Tag Archive for: VMware

Massive ransomware attack targets VMware ESXi servers worldwide


A global ransomware attack has hit thousands of servers running the VMware ESXi hypervisor, with many more servers expected to be affected, according to national cybersecurity agencies and security experts around the world.

The Computer Emergency Response Team of France (CERT-FR) was the first to notice and send an alert about the attack.

“On February 3, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them,” CERT-FR wrote.

Other national cybersecurity agencies — including organizations in the US, France and Singapore — have also issued alerts about the attack. Servers have been compromised in France, Germany, Finland, the US and Canada, according to reports.

More than 3,200 servers have been compromised globally so far, according to cybersecurity firm Censys.

CERT-FR and other agencies report that the attack campaign exploits the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows attackers to execute arbitrary code remotely. The systems currently targeted are ESXi hypervisors in version 6.x, prior to 6.7, CERT-FR stated.

Source…

VMware ESXi Servers Targeted in Large-Scale Ransomware Campaign


The French Computer Emergency Response Team (CERT-FR) has warned about an ongoing ransomware campaign targeting VMware ESXi hypervisors that have not been patched against the critical heap-overflow vulnerability tracked as CVE-2021-21974.

VMware issued a patch on February 3, 2021, to fix the vulnerability; however, hundreds of VMware ESXi virtual machines are still vulnerable to the exploit and are now being attacked. The vulnerability affects the Open Service Location Protocol (OpenSLP) service and can be exploited by an unauthenticated attacker in a low-complexity attack to remotely execute code.

According to CERT-FR, the campaign targets ESXi hypervisors in version 6.x prior to 6.7 through OpenSLP port 427; the agency warns that the following versions are vulnerable to the exploit:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

A workaround has been provided by CERT-FR in the alert for any organizations unable to immediately apply the patch, but CERT-FR strongly recommends patching to address the issue. CERT-FR has warned that patching the vulnerability or applying the workaround is not sufficient to protect against attacks, as the vulnerability may already have been exploited to deliver malicious code. After applying the mitigations, system scans should be performed to detect signs of compromise. VMware said the attacks involve a new ransomware variant dubbed ESXiArgs, which appends encrypted files with the .args extension. While it has yet to be confirmed, these attacks do not appear to involve data exfiltration, only file encryption.
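A small triage helper, added here as an example (not code from CERT-FR, VMware or any of the quoted articles): it encodes the version list above and walks a constructed stand-in for /vmfs/volumes looking for the .args extension. The 7.x threshold is the build number from the list; for 6.7 and 6.5 the page gives only patch ids, so those hosts are flagged for a manual patch-id check rather than compared by build.

```python
import os
import tempfile

# Fixed 7.x build from the CERT-FR version list above (ESXi70U1c-17325551).
FIXED_BUILD_7X = 17325551
# The 6.7 / 6.5 fixes are named by patch id on the page, not by build number.
FIXED_PATCH_6X = {"6.7": "ESXi670-202102401-SG", "6.5": "ESXi650-202102101-SG"}


def assess_cve_2021_21974(version, build):
    """Classify a host by the CERT-FR vulnerable-version list.

    version is the dotted release (e.g. "7.0.1") and build the integer
    build number, both as reported by 'esxcli system version get'.
    """
    major_minor = ".".join(version.split(".")[:2])
    if major_minor.startswith("7."):
        return "patched" if build >= FIXED_BUILD_7X else "vulnerable"
    if major_minor in FIXED_PATCH_6X:
        # No build threshold on the page: compare the installed patch id
        # (esxcli software vib list) against FIXED_PATCH_6X[major_minor].
        return "check-patch-id"
    if major_minor.startswith("6."):
        # 6.x before 6.7 is the range CERT-FR says is being hit.
        return "vulnerable"
    return "unknown"


def find_args_files(root):
    """Return files under root carrying the .args extension ESXiArgs appends."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if n.endswith(".args"))
    return sorted(hits)


def build_sample_volume():
    """Constructed stand-in for /vmfs/volumes: one intact and one encrypted file."""
    root = tempfile.mkdtemp(prefix="vmfs-sample-")
    for name in ("web01.vmdk", "web01.vmdk.args"):
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    print(assess_cve_2021_21974("7.0.1", FIXED_BUILD_7X))   # patched
    print(assess_cve_2021_21974("6.0.0", 0))                # vulnerable
    print(find_args_files(build_sample_volume()))
```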


Over the weekend, security researchers have been reporting that hundreds of machines have been attacked, which likely involves automated or semi-automated exploitation of the vulnerability. Over 500 machines are believed to have been targeted, with The Stack reporting…

Source…

Mass VMware ESXi ransomware attacks target CVE-2021-21974


Security researchers are reporting an explosion in the compromise of VMware ESXi hypervisors with over 500 machines hit by ransomware this weekend — with the automated attacks exploiting CVE-2021-21974.

As The Stack reported, some 20 ESXi machines were being ransomed every hour, with Shodan data showing that the majority were hosted by OVHcloud but the blast radius was expanding rapidly.

Customers in France initially appeared to be the worst affected, and the country’s CERT-FR was among the first to publish an advisory. The semi-automated attacks may be targeting unpatched and internet-exposed instances using CVE-2021-21974, a VMware ESXi OpenSLP heap overflow leading to RCE, CERT-FR suggested.

Whilst VMware’s initial advisory in 2021 for the vulnerability said that it affects ESXi versions 7.0, 6.7 and 6.5, the attacks also appear to be hitting earlier build versions; some debate continues as to whether CVE-2021-21974 is the sole mechanism by which exploitation is happening.

Admins should ensure unpatched ESXi servers are firewalled, with no ports exposed. VMware’s earlier mitigation for the vulnerability urged users to:

  • Log in to the ESXi host over an SSH session (for example with PuTTY).
  • Stop the SLP service on the ESXi host with: /etc/init.d/slpd stop (note: the SLP service can only be stopped when it is not in use; check the operational state of the SLP daemon with: esxcli system slp stats get).
  • Disable the service with: esxcli network firewall ruleset set -r CIMSLP -e 0

OVHcloud said February 3: “A wave of attacks is currently targeting ESXi servers. No OVHcloud managed services are impacted by this attack; however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.

“For Bare Metal customers using ESXi we strongly recommend in emergency:

  • to deactivate the OpenSLP service on the server or to restrict access to only trusted IP addresses (https://kb.vmware.com/s/article/76372)
  • to upgrade your ESXi to the latest security patch

“As a second step, ensure:

  • your data are backed up (on immutable storage?)
  • only necessary…

Source…

Snowballing Ransomware Variants Highlight Growing Threat to VMware ESXi Environments


The latest confirmations of the growing attacker interest in VMware ESXi environments are two ransomware variants that surfaced in recent weeks and have begun hitting targets worldwide.

One of the malware tools, dubbed Luna, is written in Rust and can encrypt data on ESXi virtual machines (VMs) in addition to data on Linux and Windows systems. The other is Black Basta, a rapidly proliferating ransomware variant written in C++ that, like Luna, targets ESXi VMs and also works on Windows and Linux systems.

They add to a collection of ransomware variants aimed at ESXi, VMware’s bare-metal hypervisor for running virtual machines. Numerous organizations use the technology to deploy multiple VMs on a single host system or across a cluster of host systems, making the environment an ideal target for attackers looking to cause widespread damage.

“Infrastructure services like networking equipment and hosting infrastructure like ESXi can’t easily be patched on demand,” says Tim McGuffin, director of adversarial engineering at Lares Consulting. “Attacking these services provides a one-stop shop for impact since a large number of servers can be encrypted or attacked at once.”

Other recent examples of malware targeting ESXi environments include Cheerscrypt, LockBit, RansomEXX, and Hive.

The Cross-Platform Ransomware Threat

Researchers from Kaspersky first spotted Luna in the wild last month. Their analysis shows the malware to fall into the trend of several other recent variants that are written in platform-agnostic languages like Rust and Golang, so they can be easily ported across different operating systems. The researchers also found the malware to employ a somewhat rare combination of the AES and X25519 cryptographic algorithms to encrypt data on victim systems. The security vendor assessed the operator of the malware to be likely based in Russia.

Kaspersky’s analysis of a recent version of Black Basta — a ransomware variant it has been tracking since February — shows the malware has been tweaked so it can now encrypt specific directories, or the entire “/vmfs/volumes” folder, on ESXi VMs. The malware uses the ChaCha20 256-bit cipher to encrypt files on victim systems. It also…

Source…