New ransomware campaign targets old VMware vulnerability patched two years ago
PSA: If you administer ESXi servers, please make sure you are running the latest ESXi software. This advice normally goes without saying, but attackers are currently running a ransomware campaign that exploits an ancient (in technical terms) bug in the system. According to VMware, this problem would not exist if ESXi administrators had followed proper security hygiene.
Security researchers discovered over the weekend that attackers were remotely exploiting a two-year-old bug in VMware ESXi servers. VMware's ESXi is a hypervisor that lets you host several virtual machines, running different operating systems, on a single server.
According to the French Computer Emergency Response Team (CERT-FR), criminals are targeting vulnerable systems in the country with a malware variant called “ESXiArgs”. Cyber security officials in Italy confirmed that the ransomware is also infecting systems throughout Europe and North America.
The attacks have been ongoing since at least February 3 and have affected more than 3,200 VMware servers worldwide. Given the age of this vulnerability, the breadth of the attacks is remarkable. A Censys search shows that France was hardest hit, with 915 compromised systems. The US, Germany, Canada and the UK round out the top five and together account for more than half of the counted attacks. Censys is also tracking infections in 15 other countries.
Representatives of the Cybersecurity and Infrastructure Security Agency (CISA) in the United States said they are studying the situation and helping affected businesses and organizations.
🌐 New #ransomware attack is spreading like crazy 🚨
Many VMware ESXi servers have been encrypted in the last hours with this ransom note 🧐
Interestingly, the bitcoin wallet is different in each ransom note. No website for the group, only a TOX id. pic.twitter.com/mgyoLxbXvg
— DarkFeed (@ido_cohen2) February 3, 2023
“CISA is working with our public and private sector partners to assess the impact of these reported incidents and provide assistance if needed,” a spokesperson told TechCrunch. “Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”
VMware servers that have not been updated in years can fall victim to “simple” remote attacks that require no knowledge of employee credentials. The ransomware then encrypts the data and demands a ransom.
So far, officials and researchers are not sure who is behind the attacks. The Deep Web Intelligence Feed has tweeted screenshots of the ransomware showing the attackers demanding about 2.064921 bitcoins (about $19,000) to free the servers. DarkFeed notes that each ransom note lists a separate bitcoin wallet. OVHcloud originally attributed the campaign to the Nevada ransomware group, but has since retracted that claim, stating, “No material can lead us to attribute this attack to any group.”
VMware says the attacks can only succeed if administrators have not updated their ESXi software in years. VMware spokeswoman Doreen Ruyak told TechCrunch that the company became aware of the security hole, designated CVE-2021-21974, and fixed it in its February 2021 security bulletin. She encourages all organizations to make sure they are running the current version of the software to protect themselves.
“Security hygiene is a key component to preventing ransomware attacks, and organizations that are running versions of ESXi affected by CVE-2021-21974 and have not yet applied the patch should take action as outlined in the bulletin,” Ruyak said.