THREAT LEVEL - HIGH

15-02-2023

Massive Ransomware attack Targets VMware ESXi Servers

Threat Level Description 

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

 

Description 

We have observed that a massive ransomware attack targeting VMware ESXi Servers, has been identified.

The attack exploits a known vulnerability that was patched in February 2021 (CVE-2021-21974). The attack has been reported on ESXI servers around the global, affecting organizations in France, Finland, Italy, Canada, and the US.

VMware has described the exploited by the ransomware vulnerability as an OpenSLP heap-overflow issue that could result in the execution of arbitrary code.

This massive attack on ESXi servers is considered one of the most extensive ransomware cyberattacks ever reported on non-Windows machines.

Until recently, ransomware attacks had been primarily focused on Windows-based machines, but cybercriminals have now realized the importance of Linux servers for the systems of institutions and organizations. This prompted them to develop a powerful cyber weapon and make ransomware more sophisticated. Based on current analysis, the impact of this ransomware attack is not limited to specific targeted service providers.

Thus, the damage is likely more widespread than initially reported.

 

CVE(s) 

CVE-2021-21974

BASE SCORE: 5.8 Medium   VECTOR: (AV:A/AC:L/Au:N/C:P/I:P/A:P)

 

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

 

Affected Systems

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

 

Recommendation(s) 

Workarounds, provided by the vendor, for mitigating the risk of the “CVE-2021-21974” exploitation, can be found in the below links:

The guidelines below will help you protect against Ransomware and its associated security threats:

  • Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup.
  • Consider enabling the “Show hidden file-extensions”. One way that ransomware such as Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Window’s default behavior of hiding known file-extensions.
  • Filter executable files in email. If your email gateway has the ability to filter files by extension, you may wish to deny mails sent with “.exe”, “.scr”, “.bat” files, or to deny mails sent with files that have two file extensions, the last one being executable.
  • Disable files running from AppData/LocalAppData folders. You can create rules within Windows or with Host Intrusion Prevention software, to disallow a particular, notable behavior used by ransomware, which is to run its executable from the App Data or Local App Data folders.
  • Disable macros in Microsoft Office files. Most people may not be aware that Microsoft Office Files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.
  • Do not open e-mail from unknown sources. Be suspicious of emails purporting to be from financial institution, government department, or other agency requesting account information, account verification or banking access credentials sush as usernames, passwords, PIN codes, and similar information. Opening file attachments od clicking on web links in suspicious emails could expose your system to malicious code that could hijack your computer.
  • Never respond to a suspicious email or click on any hyperlink embedded in a suspicious email. Call the purported source if you are unsure who sent an email.
  • If an email claiming to be from your financial organization seems suspicious, checking with your financial organization may be appropriate.
  • Keep your antivirus up to date and use real time protection.
  • It is also recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding regarding Social Engineering and security threats in general.

Finally, in case that a system is compromised, it should be immediately removed from the network.

 

References 

https://blog.checkpoint.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/

https://www.securityweek.com/esxiargs-ransomware-hits-over-3800-servers-as-hackers-continue-improving-malware/

 https://www.scmagazine.com/brief/ransomware/widespread-vmware-esxi-ransomware-attack-impacts-over-3800-organizations

 https://nvd.nist.gov/vuln/detail/CVE-2021-21974

SIGN UP

Get the latest Threat Alerts in your inbox.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). By completing this form, you consent to the collection and processing of your personal data for the purpose of processing your inquiry. Your data will be handled securely and will not be shared with third parties without your explicit consent. You have the right to access, rectify, or delete your personal data at any time by contacting us at [email protected]. For more information on how we handle your data, please refer to our Privacy Notice