Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals taking advantage of a two-year-old vulnerability in VMware's virtualization services in a ransomware campaign. French CERT reported that the campaign has been active since February 3rd, 2023, and Italy's ACN warned of a large-scale ransomware attack targeting thousands of organizations in Europe and North America. It was also said that VMware's ESXi servers were vulnerable because they had not been patched against a remotely exploitable flaw discovered in 2021. Attackers were able to access the servers and deploy a ransomware variant called ESXiArgs. ESXi is VMware's hypervisor technology, which allows organizations to host multiple virtualized computers running multiple operating systems on a single physical server. The vulnerability is tracked as CVE-2021-21974 and has a CVSS rating of 8.8. It is a heap-based buffer overflow in OpenSLP, which an unauthorized actor can exploit to gain remote code execution. VMware released a fix for it on February 23, 2021. On Monday, VMware denied the news, stating that it could not find any evidence that threat actors were using a zero-day in its software in a worldwide active ransomware campaign. Hawkins wrote in a blog post that most reports indicate that End of General Support and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories. The company has advised its customers to upgrade to the latest release of its vSphere components to mitigate the threat. Additionally, VMware recommends disabling the OpenSLP service in ESXi; the service has been disabled by default since ESXi 7.0 U2c and ESXi 8.0 GA, shipped in 2021.
According to GreyNoise data, 19 unique IP addresses have attempted to exploit the ESXi vulnerability since February 4, 2023. Eighteen of those IP addresses were classified as benign, while one instance of malicious exploitation of the issue was reported in the Netherlands. The intrusion involved exploiting already-susceptible ESXi servers that were exposed to the internet on the OpenSLP port 427. The victims were asked to pay 2.01 Bitcoin, or $45,990, in exchange for the encryption key for file recovery. There are no reports of data exfiltration. The U.S. CISA is investigating the ESXiArgs campaign. According to the agency's spokesperson, it has collaborated with private and public sector partners to analyze the impact of the reported incidents and offer assistance where needed. The spokesperson also said that any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.
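The two mitigations the article relays, patching CVE-2021-21974 and disabling the OpenSLP service so that nothing listens on port 427, translate directly into an inventory triage: which hosts still run slpd, which of those are reachable on 427 from untrusted networks, and which are unpatched. The script below is an added example and is not code from the article, from VMware or from any of the agencies mentioned. The inventory records are constructed sample data, the field names are assumptions about what your patch records and external scan would give you, and the three remediation commands are the ones VMware documents for stopping and disabling slpd on an ESXi host (my knowledge, not taken from the article).

```python
"""Triage an ESXi fleet for OpenSLP exposure (CVE-2021-21974 attack surface).

Added example, not the article's or VMware's code. Inventory records below are
constructed sample data; the EsxiHost fields are assumptions about what a
patch-management export and an external port scan would provide.
"""
from dataclasses import dataclass, field

# OpenSLP listens on 427; the article reports the ESXiArgs intrusion hit
# ESXi servers exposed to the internet on exactly this port.
OPENSLP_PORT = 427

# Commands VMware documents for disabling OpenSLP on an ESXi host
# (from my knowledge of VMware's guidance, not from the article).
DISABLE_SLP_COMMANDS = (
    "/etc/init.d/slpd stop",                               # stop the running service
    "esxcli network firewall ruleset set -r CIMSLP -e 0",  # close the firewall rule
    "chkconfig slpd off",                                  # keep it off across reboots
)

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


@dataclass(frozen=True)
class EsxiHost:
    name: str
    slp_service_enabled: bool         # slpd running / enabled on the host (assumed field)
    patched_cve_2021_21974: bool      # VMSA fix from Feb 23, 2021 applied (assumed field)
    exposed_ports: frozenset = field(default_factory=frozenset)  # ports reachable from untrusted networks


def classify(host: EsxiHost) -> tuple[str, str]:
    """Return (severity, reason) for one host, from the defender's point of view."""
    if not host.slp_service_enabled:
        # Nothing listening on 427: the vulnerable code path is not reachable.
        return "LOW", "OpenSLP disabled"
    exposed = OPENSLP_PORT in host.exposed_ports
    if exposed and not host.patched_cve_2021_21974:
        return "CRITICAL", "unpatched OpenSLP reachable on port 427"
    if exposed:
        return "HIGH", "patched, but OpenSLP is still reachable on port 427; disable the service"
    if not host.patched_cve_2021_21974:
        return "MEDIUM", "unpatched OpenSLP, not exposed to untrusted networks"
    return "LOW", "OpenSLP enabled but patched and not exposed"


def triage(hosts) -> list[tuple[str, str, str]]:
    """Rank all hosts worst-first: (name, severity, reason)."""
    rows = [(h.name, *classify(h)) for h in hosts]
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r[1]], r[0]))


def remediation_plan(hosts) -> dict[str, list[str]]:
    """Hosts that still run slpd, each mapped to the commands that disable it."""
    return {h.name: list(DISABLE_SLP_COMMANDS) for h in hosts if h.slp_service_enabled}


# Constructed sample inventory (host names and states are made up).
SAMPLE_INVENTORY = [
    EsxiHost("esx-dmz-01", True, False, frozenset({427, 443})),   # worst case
    EsxiHost("esx-dmz-02", True, True, frozenset({427})),         # patched but exposed
    EsxiHost("esx-lab-01", True, False, frozenset()),             # unpatched, internal only
    EsxiHost("esx-prod-01", False, True, frozenset({443})),       # slpd already off
    EsxiHost("esx-prod-02", True, True, frozenset({443})),        # patched, not exposed
]

if __name__ == "__main__":
    for name, severity, reason in triage(SAMPLE_INVENTORY):
        print(f"{severity:8} {name}: {reason}")
    for name, commands in remediation_plan(SAMPLE_INVENTORY).items():
        print(f"{name}: {' && '.join(commands)}")
```

The ranking deliberately keeps a patched-but-exposed host at HIGH rather than LOW: the article's point is that VMware recommends removing the OpenSLP listener altogether, so a host that is merely patched still has an unnecessary internet-facing service that the next advisory could affect.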
This Cyber News was published on www.hackread.com. Publication date: Wed, 08 Feb 2023 15:16:02 +0000