Administrators, hosting providers, and the French Computer Emergency Response Team (CERT-FR) have warned that attackers are actively targeting VMware ESXi servers that have not been patched against a two-year-old remote code execution vulnerability in order to deploy ransomware. The flaw, tracked as CVE-2021-21974, is a heap overflow in the OpenSLP service that unauthenticated threat actors can exploit in low-complexity attacks. The attack campaigns are believed to be exploiting CVE-2021-21974, for which a patch has been available since 23 February 2021.

The systems being targeted are ESXi hypervisors in version 6.x and prior to 6.7. To protect against incoming attacks, administrators must disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that have not yet been updated. CERT-FR strongly recommends applying the patch as soon as possible, but also advises that systems that were left unpatched be scanned for signs of compromise.

OVHcloud, a French cloud provider, has also released a report linking this wave of attacks on VMware ESXi servers to the Nevada ransomware operation. Experts and authorities believe that CVE-2021-21974 is being used as the compromise vector; investigations are still ongoing to confirm this. The attacks primarily target ESXi servers running versions before 7.0 U3i, through the OpenSLP port.

Victims have reported finding ransom notes named Ransom.html and How to Restore Your Files.html on their locked systems. Michael Gillespie of ID Ransomware is currently tracking the ransomware under the name ESXiArgs, but has stated that until a sample is found it is impossible to determine whether the encryption has any weaknesses. BleepingComputer has a dedicated support topic where people are reporting their experiences with this attack.
If anyone has new information or a copy of the malware, they are encouraged to let researchers know so that it can be analyzed for weaknesses.
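The two defensive steps above, checking whether an unpatched host still exposes the OpenSLP service and scanning for signs of compromise, as an added triage script that is not part of the article or any vendor tool. It assumes OpenSLP's default TCP port 427 and uses the ransom-note file names victims reported; the host name and datastore path in the usage block are constructed placeholders.

```python
"""Added example (not from the article): a defender-side checker for the
ESXiArgs indicators the article describes. It (1) tests whether a host still
exposes the OpenSLP service on TCP/427, which is what CERT-FR advises
disabling on unpatched hosts, and (2) walks a datastore path looking for the
ransom-note file names victims reported. Host names, paths and the port
default are assumptions; the note names come from the article."""
import os
import socket

# Ransom-note names reported by victims (from the article).
RANSOM_NOTE_NAMES = {"Ransom.html", "How to Restore Your Files.html"}
SLP_PORT = 427  # assumed OpenSLP default port, the service CVE-2021-21974 lives in


def slp_port_open(host: str, port: int = SLP_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds (service reachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_ransom_notes(root: str) -> list[str]:
    """Recursively list files under root whose name matches a known ransom note."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name in RANSOM_NOTE_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def assess(host: str, datastore_root: str) -> dict:
    """Combine both checks into a small triage verdict for one host."""
    notes = find_ransom_notes(datastore_root)
    exposed = slp_port_open(host)
    if notes:
        verdict = "ransom notes present: treat host as compromised, isolate and investigate"
    elif exposed:
        verdict = "SLP reachable: patch, or stop the SLP service and block TCP/427 until patched"
    else:
        verdict = "no indicators found"
    return {"host": host, "slp_reachable": exposed, "ransom_notes": notes, "verdict": verdict}


if __name__ == "__main__":
    # Placeholder target and path; replace with a real host and datastore mount.
    print(assess("esxi-host.example.invalid", "/vmfs/volumes"))
```

Run it from a management host with the datastore mounted; a host that reports SLP reachable and no notes is still exposed and should be patched or have SLP disabled before it is returned to service.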
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 03 Feb 2023 19:21:02 +0000