Security News > 2023 > February > Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
Admins, hosting providers, and the French Computer Emergency Response Team warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.
"As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021," CERT-FR said.
To block incoming attacks, admins have to disable the vulnerable Service Location Protocol service on ESXi hypervisors that haven't yet been updated.
French cloud provider OVHcloud has also published a report today linking this massive wave of attacks targeting VMware ESXi servers with the Nevada ransomware operation.
"The attack is primarily targetting ESXi servers in version before 7.0 U3i, apparently through the OpenSLP port."
From the ransom notes seen in this attack, they do not appear to be related to the Nevada Ransomware, and appears to be a new ransomware family.
News URL
Related news
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems (source)
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE (source)
- Massive PSAUX ransomware attack targets 22,000 CyberPanel instances (source)
- Ransomware hits web hosting servers via vulnerable CyberPanel instances (source)
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- Meet Interlock — The new ransomware targeting FreeBSD servers (source)
- City of Columbus: Data of 500,000 stolen in July ransomware attack (source)
- Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-02-24 | CVE-2021-21974 | Out-of-bounds Write vulnerability in VMWare Cloud Foundation and Esxi OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. | 8.8 |