New ransomware campaign targets old VMware flaw patched two years ago
PSA: If you are an ESXi server administrator, be sure you are running the latest ESXi software. This advice normally goes without saying, but hackers are currently running a ransomware campaign that exploits an ancient (in tech terms) bug in the system. This problem would not happen if ESXi admins were practicing proper security hygiene, says VMware.
Over the weekend, security researchers discovered that malicious actors are remotely exploiting a bug in VMware ESXi servers from two years ago. VMware’s ESXi is a hypervisor that allows a server to host multiple virtual machines running various operating systems.
According to the Computer Emergency Response Team in France (CERT-FR), criminals are targeting vulnerable systems in the country with a malware variant called “ESXiArgs.” Cybersecurity officials in Italy confirmed the ransomware is also hitting systems all over Europe and North America.
The attacks have been going on since at least February 3 and have affected more than 3,200 VMware servers globally. As old as this security flaw is, it is remarkable how widespread the attacks are. A Censys search notes that the hardest hit was France, with 915 compromised systems. The US, Germany, Canada, and the UK fill out the top five in their respective positions and comprise over half of the attacks counted. Censys is tracking it in 15 other countries as well.
Cybersecurity and Infrastructure Security Agency (CISA) officials in the US said they are looking into the situation and are helping affected companies and organizations.
🌐 A new #ransomware attack is spreading like crazy 🚨
Many VMware ESXi servers got encrypted in the last hours with this ransom note 🧐
What’s interesting is that the bitcoin wallet is different in every ransom note. No website for the group, only TOX id
— DarkFeed (@ido_cohen2) February 3, 2023
“CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed,” a spokesperson told TechCrunch. “Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”
VMware servers that have not been updated in years can fall victim to “low-complexity” remote attacks that do not require knowing any employee credentials. The ransomware then encrypts the data and issues a ransom demand.
So far, officials and researchers are unsure who is behind the attacks. Deep Web Intelligence Feed tweeted screenshots of the ransomware showing that attackers are asking for about 2.064921 Bitcoin (about $19,000 US) to free the servers. DarkFeed notes that each ransom note lists a different Bitcoin wallet. OVHcloud initially blamed the campaign on Nevada Ransomware but has since recanted, saying, “No material can lead us to attribute this attack to any group.”
VMware says the attacks can only happen when admins have not updated their ESXi software in years. Spokeswoman Doreen Ruyak told TechCrunch that the developers became aware of the security hole designated CVE-2021-21974 and patched it in a February 2021 security advisory. She urges all organizations to ensure they are running a current version of the software to protect themselves.
“Security hygiene is a key component of preventing ransomware attacks, and organizations who are running versions of ESXi impacted by CVE-2021-21974, and have not yet applied the patch, should take action as directed in the advisory,” Ruyak said.