Mass VMware ESXi ransomware attacks target CVE-2021-21974


Security researchers are reporting an explosion in compromises of VMware ESXi hypervisors, with over 500 machines hit by ransomware this weekend — the automated attacks exploiting CVE-2021-21974.

As The Stack reported, some 20 ESXi machines were reportedly being ransomed every hour, with Shodan data showing that the majority were hosted by OVHcloud, but the blast radius was expanding rapidly.

Customers in France initially appeared to be worst-affected, and the country’s CERT-FR was among the first to publish an advisory. The semi-automated attacks may be targeting unpatched and internet-exposed instances using CVE-2021-21974, a heap overflow in the VMware ESXi OpenSLP service that leads to remote code execution, CERT-FR suggested.

Whilst VMware’s initial 2021 advisory for the vulnerability said that it affects ESXi versions 7.0, 6.7 and 6.5, the attacks also appear to be hitting earlier builds; some debate also continues as to whether CVE-2021-21974 is the sole mechanism by which exploitation is happening.

Admins should ensure unpatched ESXi servers are firewalled, with no ports exposed. VMware’s earlier mitigation for the vulnerability urged users to:

1. Log in to the ESXi host using an SSH session (for example with PuTTY).
2. Stop the SLP service on the ESXi host with this command: /etc/init.d/slpd stop (nb: the SLP service can only be stopped when it is not in use; users can check the operational state of the SLP daemon with: esxcli system slp stats get).
3. Run this command to disable the service: esxcli network firewall ruleset set -r CIMSLP -e 0
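The three steps above are easy to apply by hand but equally easy to leave half-done on a fleet of hosts. The script below is an added example, not code from the article or from VMware, that wraps the same workaround into one idempotent function for an ESXi host. It assumes it is run in the ESXi shell over SSH, where esxcli, /etc/init.d/slpd (with a `status` action) and chkconfig are available, that the firewall ruleset is named CIMSLP as in the article, and that `esxcli network firewall ruleset list` prints a "Name / Enabled" table with one `<name> <true|false>` row per ruleset. The `chkconfig slpd off` step keeps the daemon from coming back at the next reboot; the parser is split out so the check can be exercised offline on a constructed table.

```shell
#!/bin/sh
# Added example (not the article's or VMware's code): apply the OpenSLP
# workaround for CVE-2021-21974 on an ESXi host in one idempotent pass.
# Assumptions: ESXi shell, esxcli/chkconfig present, ruleset named CIMSLP.

RULESET="CIMSLP"

# Read the output of `esxcli network firewall ruleset list` from stdin.
# Assumed layout: a "Name  Enabled" header line, a dashed separator line,
# then one "<name>  <true|false>" row per ruleset.
# Returns 0 when the named ruleset is enabled, 1 otherwise (or if absent).
ruleset_enabled() {
    awk -v want="$1" '
        NR > 2 && $1 == want { found = 1; state = $2 }
        END { exit (found && state == "true") ? 0 : 1 }'
}

# Stop slpd (only meaningful when it is idle, per the VMware note), disable
# the CIMSLP firewall ruleset, and keep slpd from starting at boot.
harden_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found: run this in the ESXi shell" >&2
        return 2
    fi

    echo "--- SLP daemon state (confirm it is idle before stopping) ---"
    esxcli system slp stats get || true

    # Step 2 of the workaround: stop the daemon if it is running.
    if /etc/init.d/slpd status >/dev/null 2>&1; then
        /etc/init.d/slpd stop
    fi

    # Step 3 of the workaround: disable the ruleset only if still enabled.
    if esxcli network firewall ruleset list | ruleset_enabled "$RULESET"; then
        esxcli network firewall ruleset set -r "$RULESET" -e 0
    fi

    # Make the change survive a reboot, then show the resulting state.
    chkconfig slpd off
    chkconfig --list | grep slpd
    esxcli network firewall ruleset list | grep "$RULESET"
}

# Only touch the host when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--apply" ]; then
    harden_slp
fi
```

Run it as `sh harden_slp.sh --apply` on each host after confirming the SLP daemon is idle; re-running it is harmless because every step checks the current state first. Patching to a fixed ESXi build remains the real fix; this only removes the exposed OpenSLP listener.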

OVHcloud said February 3: “A wave of attacks is currently targeting ESXi servers. No OVHcloud managed services are impacted by this attack; however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.

“For Bare Metal customers using ESXi we strongly recommend in emergency:

  • to deactivate the OpenSLP service on the server or to restrict access to only trusted IP addresses (https://kb.vmware.com/s/article/76372)
  • to upgrade your ESXi to the latest security patch

“In a second time, ensure:

  • your data are backed up (on immutable storage?)
  • only necessary…

Source…