Ransomware Attack on VMware ESXi Servers: How to Defend Yourself?
Posted: Wed Dec 04, 2024 10:13 am
The first weekend of February was marked by massive hacker attacks that first involved France, then extended their range of action to Canada, the United States, North America, Finland and even Italy.
This wave exploits an old vulnerability, CVE-2021-21974, which targets ESXi hypervisors, virtualization software installed directly on the physical server, and specifically the OpenSLP (Service Location Protocol) service listening on port 427.
The systems affected are the following:
ESXi 7.x versions prior to ESXi70U1c-17325551
ESXi 6.7.x versions prior to ESXi670-202102401-SG
ESXi 6.5.x versions prior to ESXi650-202102101-SG
VMware Cloud Foundation (ESXi) 3.x
VMware Cloud Foundation (ESXi) 4.x
The ransomware in question, dubbed ESXiArgs, exploits a "heap buffer overflow" issue in the SLP service that could allow remote code execution on servers, and specifically targets .vmxf, .vmx, .vmdk, .vmsd, and .nvram files.
Even though this was a known vulnerability and the vendor had already released a patch for it in 2021, servers that had not implemented the security update were still exposed to new intrusions all this time.
According to La Repubblica, 19 servers spread across Italy were attacked (for a total of 300 across Europe), mostly managed by small and medium-sized enterprises operating in non-critical sectors.
Table of Contents:
What to do?
Cybersecurity First
What to do?
Regarding this attack campaign, the Italian CSIRT (Computer Security Incident Response Team) reported what was published in the security advisory of the French Computer Emergency Response Team (CERT-FR), which invites you to follow the instructions provided by VMware at this link: www.vmware.com/security/advisories/VMSA-2021-0002.html
In summary, it is recommended to disable the SLP service on ESXi hypervisors that have not been updated and to proceed with applying all available patches. At the same time, it is recommended to perform a system scan to identify any compromises, because the attacker may already have exploited the vulnerability and subsequently deleted the malicious code, so a patched host is not necessarily a clean host.
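As an added example (not part of the original post or of VMware's advisory), the script below shows the two checks a defender would run in the ESXi shell: compare the host's build against the patched 7.x build named above (ESXi70U1c-17325551, build 17325551), and disable the SLP service using the `/etc/init.d/slpd`, `esxcli network firewall ruleset` and `chkconfig` commands from VMware's guidance. The fixed build numbers for 6.7 and 6.5 are not given on this page (only the patch IDs ESXi670-202102401-SG and ESXi650-202102101-SG), so the classifier reports "unknown" for those branches until you fill them in from VMSA-2021-0002. The `esxi_slp_status` and `parse_build` functions are pure and can be exercised off-host; the remaining functions assume the busybox ash shell of an ESXi host and root privileges.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the ESXi shell (busybox ash),
# run as root on the host. Only the 7.x fixed build (17325551) is taken from the text;
# the 6.7/6.5 fixed builds are placeholders to be filled from VMSA-2021-0002.

# Turn "Releasebuild-17325551" (as printed by `esxcli system version get`) into 17325551.
parse_build() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Pure classifier: given "major.minor.patch" and a numeric build, print
# "vulnerable", "patched" or "unknown" (unknown = fixed build not on this page).
esxi_slp_status() {
    version="$1"; build="$2"
    case "$version" in
        7.*)
            # ESXi70U1c-17325551: any 7.x build below 17325551 is affected.
            if [ "$build" -lt 17325551 ]; then echo vulnerable; else echo patched; fi ;;
        6.7*|6.5*)
            # Fixed builds for ESXi670-202102401-SG / ESXi650-202102101-SG: look them
            # up in the VMSA before relying on this branch.
            echo unknown ;;
        *)
            echo unknown ;;
    esac
}

# Live check: read version and build from the host and classify it.
host_slp_status() {
    ver=$(esxcli system version get | awk '/^ *Version:/ {print $2}')
    raw=$(esxcli system version get | awk '/^ *Build:/ {print $2}')
    esxi_slp_status "$ver" "$(parse_build "$raw")"
}

# Disable SLP as an interim mitigation on hosts that cannot be patched immediately:
# stop the daemon, close the firewall ruleset for it, and keep it off across reboots.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Verify the mitigation: service off, ruleset disabled, nothing listening on 427.
verify_slp_disabled() {
    chkconfig --list | grep slpd                          # expect "slpd  off"
    esxcli network firewall ruleset list | grep CIMSLP    # expect "CIMSLP  false"
    listeners=$(esxcli network ip connection list | grep -c ':427 ')
    [ "$listeners" -eq 0 ] && echo "no listener on 427" || echo "port 427 still open"
}

# Usage on the host (not run here):
#   host_slp_status        -> vulnerable | patched | unknown
#   disable_slp && verify_slp_disabled
```

Disabling SLP removes the CIM service-discovery channel that some hardware-monitoring agents rely on, so confirm nothing in your monitoring stack depends on it before running `disable_slp` fleet-wide. The status check only tells you whether the host is still exposed; as the text says, a patched host may already have been compromised, so it does not replace the compromise scan.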