Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has refuted claims that two-year-old vulnerabilities have been exploited in the ongoing ESXiArgs ransomware attacks.
Over the weekend, reports emerged about cybercriminals exploiting a two-year-old vulnerability in virtualization services provider VMware in a ransomware campaign. French CERT (Computer Emergency Response Team) said the campaign has been active since February 3rd, 2023.
Moreover, Italy’s ACN (National Cybersecurity Agency) issued a warning about a large-scale ransomware campaign. The agency noted that attackers were aiming to target thousands of organizations across Europe and North America.
It was also reported that VMware’s ESXi servers were vulnerable, as these had not been patched against a remotely exploitable flaw discovered in 2021. Attackers compromised the server and added a ransomware variant called ESXiArgs.
For your information, ESXi is VMware’s hypervisor technology, which allows organizations to host multiple virtualized computers running multiple operating systems on a single physical server.
The vulnerability is tracked as CVE-2021-21974 and assigned a CVSS rating of 8.8. It is an OpenSLP heap-based buffer overflow flaw, which an unauthorized actor can exploit to gain remote code execution. A fix for it was released on February 23, 2021, by VMware.
However, on Monday, VMware denied the news and stated they could not find any evidence that threat actors were trying to leverage a zero-day in its software in a worldwide active ransomware campaign.
“Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” said Edward Hawkins, the High-Profile Product Incident Response Manager at VMware in a blog post.
The company has advised its customers to upgrade to its latest vSphere components release to mitigate the threat. Furthermore, the company recommends disabling the OpenSLP service in ESXi. It is worth noting that the service was disabled by default in ESXi 7.0 U2c and ESXi 8.0 GA, shipped in 2021.
According to GreyNoise data, 19 unique IP addresses have attempted to exploit the ESXi vulnerability since February 4, 2023. Eighteen IP addresses were classified as benign, whereas one instance of malicious exploitation of the issue was reported in the Netherlands.
The intrusion involved exploiting the already-susceptible ESXi servers, which were exposed to the internet on the OpenSLP port 427. The victims were asked to pay 2.01 Bitcoin or $45,990 in exchange for the encryption key for file recovery. But so far, there are no reports of data exfiltration.
The U.S. CISA is investigating the ESXiArgs campaign. According to the agency’s spokesperson, they have collaborated with private and public sector partners to analyze the impact of the reported incidents and offer assistance where required.
“Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI,” they added.