VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks
By Deeba Ahmed (HackRead.com)
The refutation came days after Europe and North America were rattled by ESXiArgs ransomware attacks.
Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has refuted claims that two-year-old vulnerabilities have been exploited in the ongoing ESXiArgs ransomware attacks.
Over the weekend, reports emerged about cybercriminals exploiting a two-year-old vulnerability in software from virtualization provider VMware in a ransomware campaign. France's CERT (Computer Emergency Response Team) said the campaign has been active since February 3rd, 2023.
Moreover, Italy’s ACN (National Cybersecurity Agency) issued a warning about a large-scale ransomware campaign. The agency noted that attackers were aiming to target thousands of organizations across Europe and North America.
It was also reported that VMware's ESXi servers were vulnerable because they had not been patched against a remotely exploitable flaw discovered in 2021. Attackers compromised the servers and deployed a ransomware variant called ESXiArgs.
For your information, ESXi is VMware’s hypervisor technology, which allows organizations to host multiple virtualized computers running multiple operating systems on a single physical server.
The vulnerability is tracked as CVE-2021-21974 and assigned a CVSS rating of 8.8. It is an OpenSLP heap-based buffer overflow flaw, which an unauthorized actor can exploit to gain remote code execution. A fix for it was released on February 23, 2021, by VMware.
However, on Monday, VMware denied the news and stated they could not find any evidence that threat actors were trying to leverage a zero-day in its software in a worldwide active ransomware campaign.
“Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” said Edward Hawkins, the High-Profile Product Incident Response Manager at VMware in a blog post.
The company has advised its customers to upgrade to the latest release of its vSphere components to mitigate the threat. Furthermore, the company recommends disabling the OpenSLP service in ESXi. It is worth noting that the service was disabled by default in ESXi 7.0 U2c and ESXi 8.0 GA, shipped in 2021.
According to GreyNoise data, 19 unique IP addresses have attempted to exploit the ESXi vulnerability since February 4, 2023. Eighteen IP addresses were classified as benign, whereas one instance of malicious exploitation of the issue was reported in the Netherlands.
The intrusions exploited unpatched ESXi servers that were exposed to the internet on the OpenSLP port, 427. The victims were asked to pay 2.01 Bitcoin (about $45,990) in exchange for the encryption key for file recovery. So far, there are no reports of data exfiltration.
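The two concrete defensive facts in the article are that the affected hosts were reachable from the internet on OpenSLP port 427 and that VMware's mitigation is to patch and disable the SLP service. The following is an added example (not code from HackRead, VMware or GreyNoise) that turns those facts into a triage check: it reads firewall or connection log lines, keeps accepted connections to port 427 whose source is not in an internal range, and lists the ESXi hosts that should be patched and have SLP disabled. The log line format, the `ALLOW`/`DENY` actions and all addresses are constructed for the example; adapt `LINE_RE` to the real log source. A hit means exposure, not necessarily exploitation.

```python
"""Triage firewall/connection logs for internet-facing OpenSLP (port 427).

Added example, not from the HackRead article or VMware. The log format
below is a constructed, hypothetical one; adapt LINE_RE to the real source.
"""
import ipaddress
import re
from dataclasses import dataclass

SLP_PORT = 427  # OpenSLP port named in the article and the CVE description

# Networks treated as "internal" for triage (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2023-02-04T10:01:12Z ALLOW proto=tcp src=203.0.113.45:51234 dst=192.0.2.10:427
2023-02-04T10:01:15Z ALLOW proto=tcp src=10.20.30.40:44812 dst=192.0.2.10:427
2023-02-04T10:02:01Z ALLOW proto=tcp src=198.51.100.7:60002 dst=192.0.2.10:443
2023-02-04T10:02:40Z DENY proto=udp src=203.0.113.45:5353 dst=192.0.2.10:427
2023-02-04T10:03:11Z ALLOW proto=udp src=198.51.100.9:42101 dst=192.0.2.11:427
"""

# Hypothetical line layout: "<ts> <ALLOW|DENY> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>tcp|udp) "
    r"src=(?P<sip>[0-9.]+):(?P<sport>\d+) dst=(?P<dip>[0-9.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    proto: str
    src: str
    dst: str


def is_internal(ip: str) -> bool:
    """True if ip falls in a network we consider internal for triage."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_slp_hits(log_text: str, allowlist=()) -> list:
    """Return accepted connections to port 427 from non-internal sources.

    Lines that do not parse are skipped rather than raising, so a single
    malformed line does not abort triage of the rest of the file. Sources
    in `allowlist` (e.g. an authorised scanner) are ignored.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue
        if int(m["dport"]) != SLP_PORT:
            continue
        if m["sip"] in allowlist or is_internal(m["sip"]):
            continue
        findings.append(Finding(m["ts"], m["proto"], m["sip"], m["dip"]))
    return findings


def exposed_hosts(findings) -> list:
    """Distinct hosts that accepted external SLP traffic, sorted."""
    return sorted({f.dst for f in findings})


if __name__ == "__main__":
    hits = find_external_slp_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.proto} {h.src} -> {h.dst}:{SLP_PORT}")
    print("hosts to review (patch, then disable slpd):", exposed_hosts(hits))
```

On the constructed sample, the internal source and the port 443 connection are ignored, the denied UDP probe is not counted as exposure, and two hosts remain for review. The same filter can be pointed at the output of a perimeter flow export to confirm that port 427 is no longer reachable once SLP has been disabled on each host.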
The alleged ESXiArgs ransomware (Source: DarkFeed)
The U.S. CISA is investigating the ESXiArgs campaign. According to the agency’s spokesperson, they have collaborated with private and public sector partners to analyze the impact of the reported incidents and offer assistance where required.
“Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI,” they added.
Related news
- Shipping Software Hit by Ransomware Attack
- Royal Ransomware Spreading Through Google Ads
- COVID-19 Tracking App Drops Punisher Ransomware
- Ransomware Gang Leaks Medibank Data on Dark Web
- US Charges Iranian Hackers Over Ransomware Attacks
Crafty bad actors can infect all of an organization's virtual machines at once, rendering tier-one applications useless.
Wide use and lack of support for malware detection technologies has made VMware's virtualization technology a prime target for cyberattackers.
It's not just Internet-accessible hosts that are vulnerable, researchers say.
New ESXiArgs encryption routine outmaneuvers recovery methods (Malwarebytes Labs): The ransomware group behind the massive attack on ESXi virtual machines has come up with a new variant that can no longer be decrypted with the existing recovery script.
After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB
CISA Offers Recovery Tool for ESXiArgs Ransomware Victims (HackRead.com, by Deeba Ahmed): The recovery tool is available on GitHub for free.
The malware has affected thousands of VMware ESXi hypervisors in the last few days.
The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.
VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware
The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.
Two year old vulnerability used in ransomware attack against VMware ESXi (Malwarebytes Labs): Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines.
VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.