Thousands of unpatched VMware ESXi servers hit by ransomware via old bug (CVE-2021-21974)
Late last week, unknown attackers launched a widespread ransomware attack on VMware ESXi hypervisors via CVE-2021-21974, an easily exploitable vulnerability in the ESXi OpenSLP service that lets them execute code remotely without prior authentication.
VMware released patches for CVE-2021-21974 two years ago, and this attack has shown how many servers remain unpatched, with the SLP service still running and the OpenSLP port (427) still exposed to the Internet.
The attack is ongoing.
The French CERT (CERT-FR) and the French cloud provider OVH were the first to sound the alarm on Friday night, reporting that attackers were exploiting CVE-2021-21974 and urging owners of unpatched, not-yet-affected servers to patch quickly or disable the SLP service.
On Sunday, the computer security incident response team of Italy's National Cybersecurity Agency (ACN) echoed the warning.
After some initial speculation about the ransomware the attackers are using to encrypt vulnerable servers, it was confirmed to be a new ransomware family, named ESXiArgs after the targeted systems and the extension (.args) appended to encrypted virtual machine files (files with the .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram and .vmem extensions). Unfortunately, its encryption has no exploitable bugs.
ESXi is installed on entire hosts, often leased from a cloud service provider. OVHcloud CISO Julien Levrard says they have identified compromised hosts and have been notifying affected customers, but did not say how many hosts were affected.
The Italian news agency ANSA reports that “the attacks compromised dozens of IT systems in Italy, in both the public and private sectors.” According to Censys, there are more than 3,200 compromised servers, mainly in France, but also in the US, Germany, Canada, the UK, the Netherlands and other countries around the world.
What to do?
Administrators whose ESXi servers have not been affected have probably already applied the patch provided by VMware, disabled the SLP service, and/or made the servers inaccessible from the Internet. If not, they may simply have been lucky so far, but that luck will probably run out soon, so they need to take these steps.
There are many families of ransomware, and other malware, capable of targeting VMware ESXi virtual machines, and with a PoC exploit for CVE-2021-21974 public, we can expect threat actors to use them to try the same trick.
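As an added example (not from the article, OVHcloud or VMware), here is the check-and-disable step described above written as a small POSIX shell script for the ESXi shell. It uses the service, firewall and boot-configuration commands VMware documents for this workaround (`/etc/init.d/slpd`, `esxcli network firewall ruleset`, `chkconfig`); the exact output wording that the `slp_verdict` function parses is an assumption to verify on your own build, which is why that function is kept pure and can be checked off-host.

```shell
#!/bin/sh
# Added example (not from the article): audit whether an ESXi host still
# exposes OpenSLP, the service behind CVE-2021-21974, and optionally apply
# VMware's documented workaround: stop slpd, close the CIMSLP firewall
# ruleset (port 427) and keep slpd from starting at boot.
# Usage on the host:  sh slp_check.sh            # report only
#                     sh slp_check.sh --disable  # report, then remediate
# Assumptions: busybox sh on ESXi; the output formats parsed below
# ("slpd is running", "slpd  on", and the Enabled column of
# "esxcli network firewall ruleset list") should be verified on your build.

# slp_verdict STATUS BOOT FW_ENABLED
#   STATUS      output of "/etc/init.d/slpd status"
#   BOOT        output of "chkconfig --list slpd"
#   FW_ENABLED  "true"/"false" taken from the CIMSLP ruleset row
# Prints a comma-separated list of findings, or "ok" when slpd is stopped,
# firewalled and disabled at boot. Pure: no host commands, safe anywhere.
slp_verdict() {
    findings=""
    case "$1" in
        *"is running"*) findings="running" ;;
    esac
    if [ "$3" = "true" ]; then
        findings="${findings:+$findings,}firewall-open"
    fi
    case "$2" in
        *on) findings="${findings:+$findings,}enabled-at-boot" ;;
    esac
    echo "${findings:-ok}"
}

# slp_check: gather the three facts from the live host and print the verdict.
slp_check() {
    status=$(/etc/init.d/slpd status 2>/dev/null)
    boot=$(chkconfig --list slpd 2>/dev/null)
    fw=$(esxcli network firewall ruleset list -r CIMSLP 2>/dev/null \
         | awk '$1 == "CIMSLP" { print $2 }')
    slp_verdict "$status" "$boot" "$fw"
}

# slp_disable: VMware's workaround, in the order that makes the change stick.
slp_disable() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

if command -v esxcli >/dev/null 2>&1; then
    verdict=$(slp_check)
    echo "OpenSLP exposure: $verdict"
    if [ "${1:-}" = "--disable" ] && [ "$verdict" != "ok" ]; then
        slp_disable
        echo "After remediation: $(slp_check)"
    fi
else
    echo "esxcli not found; run this on the ESXi host itself" >&2
fi
```

Disabling SLP is a workaround, not a replacement for the patch: an unpatched host with the service stopped is still one reboot or one re-enabled ruleset away from exposure, and any CIM client that relies on SLP discovery will stop finding the host. Apply VMware's fix and confirm the build afterwards.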
Levrard says that the ransomware uses a public key deployed in /tmp/public.pem, that it tries to shut down virtual machines by killing the VMX process to unlock the files, that the attackers do not exfiltrate data before encrypting the files, and that in some cases the encryption is only partial and the data can be recovered. He pointed users to a VMDK file recovery procedure outlined by security researcher Enes Sönmez.
“We tested this procedure, as have many security experts, with success on several affected servers. The success rate is about 2/3. Please note that following this procedure requires strong skills in ESXi environments. Please use it at your own risk and seek help from experts to assist you,” he added.