Headline
New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers
VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. “These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021,” the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an
Enterprise Security / Ransomware
VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems.
“These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021,” the Computer Emergency Response Team (CERT) of France said in an advisory on Friday.
VMware, in its own alert released at the time, described the issue as an OpenSLP heap-overflow vulnerability that could lead to the execution of arbitrary code.
“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” the virtualization services provider noted.
French cloud services provider OVHcloud said the attacks are being detected globally with a specific focus on Europe. It’s being suspected that the attacks are related to a new Rust-based ransomware strain called Nevada that emerged on the scene in December 2022.
Other ransomware families that are known to have embraced Rust in recent months include BlackCat, Hive, Luna, Nokoyawa, RansomExx, and Agenda.
“The actors are inviting both Russian- and English-speaking affiliates to collaborate with a big number of Initial Access Brokers (IABs) in [the] dark web,” Resecurity said last month.
“Notably, the group behind the Nevada Ransomware is also buying compromised access by themselves, the group has a dedicated team for post-exploitation, and for conducting network intrusions into the targets of interest.”
However, Bleeping Computer reports that the ransom notes seen in the attacks bear no similarities to Nevada ransomware, adding the strain is being tracked under the name ESXiArgs.
Users are recommended to upgrade to the latest version of ESXi to mitigate potential threats as well as restrict access to the OpenSLP service to trusted IP addresses.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so ...
Wide use and lack of support for malware detection technologies has made VMware's virtualization technology a prime target for cyberattackers.
It's not just Internet-accessible hosts that are vulnerable, researchers say.
Categories: News Categories: Ransomware Tags: ESXi Tags: ESXiArgs Tags: encryption routine The ransomware group behind the massive attack on ESXi Virtual Machines has come up with a new variant that can no longer be decrypted with the existing recovery script (Read more...) The post New ESXiArgs encryption routine outmaneuvers recovery methods appeared first on Malwarebytes Labs.
After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB
By Deeba Ahmed The recovery tool is available on GitHub for free. This is a post from HackRead.com Read the original post: CISA Offers Recovery Tool for ESXiArgs Ransomware Victims
The malware has affected thousands of VMware ESXi hypervisors in the last few days.
By Deeba Ahmed The refutation came days after Europe and North America were rattled by ESXiArgs Ransomware attacks. This is a post from HackRead.com Read the original post: VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks
The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.
VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware
The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: VMware Tags: ESXi Tags: Nevada Tags: ransomware Tags: Linux Tags: CVE-2021-21974 Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines. (Read more...) The post Two year old vulnerability used in ransomware attack against VMware ESXi appeared first on Malwarebytes Labs.
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.