A two-year-old vulnerability in VMware ESXi servers is reportedly under mass-exploitation by a ransomware threat actor, and more than 1,000 VMware ESXI severs have been compromised.
According to cybersecurity firm Blackberry, the new ransomware, ESXiArgs, is targeting unpatched VMware ESXi servers connected to the internet, leveraging a remote code execution bug from 2021 to cause a heap overflow in the OpenSLP service.
The threat actor is targeting victims globally, with much of the activity centered on North America and Europe, the firm’s researchers say in a blog.
French cybersecurity authorities issued an advisory late last week, saying they became aware of attack campaigns targeting unpatched VMware ESXi hypervisors with the goal of deploying ransomware. The SLP service in particular seems to be the target. The service was the subject of several patches in recent years, and vulnerabilities could allow an attacker to remotely exploit arbitrary code, according to CERT-FR.
The systems currently targeted include ESXi hypervisors in version 6.x and prior to 6.7, but CERT-FR says vulnerabilities affecting SLP concern these systems:
- ESXi 7.x versions earlier than ESXi70U1c-17325551
- ESXi versions 6.7.x earlier than ESXi670-202102401-SG
- ESXi versions 6.5.x earlier than ESXi650-202102101-SG
Once servers are compromised, a shell scrip is used to execute the encryptor and deliver the ransom note, with a requested amount for about $480,000 worth of Bitcoin.
The vulnerability being exploited in this ransomware campaign is tracked as CVE-2021-21974, a critical-rated remote code execution bug that VMware patched in 2021.
A spokesperson from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says the agency is working with public and private sector partners to assess the impacts of the reported incidents and provide assistance where needed.
“Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI,” the spokesperson says. “Organizations should continue taking urgent steps to reduce the risk of ransomware incidents, including by adopting the guidance on stopransomware.gov and implementing basic cyber hygiene such as multi-factor authentication, which can drastically reduce your risk of being hacked.”
VMware’s guidance
In its own update on the matter, VMware says it is aware of the exploits and ransomware attacks and that it has not found evidence of another undisclosed vulnerability being exploited.
To protect against exploitation, VMware suggests customers upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. The company also recommends disabling the OpenSLP service in ESXi. The says it began in 2021 shipping ESXi 7.0 U2c and ESXi 8.0 GA with the service disabled by default.
Prioritize security and safety over convenience and patch your systems
At the time of VMware’s advisory on the vulnerability in late February 2021, the bug wasn’t under active exploitation. That has changed nearly two years later, which is an alarming testament to the patching practices of many organizations, says Bernard Montel, EMEA technical director and security strategist at vulnerability management software provider Tenable.
“The sad truth is that we often see known vulnerabilities, with an exploit available, left unpatched,” Montel says. “This puts organizations at incredible jeopardy of being successfully penetrated. In this case, with the two-year old VMWare vulnerability, the threat is immense given the active exploitation.”
According to Montel, virtualization is critical to most organizations’ cloud strategy, with the hypervisor representing a big target for attackers.
“If threat actors are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection,” Montel says.
Perhaps leading to these systems remaining unpatched for nearly two years is an evaluation of uptime versus security. Threat actors prioritize vulnerabilities impacting popular software that can help them spread ransomware, including VMware and other widely-used tools such as ManageEngine, Exchange, Print Spooler and more.
“Threat actors target these flaws knowing they can abuse admin rights to traverse the network and inflict damage, even holding sensitive information systems and data to ransom,” Montel says. “For business continuity, its imperative security teams determine how to address exploited vulnerabilities while minimizing the impact to the organization instead of leaving known flaws unaddressed.”
Barmak Meftah, co-founder and general partner of Ballistic Ventures, a venture capital firm dedicated to early-stage funding for cybersecurity firms, and the former president of AT&T Cybersecurity, says organizations should shift from preventing ransomware to making ransomware obsolete by implementing disaster recovery plans and context-switched data.
However, he also stresses how patching systems–especially for critical vulnerabilities like the one being exploited here–is the first step.
“The importance of simple patch management cannot be overstated. Unpatched vulnerabilities can have dire consequences — threat actors prove this over and over, and we’re seeing the fallout plainly with this attack,” Meftah says. “Companies that have been impacted are now wrestling with the question of whether to pay the ransom. Those organizations without appropriate mitigating measures should consult a breach response company immediately.”
