Hackers are exploiting an unpatched VMware vulnerability to target ESXi servers and distribute ransomware.
An unpatched software bug present in VMware’s ESXi servers is being exploited by hackers in an attempt to spread ransomware across the globe.
Unpatched VMware servers are exploited by hackers
A two-year-old software vulnerability in VMware’s ESXi servers has become the target of a widespread hacking campaign. The goal of the attack is to deploy ESXiArgs, a new ransomware variant. It is estimated that hundreds of organizations have been affected.
The French Computer Emergency Response Team (CERT) issued a statement on February 3 discussing the nature of the attacks. The statement said the campaigns “appear to have benefited from the exposure of ESXi hypervisors that were not updated with security patches quickly enough”. CERT also noted that the targeted bug “allows an attacker to perform remote arbitrary code exploitation”.
Organizations have been advised to patch the hypervisor vulnerability to avoid falling victim to this ransomware operation. However, in the same statement CERT recalls that “updating a product or software is a delicate operation which must be carried out with precaution” and that “it is recommended to carry out as many tests as possible”.
VMware also talked about the situation
Along with CERT and various other entities, VMware has also published an article about this global attack. In a VMware advisory, it was written that the server vulnerability (known as CVE-2021-21974) could give malicious actors the ability to “trigger the heap overflow issue in the OpenSLP service leading to remote code execution”.
VMware also noted that it released a patch for this vulnerability in February 2021; applying it removes the attack vector used by the malicious operators and so avoids being targeted.
This attack does not appear to be state-run
Although the identities of the attackers in this campaign are not yet known, Italy’s National Cybersecurity Agency (ACN) has stated that there is currently no evidence to suggest that the attack was carried out by a state entity (as reported by Reuters). Various Italian organizations were affected by this attack, as well as organizations in France, the United States, Germany and Canada.
Suggestions have been made as to who might be responsible for this campaign, with software from various ransomware families such as BlackCat, Agenda and Nokoyawa being investigated. Time will tell if the identities of the operators can be discovered.
Ransomware attacks continue to pose a major risk
Over the years, more and more organizations have fallen victim to ransomware attacks. This mode of cybercrime has become incredibly popular among malicious actors, and this global VMware hack shows just how widespread the consequences can be.