VMware Discovers No Signs of 0-Day Vulnerabilities in Current ESXiArgs Ransomware Attacks

VMware Addresses Ransomware Attacks Targeting ESXi Servers

On Monday, VMware said it has found no evidence that an undisclosed zero-day vulnerability in its software is being exploited in the ongoing global wave of ransomware attacks. According to the company, the reports it has reviewed indicate that the attackers are targeting products that have reached End of General Support (EoGS) or are significantly out of date, and that the vulnerabilities involved are known ones previously addressed and disclosed in VMware Security Advisories (VMSAs).

To counter these threats, VMware urges customers to upgrade to the latest supported releases of vSphere components. It also advises organizations to disable the OpenSLP service in ESXi if it is not needed; OpenSLP has shipped disabled by default since ESXi 7.0 U2c in 2021 and in ESXi 8.0 GA, so the advice mainly concerns older builds and hosts where it was re-enabled.

The advisory follows a large-scale ransomware campaign, tracked as ESXiArgs, that has been hitting unpatched and unsecured VMware ESXi servers worldwide. The campaign is believed to exploit CVE-2021-21974 (CVSS score 8.8), a heap-based buffer overflow in ESXi's OpenSLP component that VMware patched in February 2021. An unauthenticated attacker who can reach port 427, for instance from the same network segment, can trigger the overflow to achieve remote code execution.

The attacks predominantly target vulnerable ESXi servers that expose the OpenSLP service on port 427 to the internet. The ransom note reportedly demands 2.01 Bitcoin (roughly $45,990 at the time of writing) in exchange for the decryption key. No data exfiltration linked to these attacks has been reported so far.
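The practical question raised by the two paragraphs above is whether a given ESXi host still answers on UDP port 427. The following script is an added example, not code from the article, VMware or the OpenSLP project: it builds a unicast SLPv2 Service Request (RFC 2608) and parses the Service Reply, so any well-formed answer means a service agent is reachable on that port. The service type `service:service-agent` and scope `DEFAULT` are the usual self-description query; the `build_srvrply` helper constructs a sample reply purely so the parser can be exercised offline. Run it only against hosts you are authorized to test.

```python
"""Minimal SLPv2 (RFC 2608) probe: does a host answer a SrvRqst on UDP/427?
Added example, not from the article, VMware or OpenSLP."""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST = 1   # Service Request
FN_SRVRPLY = 2   # Service Reply

def _slp_string(s: str) -> bytes:
    """SLP strings are a 2-byte big-endian length followed by UTF-8 bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def _header(function_id: int, body: bytes, xid: int, lang: str) -> bytes:
    """14-byte fixed header plus language tag (RFC 2608 section 8)."""
    total = 14 + len(lang.encode("utf-8")) + len(body)
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")        # Length (3 bytes)
            + struct.pack("!H", 0)            # Flags: plain unicast, no O/F/R bits
            + (0).to_bytes(3, "big")          # Next Extension Offset: none
            + struct.pack("!H", xid)          # XID, echoed back by the responder
            + _slp_string(lang))              # Language tag

def build_srvrqst(service_type="service:service-agent", scope="DEFAULT",
                  xid=0x1234, lang="en") -> bytes:
    """SrvRqst asking the service agent to describe itself; needs no credentials."""
    body = (_slp_string("")             # PRList: no previous responders
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string("")           # predicate: match everything
            + _slp_string(""))          # SLP SPI: no security parameter index
    return _header(FN_SRVRQST, body, xid, lang) + body

def build_srvrply(urls, xid=0x1234, error_code=0, lang="en") -> bytes:
    """Constructed SrvRply, as a service agent would send it; offline sample input only."""
    body = struct.pack("!HH", error_code, len(urls))
    for url in urls:
        ub = url.encode("utf-8")
        # URL entry: reserved(1) lifetime(2) url-len(2) url auth-count(1)
        body += struct.pack("!xHH", 0xFFFF, len(ub)) + ub + b"\x00"
    return _header(FN_SRVRPLY, body, xid, lang) + body

def parse_header(data: bytes) -> dict:
    if len(data) < 14:
        raise ValueError("truncated SLP header")
    version, function_id = data[0], data[1]
    if version != SLP_VERSION:
        raise ValueError(f"unsupported SLP version {version}")
    length = int.from_bytes(data[2:5], "big")
    flags, = struct.unpack("!H", data[5:7])
    xid, lang_len = struct.unpack("!HH", data[10:14])
    lang = data[14:14 + lang_len].decode("utf-8", errors="replace")
    return {"function": function_id, "length": length, "flags": flags,
            "xid": xid, "lang": lang, "body_offset": 14 + lang_len}

def parse_srvrply(data: bytes) -> dict:
    hdr = parse_header(data)
    if hdr["function"] != FN_SRVRPLY:
        raise ValueError(f"expected SrvRply, got function-id {hdr['function']}")
    off = hdr["body_offset"]
    error_code, count = struct.unpack("!HH", data[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        _lifetime, url_len = struct.unpack("!xHH", data[off:off + 5])
        off += 5
        urls.append(data[off:off + url_len].decode("utf-8", errors="replace"))
        off += url_len
        n_auth = data[off]
        off += 1
        for _ in range(n_auth):
            # Auth block: BSD(2) length(2) ...; the length field covers the whole block
            blk_len, = struct.unpack("!H", data[off + 2:off + 4])
            off += blk_len
    return {"xid": hdr["xid"], "error_code": error_code, "urls": urls}

def probe_slp(host: str, timeout: float = 2.0, xid: int = 0x1234):
    """Return the parsed SrvRply from host:427, or None if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srvrqst(xid=xid), (host, SLP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    reply = parse_srvrply(data)
    if reply["xid"] != xid:
        raise ValueError("SrvRply XID does not match our request")
    return reply

if __name__ == "__main__":
    import sys  # usage: python slp_probe.py <esxi-host>
    result = probe_slp(sys.argv[1])
    print("no SLP reply: port 427 filtered or slpd disabled" if result is None else result)
```

A `None` result from an internet-facing address is what you want to see; a reply means the host is still announcing OpenSLP and should be patched or have the service disabled. On the host itself, VMware's KB 76372 documents the disable sequence (`/etc/init.d/slpd stop`, `esxcli network firewall ruleset set -r CIMSLP -e 0`, `chkconfig slpd off`), and `esxcli system slp stats get` shows whether anything is still using the service.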

Data from GreyNoise shows that, since February 4, 2023, 19 unique IP addresses have attempted to exploit the vulnerability; only one of them, located in the Netherlands, was classified as malicious.

Caitlin Condon, a researcher at Rapid7, emphasizes the urgency for ESXi users to ensure their data is backed up and to apply updates to their ESXi installations immediately, rather than waiting for scheduled patch cycles. She advises that ESXi servers should ideally remain disconnected from the internet, mitigating their exposure to these ongoing threats.

In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script for affected organizations. The agency notes that ESXiArgs encrypts configuration files on vulnerable servers, which can render the virtual machines on them unusable.

CISA has concurrently issued a warning that cyber adversaries are exploiting known vulnerabilities in VMware ESXi software to access servers and deploy ransomware. More than 3,800 servers globally have reportedly fallen victim to this campaign, underscoring the critical need for enhanced security measures.

While the identity of the attackers remains unclear, they are evidently using known OpenSLP vulnerabilities as their entry point, which raises questions about how many internet-facing ESXi hosts are still running unpatched builds with the service enabled.

The campaign is a reminder that patching known vulnerabilities, disabling unneeded services, and keeping management interfaces off the internet remain the most effective defenses against attacks on outdated infrastructure.
