VMware said on Monday that there is no evidence attackers are using an unknown security flaw (a zero-day) in its software as part of a ransomware attack. Most reports indicate that the targets are outdated products with known vulnerabilities that have already been addressed and disclosed in VMware Security Advisories. The company recommends that users upgrade to the latest available supported releases of vSphere components to address known issues, and that they disable the OpenSLP service in ESXi; ESXi 7.0 U2c and ESXi 8.0 GA ship with the service disabled by default.

The announcement comes as unpatched and unsecured VMware ESXi servers are being targeted in a ransomware campaign called ESXiArgs, which is likely exploiting a two-year-old bug that VMware patched in February 2021. The vulnerability, tracked as CVE-2021-21974, is a heap-based buffer overflow in OpenSLP that an unauthenticated threat actor can exploit to gain remote code execution. The intrusions appear to target ESXi servers exposed to the internet on OpenSLP port 427, with victims asked to pay 2.01 Bitcoin to receive the encryption key needed to recover their files.

Data from GreyNoise shows that 19 unique IP addresses have attempted to exploit the ESXi vulnerability since February 4, 2023. 18 of the 19 are classified as benign, with one malicious exploitation attempt recorded from the Netherlands.

Rapid7 researcher Caitlin Condon advised ESXi customers to make sure their data is backed up and to update their ESXi installations to a fixed version as soon as possible, rather than waiting for a regular patch cycle. ESXi instances should also not be exposed to the internet if at all possible.
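A host-side check for the OpenSLP mitigation described above, as an added example that is not code from the article or from VMware. It assumes an ESXi shell in which `esxcli network firewall ruleset list` prints a `CIMSLP` row with a true/false `Enabled` column and `chkconfig slpd` prints the service name followed by `on` or `off`; the parsing functions run offline on captured output, so the verdict logic can be checked without an ESXi host.

```shell
#!/bin/sh
# Added audit helper for the ESXi OpenSLP exposure discussed above (not the
# article's or VMware's code). Command names follow VMware's published SLP
# hardening guidance as assumed here; confirm them on your ESXi release.

# Does `esxcli network firewall ruleset list` output show the CIMSLP ruleset
# (TCP/UDP 427) enabled? Argument: the captured listing as one string.
cimslp_enabled() {
    printf '%s\n' "$1" |
        awk '$1 == "CIMSLP" && $2 == "true" { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Is slpd set to run? Argument: the captured `chkconfig slpd` line, which is
# assumed to read "slpd   on" or "slpd   off".
slpd_on() {
    printf '%s\n' "$1" |
        awk '$1 == "slpd" && $2 == "on" { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# One verdict from both facts. "exposed" means port 427 is open and the
# service is running, i.e. the CVE-2021-21974 attack surface is present on
# any interface the host is reachable from.
slp_state() {
    if cimslp_enabled "$1"; then
        if slpd_on "$2"; then echo exposed; else echo port-open-service-off; fi
    else
        if slpd_on "$2"; then echo firewalled; else echo disabled; fi
    fi
}

# Run on a live host: collect the two outputs and print the verdict.
# Returns 2 (and prints nothing) when not in an ESXi shell.
audit_live_host() {
    command -v esxcli >/dev/null 2>&1 || return 2
    slp_state "$(esxcli network firewall ruleset list)" "$(chkconfig slpd)"
}

# Apply VMware's mitigation: stop slpd, close the firewall ruleset, and keep
# slpd off across reboots. Only meaningful on an ESXi host.
disable_slp() {
    /etc/init.d/slpd stop &&
        esxcli network firewall ruleset set -r CIMSLP -e 0 &&
        chkconfig slpd off
}
```

On a host that reports `exposed`, upgrading to a fixed release removes the bug itself; `disable_slp` only removes the service from the network until that upgrade happens.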
This Cyber News was published on thehackernews.com. Publication date: Tue, 07 Feb 2023 11:54:02 +0000