New wave of ransomware attacks targeting VMware ESXi servers | Security Affairs

A new wave of ransomware attacks is targeting VMware ESXi servers to deliver ransomware, warns France's CERT.

The French Computer Emergency Response Team (CERT-FR) warns that threat actors are targeting VMware ESXi servers to deploy ransomware.

CERT-FR reported that the threat actors behind these ransomware attacks are actively exploiting the CVE-2021-21974 vulnerability.

“OpenSLP as used in ESXi has a stack overflow vulnerability,” reads the advisory published by VMware. “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap overflow issue in the OpenSLP service, resulting in remote code execution.”

The vulnerability is an OpenSLP stack overflow flaw in VMware ESXi that attackers can exploit to remotely execute arbitrary code on vulnerable devices. The vulnerability affects the following systems:

  • Versions of ESXi 7.x earlier than ESXi70U1c-17325551
  • Versions of ESXi 6.7.x earlier than ESXi670-202102401-SG
  • Versions of ESXi 6.5.x earlier than ESXi650-202102101-SG

The virtualization giant addressed the CVE-2021-21974 bug in February 2021.

“On February 3, 2023, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them,” reads the alert published by CERT-FR. “In the current state of investigations, these attack campaigns appear to be exploiting the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to remotely exploit arbitrary code. Target systems currently would be ESXi hypervisors at version 6.x and earlier than 6.7.”

CERT-FR urges administrators to apply all available patches for the ESXi hypervisor; it also recommends performing a system scan for any indicators of compromise.

The CERT also recommends disabling the SLP service on ESXi hypervisors that have not been upgraded.

Ongoing ransomware attacks have also been reported by cloud service provider OVHcloud, which observed most of the attacks in Europe.

“A wave of attacks is currently targeting ESXi servers. No OVHcloud managed services are affected by this attack; however, since many customers use this operating system on their own servers, we are providing this post as a reference to help them remediate,” reads the report published by OVH. “These attacks are detected worldwide and especially in Europe.”

According to experts, some of the attacks were aimed at delivering the Nevada ransomware. Recently, researchers from cybersecurity firm Resecurity identified a new version of Nevada Ransomware that appeared on the Dark Web just before the start of 2023.

Around February 1, 2023, the group distributed an updated locker written in Rust to its affiliates that supports Windows, Linux, and ESXi; this programming language has become a trend among ransomware developers today (BlackCat, RansomExx2, Hive, Luna, Agenda).

However, BleepingComputer first reported that the attacks could be linked to a new family of ransomware, tracked by ID Ransomware's Michael Gillespie as ESXiArgs.

The ransomware targets files with the extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram on compromised ESXi hosts and creates a “.args” file containing metadata for each encrypted file.
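As an added example (not a tool from CERT-FR, OVHcloud or the article's author), the following Python script turns the two facts above into the "system scan for indicators of compromise" that CERT-FR recommends: it walks a datastore directory and flags every ".args" sidecar that sits next to a file with one of the five targeted VM extensions, noting whether the original file is still present. The sample directory tree it builds is constructed for the demonstration; the scan function can be pointed at a real path such as /vmfs/volumes instead.

```python
import os
import tempfile
from pathlib import Path

# File extensions the article reports ESXiArgs targets on a compromised host.
TARGET_EXTENSIONS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
# Suffix of the metadata sidecar the ransomware writes next to each encrypted file.
ARGS_SUFFIX = ".args"


def find_args_sidecars(root):
    """Scan a directory tree for ESXiArgs-style sidecars.

    Returns a sorted list of (args_path, original_path, original_present).
    A hit is a file named '<original>.args' where <original> carries one of
    the targeted VM extensions, e.g. 'vm01.vmdk.args'. The original may have
    been renamed or removed, so whether it still exists is recorded too.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        present = set(filenames)
        for name in filenames:
            if not name.endswith(ARGS_SUFFIX):
                continue
            original = name[: -len(ARGS_SUFFIX)]
            # Ignore '.args' files that are not paired with a VM artifact.
            if Path(original).suffix.lower() not in TARGET_EXTENSIONS:
                continue
            findings.append((os.path.join(dirpath, name),
                             os.path.join(dirpath, original),
                             original in present))
    return sorted(findings)


def scan_summary(root):
    """Compact report: [(sidecar basename, original still present), ...]."""
    return [(os.path.basename(args_path), present)
            for args_path, _original, present in find_args_sidecars(root)]


def build_sample_datastore():
    """Constructed sample tree (not real data) imitating one VM folder."""
    root = tempfile.mkdtemp(prefix="esxi-ioc-demo-")
    vm_dir = Path(root, "vm01")
    vm_dir.mkdir()
    for name in ("vm01.vmx", "vm01.vmx.args",      # encrypted config + sidecar
                 "vm01.vmdk", "vm01.vmdk.args",    # encrypted disk + sidecar
                 "vm01.nvram.args",                # sidecar whose original is gone
                 "vm01.log",                       # untouched, not a targeted extension
                 "notes.txt.args"):                # '.args' on a non-VM file: ignored
        (vm_dir / name).write_bytes(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_datastore()
    for args_path, original_path, present in find_args_sidecars(demo_root):
        state = "original present" if present else "original MISSING"
        print(f"IOC: {args_path} ({state})")
```

Three hits are expected from the sample tree; "notes.txt.args" is skipped because .txt is not one of the targeted extensions, and the .nvram sidecar is reported with its original missing. On a real host, any hit is grounds to isolate the system before touching the files, since the .args metadata is what recovery tooling reads.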

Pierluigi Paganini

(Security Affairs: hacking, VMware ESXi servers)