Recently, a large-scale ransomware campaign has been targeting unpatched and unprotected VMware ESXi servers around the world. The campaign, known as ESXiArgs, exploits CVE-2021-21974, a vulnerability that VMware patched in February 2021. The flaw allows an attacker with access to port 427 on the same network segment as the ESXi server to trigger a heap overflow in the OpenSLP service, resulting in remote code execution. After the patches were released, proof-of-concept code and technical details were made public, but there were no reports of the vulnerability being exploited in the wild.

The ransomware encrypts files associated with virtual machines, including files with the .vmem extension, and targets vulnerable ESXi servers exposed to the internet on port 427. It does not appear to have file exfiltration capabilities, but victims are instructed to pay 2 bitcoins to receive the encryption key needed to recover their files. Government agencies in the US and Europe are looking into the attacks and assessing their impact. While threat actors are increasingly targeting ESXi servers, exploitation of ESXi vulnerabilities is still rare.
This Cyber News was published on www.securityweek.com. Publication date: Mon, 06 Feb 2023 11:54:03 +0000