Written by staff writer.
Hackers are targeting an OpenSLP (Service Location Protocol) security flaw in unpatched VMware ESXi servers, deploying ransomware that gains remote code execution on the servers and encrypts their files. VMware is a global provider of multi-cloud services.
CERT-FR, the French government’s cybersecurity response agency, issued an alert on February 3 warning of the attack. The affected systems are ESXi hypervisors versions 6.5, 6.7 and 7.0.
“CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them,” the agency said. “These attack campaigns seem to have taken advantage of the exposure of ESXi hypervisors which would not have been updated with security patches quickly enough. In particular, the SLP service seems to have been targeted, a service for which several vulnerabilities had been the subject of successive patches. Exploit codes have been available in open source since at least May 2021.”
The situation is evolving, but according to the latest estimates, the hackers have targeted over 3,000 servers. They use the malware to encrypt .vmxf, .vmx, .vmdk, .vmsd, and .nvram files on the servers and drop ransom notes. Overnight, Italy’s National Cybersecurity Agency said it believed cyber-criminals rather than nation-state actors were behind the attacks.
“No evidence has emerged pointing to aggression by a state or hostile state-like entity,” that agency said, noting that the attackers did not target critical infrastructure servers.
Because the attacks target unpatched servers, systems that were updated earlier are protected from this particular piece of malware. CERT-FR says the two relevant vulnerabilities are CVE-2021-21974 from VMSA-2021-0002, an ESXi OpenSLP heap-overflow vulnerability, and CVE-2020-3992 from VMSA-2020-0023, an ESXi OpenSLP remote code execution vulnerability. VMware says to patch if possible or to disable the affected SLP service in ESXi.
Consulting Solutions Engineer Stefan van der Wal from Barracuda Networks says the ransomware attack highlights how important it is to update critical software infrastructure systems.
“Securing virtual infrastructure is vital. Virtual machines can be attractive targets for ransomware since they often run business-critical services or functions, and a successful attack could cause extensive disruption,” he said. “It isn’t always easy for organizations to update software, but it is far better to face the temporary disruption than to be hit by a potentially damaging attack.”
Many exposed servers are reportedly in France, the US, and Germany. Cybersecurity analysts say that the attack, while widespread, does not appear to be sophisticated, and some entities have recovered their virtual machines without having to restore from a backup.
But cybersecurity specialists Wiz say 12% of ESXi servers worldwide are currently unpatched for CVE-2021-21974 and vulnerable to attacks. “The targets of these attacks are primarily ESXi servers running versions prior to 7.0 U3i, which are accessible through the OpenSLP port 427,” the company said on February 7.
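The two conditions quoted above (a build older than 7.0 U3i and OpenSLP reachable on port 427), together with VMware's advice to patch or disable SLP, give a defender a simple way to rank an ESXi fleet for remediation. The script below is an added example written for this article; it is not code from VMware, Wiz or CERT-FR. The host inventory it reads is constructed, the `slpd_running` and `port_427_exposed` fields are assumed to have been gathered separately from host configuration and from a scan of the management network, and the version-ordering rule (update letters sort alphabetically, an unlettered update precedes its lettered releases) is an assumption of this example rather than a statement from the page.

```python
"""Rank ESXi hosts by ESXiArgs exposure (added example, not from the article)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Threshold quoted on the page: Wiz said the targets were primarily hosts
# running versions prior to 7.0 U3i that expose OpenSLP on port 427.
FIXED_VERSION = "7.0 U3i"
SLP_PORT = 427


@dataclass
class EsxiHost:
    name: str
    version: str             # e.g. "7.0 U3c", "6.7 U3", "8.0"
    slpd_running: bool       # SLP service enabled on the host (assumed input)
    port_427_exposed: bool   # port 427 reachable from untrusted networks (assumed input)


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Convert 'major.minor [U<n>[letter]]' into a tuple that sorts correctly.

    Assumption of this example: VMware update letters sort alphabetically
    (U3c < U3i) and an unlettered update (U3) precedes its lettered releases.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\s+U(\d+)([a-z])?)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised ESXi version string: {version!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor), int(update or 0), letter or "")


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the host runs the fixed build or newer."""
    return parse_version(version) >= parse_version(fixed)


def assess(host: EsxiHost) -> str:
    """'ok'       : build at or above the fixed version
       'patch'    : old build, but SLP is off or port 427 is not reachable
       'critical' : old build and OpenSLP reachable on port 427 (the profile
                    the article describes as being hit)"""
    if is_patched(host.version):
        return "ok"
    if host.slpd_running and host.port_427_exposed:
        return "critical"
    return "patch"


def triage(hosts: List[EsxiHost]) -> Dict[str, str]:
    """Map host name to verdict, most urgent hosts first."""
    order = {"critical": 0, "patch": 1, "ok": 2}
    ranked = sorted(hosts, key=lambda h: order[assess(h)])
    return {h.name: assess(h) for h in ranked}


# Constructed sample inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    EsxiHost("esx-dmz-01", "7.0 U3c", slpd_running=True, port_427_exposed=True),
    EsxiHost("esx-lab-02", "6.7 U3", slpd_running=False, port_427_exposed=True),
    EsxiHost("esx-prod-03", "7.0 U3i", slpd_running=True, port_427_exposed=True),
    EsxiHost("esx-prod-04", "8.0", slpd_running=False, port_427_exposed=False),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {verdict}")
```

A host classified `critical` matches the exposure profile the article describes and should be patched first; where patching has to wait, disabling the SLP service as VMware advises moves it to `patch`, which still needs the update but removes the remote entry point the campaign used.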
They add that the ESXiArgs malware is linked to the Nevada ransomware family that was first detected in December 2022 and is tied to Chinese and Russian threat actors.