A two-year-old VMware vulnerability is being exploited as part of a ransomware campaign that has impacted thousands of organizations worldwide. The malware is designed to lock users out of their systems and demand payment to restore access. This is a serious security risk that vendors and administrators worldwide must address promptly.
Organizations that run their business on VMware ESXi servers should immediately patch those servers against the remotely exploitable bug from 2021. The ransomware variant known as “ESXiArgs” may have already compromised these systems, and unless they are updated, their data may be at risk.
Since February 3, cybercriminals have been targeting VMware ESXi servers in France and Italy to exploit vulnerabilities and install ransomware. The ransomware campaign is said to be large-scale, affecting thousands of servers worldwide. While CERT-FR has warned about the threat, it is still unclear how widespread the attack is or exactly which vulnerabilities are being exploited.
Government officials say the ESXiArgs campaign is a sophisticated effort by hackers to bypass security measures on industrial control systems. The attacks appear to be designed to exploit holes in the encryption technology behind message boards and other communication channels relied on by plant operators and technicians.
CISA appears to be doing whatever it can to help protect Americans against cyber attacks. Following the reported incidents, CISA is still coordinating with other government agencies to assess them and prevent future incidents.
Italian cybersecurity officials warn that the ESXi flaw could be exploited by unauthenticated threat actors in low-complexity attacks, which do not require employee passwords or other secrets. The flaw has already caused “significant” damage because of the number of unpatched machines.
One noteworthy feature of the ESXiArgs ransomware campaign is that it specifically targets VMware servers. This indicates that cybercriminals are increasingly aware of the security risks posed by these platforms and are prepared to invest in research and development to exploit vulnerabilities in them. Consequently, businesses should take appropriate measures to protect their VMware servers against such attacks, such as applying security updates regularly and maintaining robust antivirus protection.
Some researchers have suggested that the recently discovered ransomware campaign, known as “WannaCry”, may have originated from malware dating back to 2016. However, OVHCloud has since backtracked on these findings and instead suggests that the campaign is linked to a variant of the Nevada ransomware strain. It remains unclear who is behind this campaign, but it is clear that hackers are still targeting vulnerable individuals and organisations across the globe with increasingly sophisticated variants of ransomware.
The hackers behind the attack appear to have adopted a “triple-extortion” technique, in which the attackers threaten to notify victims’ customers of the data breach. The unknown attackers are demanding 2.06 bitcoin (approximately $19,000) in ransom payments, with each note displaying a different bitcoin wallet address. This could be an attempt to intimidate would-be extortionists, as well as to extract more money from those affected by the attack.
ESXiArgs is a ransomware variant that appears to leverage the CVE-2021-21974 vulnerability. Patches for the vulnerability were made available to customers two years ago, yet ESXiArgs is only starting to appear now. This suggests that organizations have not been running the patched version of their VMware infrastructure and are now being hit by the ransomware as a result.
Organizations that are running versions of ESXi affected by CVE-2021-21974 and have not yet applied the patch should exercise caution when accessing sensitive data, as the ransomware could target this information.