VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree
Endpoint Security / Zero-Day
VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide.
“Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” the virtualization services provider said.
The company further recommends that users upgrade to the latest available supported releases of vSphere components to mitigate known issues, and that they disable the OpenSLP service in ESXi.
“In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default,” VMware added.
The announcement comes as unpatched and unsecured VMware ESXi servers around the world have been targeted in a large-scale ransomware campaign dubbed ESXiArgs, likely through exploitation of a two-year-old bug that VMware patched in February 2021.
The vulnerability, tracked as CVE-2021-21974 (CVSS score: 8.8), is an OpenSLP heap-based buffer overflow vulnerability that an unauthenticated threat actor can exploit to gain remote code execution.
The intrusions appear to single out susceptible ESXi servers that are exposed to the internet on OpenSLP port 427, with the victims instructed to pay 2.01 Bitcoin (about $45,990 as of writing) to receive the encryption key needed to recover files. No data exfiltration has been observed to date.
Data from GreyNoise shows that 19 unique IP addresses have been attempting to exploit the ESXi vulnerability since February 4, 2023. 18 of the 19 IP addresses are classified as benign, with one sole malicious exploitation recorded from the Netherlands.
“ESXi customers should ensure their data is backed up and should update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur,” Rapid7 researcher Caitlin Condon said. “ESXi instances should not be exposed to the internet if at all possible.”
Related news
Crafty bad actors can infect all of an organization's virtual machines at once, rendering tier-one applications useless.
gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:
- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser
The unbounded CPU consumption is down to a copy that occurred per input block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs:
- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so ...
Wide use and lack of support for malware detection technologies has made VMware's virtualization technology a prime target for cyberattackers.
It's not just Internet-accessible hosts that are vulnerable, researchers say.
The ransomware group behind the massive attack on ESXi Virtual Machines has come up with a new variant that can no longer be decrypted with the existing recovery script. The post New ESXiArgs encryption routine outmaneuvers recovery methods appeared first on Malwarebytes Labs.
After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB
By Deeba Ahmed. The recovery tool is available on GitHub for free. This is a post from HackRead.com. Read the original post: CISA Offers Recovery Tool for ESXiArgs Ransomware Victims
The malware has affected thousands of VMware ESXi hypervisors in the last few days.
By Deeba Ahmed. The refutation came days after Europe and North America were rattled by ESXiArgs Ransomware attacks. This is a post from HackRead.com. Read the original post: VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks
The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.
The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.
Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines. The post Two year old vulnerability used in ransomware attack against VMware ESXi appeared first on Malwarebytes Labs.
VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
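The fix levels in the CVE-2021-21974 description above, together with VMware's advice to disable OpenSLP, can be turned into a per-host triage check. This is an added example, not code from the article or from VMware; the function names, host names and sample build numbers are constructed, and the input is assumed to be the captured text of `esxcli system version get` and `/etc/init.d/slpd status`.

```python
import re

# Fix levels as given in the CVE-2021-21974 description on this page. Only the
# 7.0 fix carries a build number there; 6.7 and 6.5 are named by patch bulletin.
FIXED_BUILD = {"7.0": 17325551}
FIXED_BULLETIN = {"6.7": "ESXi670-202102401-SG", "6.5": "ESXi650-202102101-SG"}

def parse_version(text):
    """Return (release line, build number) from `esxcli system version get` output."""
    version = re.search(r"^\s*Version:\s*(\d+\.\d+)", text, re.M)
    build = re.search(r"^\s*Build:\s*\D*(\d+)", text, re.M)
    if not version or not build:
        raise ValueError("unrecognised version output")
    return version.group(1), int(build.group(1))

def triage(version_text, slpd_status):
    """Classify one host from its version output and `/etc/init.d/slpd status` line."""
    line, build = parse_version(version_text)
    running = "is running" in slpd_status  # assumed wording of the status line
    if line in FIXED_BUILD:
        patch = "patched" if build >= FIXED_BUILD[line] else "vulnerable"
    elif line in FIXED_BULLETIN:
        # No build number on the page for this line: the bulletin must be checked by hand.
        patch = "confirm bulletin " + FIXED_BULLETIN[line]
    else:
        patch = "not in affected list"
    actions = []
    if patch == "vulnerable":
        actions.append("upgrade")
    elif patch.startswith("confirm"):
        actions.append("verify patch level")
    if running:
        actions.append("disable slpd")
    return {"line": line, "build": build, "patch": patch, "actions": actions}

# Constructed sample captures (host names and build numbers are made up).
HOSTS = {
    "esx-a": ("Version: 7.0.1\nBuild: Releasebuild-16000000", "slpd is running"),
    "esx-b": ("Version: 7.0.3\nBuild: Releasebuild-19000000", "slpd is not running"),
    "esx-c": ("Version: 6.7.0\nBuild: Releasebuild-15000000", "slpd is running"),
}

def report():
    """Triage every sample host and return the results keyed by host name."""
    return {name: triage(*capture) for name, capture in HOSTS.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result["patch"], result["actions"])
```

A host that is "not in affected list" is only outside the versions named on this page; a running slpd is still flagged because VMware recommends disabling the service regardless.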