VMware ESXi Servers Targeted in Large-Scale Ransomware Campaign

The French Computer Emergency Response Team (CERT-FR) has warned about an ongoing ransomware campaign targeting VMware ESXi hypervisors that have not been patched against the critical heap-overflow vulnerability tracked as CVE-2021-21974.

VMware issued a patch on February 3, 2021, to fix the vulnerability; however, hundreds of VMware ESXi virtual machines are still vulnerable to the exploit and are now being attacked. The vulnerability affects the Open Service Location Protocol (OpenSLP) service and can be exploited by an unauthenticated attacker in a low-complexity attack to remotely execute code.

According to CERT-FR, the campaign targets ESXi hypervisors in version 6.x and prior to 6.7 through OpenSLP port 427, and warns that the following versions are vulnerable to the exploit:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

A workaround has been provided by CERT-FR in the alert for any organizations unable to immediately apply the patch, but CERT-FR strongly recommends patching to address the issue. CERT-FR has warned that patching the vulnerability or applying the workaround is not sufficient to protect against attacks, as the vulnerability may already have been exploited to deliver malicious code. After applying the mitigations, system scans should be performed to detect signs of compromise. VMware said the attacks involve a new ransomware variant dubbed ESXiArgs, which appends encrypted files with the .args extension. While it has yet to be confirmed, these attacks do not appear to involve data exfiltration, only file encryption.

Compliance Checklist

Free and Immediate Download

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

Over the weekend, security researchers have been reporting hundreds of machines have been attacked, which likely involves the automated or semi-automated exploitation of the vulnerability. Over 500 machines are believed to have been targeted, with The Stack reporting…