Over 83,000 ESXi servers are internet-exposed as mass attack continues


Over 2,500 ESXi servers around the world have now been hit by ransomware as part of a spray-and-pray campaign that began on Friday evening – with VMware affirming that it has “not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks.”

Initial reports suggested that a vulnerability from early 2021 was being exploited. Some security researchers were initially sceptical that the explanation could be that simple: it would mean thousands of ESXi users had not only failed to patch a severe remote code execution (RCE) vulnerability for two years, but had also exposed those unpatched servers directly to the internet.

The campaign also began just days after security researchers published an exploit that lets remote and unauthenticated attackers take over VMware's log management tool vRealize Log Insight as the root user by chaining three vulnerabilities that VMware disclosed on January 25, 2023. Two of the CVEs used (CVE-2022-31706, CVE-2022-31704) carry critical CVSS ratings of 9.9 and are described by VMware as leading to remote code execution (RCE).

There is no suggestion that this exploit is being used in the ESXi ransomware attacks.

SecurityScorecard's Attack Surface Intelligence (ASI) tool detects some version of ESXi in use at 139,491 IP addresses worldwide. Not all of these will be vulnerable to the ongoing campaign. Shodan searches meanwhile suggest that 83,476 ESXi servers can be found online, the vast majority of them running version 6.7.

Figure: ESXi servers exposed to the internet, by version. Credit: Shodan.

VMware emphasised in a short blog on February 6 that “Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities”.

The ESXi ransomware campaign is targeting CVE-2021-21974, a heap overflow in VMware ESXi's OpenSLP service (which listens on TCP/UDP port 427) that leads to remote code execution. It was reported via the Zero Day Initiative (ZDI) by Lucas Leong and patched by VMware in February 2021 (VMSA-2021-0002).

Admins should patch; where that is not immediately possible, they should ensure unpatched ESXi hosts are firewalled off from the internet, with no management or service ports exposed. VMware's earlier workaround for the vulnerability, which disables the OpenSLP service, urged users to 1: Login to the ESXi hosts using an SSH session (such as putty); 2:…
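The following shell helper is an added example, not code from the article or from VMware: it checks whether an ESXi host still has OpenSLP reachable and, on request, applies the SLP-disable workaround. The function names (`slp_ruleset_enabled`, `slpd_starts_at_boot`, `slp_port_reachable`, `esxi_slp_audit`) are hypothetical; the `esxcli`, `/etc/init.d/slpd` and `chkconfig` commands are those in VMware's KB 76372 workaround for CVE-2021-21974, and the parsers take command output as an argument so they can be exercised off-box with constructed text.

```shell
#!/bin/sh
# Added example (not from the article or VMware's KB): check-and-mitigate helper
# for the CVE-2021-21974 exposure discussed above. OpenSLP (slpd) listens on
# TCP/UDP 427; VMware's workaround for hosts that cannot be patched is to stop
# slpd, disable the CIMSLP firewall ruleset and keep slpd from starting at boot.

# Given the text output of `esxcli network firewall ruleset list` (columns:
# Name, Enabled), return 0 if the CIMSLP ruleset, which opens port 427, is
# still enabled; 1 otherwise. Taking the output as an argument keeps this
# testable away from an ESXi host.
slp_ruleset_enabled() {
  printf '%s\n' "$1" | grep -Eq '^CIMSLP[[:space:]]+true([[:space:]]|$)'
}

# Given the output of `chkconfig --list` (columns: name, on/off), return 0 if
# slpd is still set to start at boot.
slpd_starts_at_boot() {
  printf '%s\n' "$1" | grep -Eq '^slpd[[:space:]]+on([[:space:]]|$)'
}

# From any other host with netcat: return 0 if TCP 427 answers on the target.
# A hit from an internet vantage point means the host is exposed to this
# campaign's vector regardless of patch level. $2 is a timeout in seconds.
slp_port_reachable() {
  nc -z -w "${2:-3}" "$1" 427 2>/dev/null
}

# Run in the ESXi shell (over SSH): report SLP state and, with "--fix", apply
# the workaround. Hypothetical wrapper; the commands inside are VMware's.
esxi_slp_audit() {
  rules=$(esxcli network firewall ruleset list)
  boot=$(chkconfig --list)
  if slp_ruleset_enabled "$rules"; then
    echo "CIMSLP firewall ruleset: ENABLED (port 427 open on this host)"
  else
    echo "CIMSLP firewall ruleset: disabled"
  fi
  if slpd_starts_at_boot "$boot"; then
    echo "slpd at boot: ON"
  else
    echo "slpd at boot: off"
  fi
  if [ "$1" = "--fix" ]; then
    # slpd only stops cleanly when no SLP agents are in use; show them first.
    esxcli system slp stats get
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
  fi
}

# Only run the host audit when explicitly asked, so the file can also be
# sourced for its parser functions.
case "${1:-}" in
  --audit|--fix) esxi_slp_audit "$1" ;;
esac
```

Copy the file to the host and run `sh slp_audit.sh --audit` to report, or `--fix` to apply the workaround; from outside, `slp_port_reachable <ip>` confirms whether the firewall actually blocks 427. Disabling SLP is a stopgap only, and hosts should still be upgraded to a patched build.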
