consequences — threat actors prove this over and over, and we’re seeing the fallout plainly with this attack,” Meftah says. “Companies that have been impacted are now wrestling with the question of whether to pay the ransom. Those organizations without appropriate mitigating measures should consult a breach response company immediately.”
