Highlights:

  • The initial attacks reportedly took place late last week, exploiting a vulnerability in VMware ESXi servers tracked as CVE-2021-21974 and patched in 2021.
  • The French and Italian authorities issued warnings after the attacks caught their governments’ attention.

Government agencies in Europe and VMware have been urging users of the VMware ESXi hypervisor to make sure their software is up to date, following a widespread ransomware campaign targeting unpatched installations.

The initial attacks reportedly took place in the first week of February, exploiting a vulnerability in VMware ESXi servers tracked as CVE-2021-21974 and patched in 2021. The flaw is a heap overflow in OpenSLP, which ships with several ESXi versions including 7.0, 6.7 and 6.5. OpenSLP is an open-source implementation of the IETF Service Location Protocol.

In the advisory accompanying the February 2021 patch, VMware warned, “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.” The port used in the attacks has been disabled by default in all ESXi releases since 2021.
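As an added check, not taken from the article or from VMware, the script below sends a minimal SLPv2 Service Request to TCP port 427 on each host in an inventory and reports the hosts that answer with an SLP reply echoing the request's transaction id, which is exactly the exposure the advisory above describes. The host names are constructed placeholders.

```python
import socket
import struct

SLP_PORT = 427  # OpenSLP listens here on ESXi hosts where the service is still enabled

def build_srvrqst(xid: int, srvtype: str = "service:service-agent") -> bytes:
    """Build a minimal SLPv2 Service Request (RFC 2608, section 8.1)."""
    lang = b"en"
    scope = b"DEFAULT"
    body = (
        struct.pack("!H", 0)                                   # empty previous-responder list
        + struct.pack("!H", len(srvtype)) + srvtype.encode()
        + struct.pack("!H", len(scope)) + scope
        + struct.pack("!H", 0)                                 # empty predicate
        + struct.pack("!H", 0)                                 # empty SLP SPI
    )
    length = 14 + len(lang) + len(body)  # fixed header is 14 bytes plus the language tag
    header = (
        bytes([2, 1])                    # version 2, function-id 1 = SrvRqst
        + length.to_bytes(3, "big")
        + struct.pack("!H", 0)           # flags
        + (0).to_bytes(3, "big")         # next extension offset
        + struct.pack("!H", xid)
        + struct.pack("!H", len(lang)) + lang
    )
    return header + body

def parse_slp_header(data: bytes):
    """Return (version, function_id, length, xid) from an SLPv2 header, or None if too short."""
    if len(data) < 14:
        return None
    length = int.from_bytes(data[2:5], "big")
    xid = struct.unpack("!H", data[10:12])[0]
    return data[0], data[1], length, xid

def slp_exposed(host: str, port: int = SLP_PORT, timeout: float = 3.0, xid: int = 0x4242) -> bool:
    """True if an SLPv2 service answers our request; a real reply echoes our XID."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_srvrqst(xid))
            data = s.recv(1024)
    except OSError:  # connection refused, filtered, or no answer before the timeout
        return False
    hdr = parse_slp_header(data)
    return hdr is not None and hdr[0] == 2 and hdr[3] == xid

def audit(hosts):
    """Return the subset of hosts whose SLP service is reachable from here."""
    return [h for h in hosts if slp_exposed(h)]

if __name__ == "__main__":
    # Constructed placeholder inventory; replace with your own ESXi host list.
    for host in audit(["esxi-01.example.internal", "esxi-02.example.internal"]):
        print(f"{host}: SLP reachable on tcp/{SLP_PORT}; patch the host or disable the service")
```

A host that is listed here is running the service the advisory warns about and should be patched or have SLP disabled; a host that is not listed may still be vulnerable from another network segment, since the check only reflects reachability from where it is run.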

Two years later, it is clear that many VMware ESXi users unfortunately never upgraded the software or installed the patch. VMware said in a recent blog post that the installations being attacked are generally at end of general support or considerably out of date.

The French and Italian authorities issued warnings after the attacks caught their governments’ attention. The Italian prime minister’s office said the attacks breaching systems in the country involve “ransomware already in circulation,” while France’s warning came in a technical bulletin from its national cybersecurity agency.

The warning in Italy coincided with an internet outage at Telecom Italia that disrupted the streaming of some sports games. However, reports could not establish whether the outage was connected to the ransomware campaign.

“The reported widespread ransomware attacks against unpatched VMware ESXi systems in Europe and elsewhere highlight how important it is to update key software infrastructure systems as quickly as possible. It isn’t always easy for organizations to update software,” said Stefan van der Wal, consulting solutions engineer at security and networking company Barracuda Networks Inc.

He suggested that in such cases organizations may need to take crucial segments of their IT infrastructure offline temporarily in order to patch. “But it is far better to face that than to be hit by a potentially damaging attack,” he added.

David Maynor, senior director of threat intelligence at cybersecurity training company Cybrary Inc., observed that attackers know that even when the operating systems running inside virtualized environments are secure, the supporting tooling wrapped around the hypervisor is often still buggy.

“VMware has had ongoing ESXi issues for years; however, you can still find bugs with a Kali Linux box and 10 minutes of training with fuzzer tools. It would be best if you were not exposing your ESXi management interface to the world,” said Maynor.