VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree

Share This Post

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide.

“Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” the virtualization services provider said.

The company is further recommending users to upgrade to the latest available supported releases of vSphere components to mitigate known issues and disable the OpenSLP service in ESXi.

“In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default,” VMware added.

The announcement comes as unpatched and unsecured VMware ESXi servers around the world have been targeted in a large-scale ransomware campaign dubbed ESXiArgs by likely exploiting a two-year-old bug VMware patched in February 2021.

The vulnerability, tracked as CVE-2021-21974 (CVSS score: 8.8), is an OpenSLP heap-based buffer overflow vulnerability that an unauthenticated threat actor can exploit to gain remote code execution.

The intrusions appear to single out susceptible ESXi servers that are exposed to the internet on OpenSLP port 427, with the victims instructed to pay 2.01 Bitcoin (about $45,990 as of writing) to receive the encryption key needed to recover files. No data exfiltration has been observed to date.

Data from GreyNoise shows that 19 unique IP addresses have been attempting to exploit the ESXi vulnerability since February 4, 2023. 18 of the 19 IP addresses are classified as benign, with one sole malicious exploitation recorded from the Netherlands.

“ESXi customers should ensure their data is backed up and should update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur,” Rapid7 researcher Caitlin Condon said. “ESXi instances should not be exposed to the internet if at all possible.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

The Hacker News

Read More

More Articles
Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.
Article

BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .