On Monday, VMware stated that the organization had not discovered proof that threat actors were using a zero-day vulnerability in its software as part of an ongoing global ransomware attack campaign.
The virtualization services provider stated that most complaints indicate that End of General Support (EoGS) or significantly out-of-date products are being targeted with known vulnerabilities that have already been patched and publicized in VMware Security Advisories (VMSAs).
VMware has announced that “In 2021, ESXi 7.0 U2c and ESXi 8.0 GA were delivered with the service disabled by default, which came when unpatched and unprotected VMware ESXi servers worldwide have been hotspot targets for a massive ransomware campaign. Most of these exploits will likely use a two-year-old vulnerability that VMware addressed in February 2021.
Additionally, the organization advises users to update to the most recent supported releases of vSphere components to resolve known concerns and disable the OpenSLP service in ESXi.
The vulnerability tracked as CVE-2021-21974 is a Remote code execution in the OpenSLP service in VMware ESXi, which allows a remote attacker to execute arbitrary code on the target system, which exists due to a boundary error when processing packets within the OpenSLP service. A remote non-authenticated attacker on the local network can send specially crafted SLP messages to port 427/TCP to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
GreyNoise data reveals that since February 4, 2023, 19 IP addresses have attempted to exploit the ESXi vulnerability. With just one malicious exploitation discovered in the Netherlands, 18 of the 19 IP addresses are categorized as benign. Following these attacks, threat actors appear to target ESXi servers that are accessible via OpenSLP port 427 and have been seen to request victims to pay 2.01 Bitcoin to retrieve the encryption key required to decrypt their files.
Recommendations
- Maintain good cyber hygiene
- Maintain good backup
- Update ESXi and should not be exposed to the internet.
