8.8 High
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5.8 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:L/Au:N/C:P/I:P/A:P
VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide.
βMost reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),β the virtualization services provider said.
The company is further recommending users to upgrade to the latest available supported releases of vSphere components to mitigate known issues and disable the OpenSLP service in ESXi.
βIn 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default,β VMware added.
The announcement comes as unpatched and unsecured VMware ESXi servers around the world have been targeted in a large-scale ransomware campaign dubbed ESXiArgs by likely exploiting a two-year-old bug VMware patched in February 2021.
The vulnerability, tracked as CVE-2021-21974 (CVSS score: 8.8), is an OpenSLP heap-based buffer overflow vulnerability that an unauthenticated threat actor can exploit to gain remote code execution.
The intrusions appear to single out susceptible ESXi servers that are exposed to the internet on OpenSLP port 427, with the victims instructed to pay 2.01 Bitcoin (about $45,990 as of writing) to receive the encryption key needed to recover files. No data exfiltration has been observed to date.
Data from GreyNoise shows that 19 unique IP addresses have been attempting to exploit the ESXi vulnerability since February 4, 2023. 18 of the 19 IP addresses are classified as benign, with one sole malicious exploitation recorded from the Netherlands.
βESXi customers should ensure their data is backed up and should update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur,β Rapid7 researcher Caitlin Condon said. βESXi instances should not be exposed to the internet if at all possible.β
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. βThe ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable,β noted the agency.
CISA has also released an advisory, warning that threat actors are βexploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware.β Over 3,800 servers across the globe have been compromised to date.
The identity of the adversaries behind the campaign is unclear, and it appears that the attacks are taking advantage of several high-profile OpenSLP vulnerabilities in ESXi for obtaining initial access.
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.
8.8 High
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5.8 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:L/Au:N/C:P/I:P/A:P