
Thousands of unpatched VMware ESXi servers hit by ransomware via old bug (CVE-2021-21974)
2023-02-06 12:06

Late last week, unknown attackers launched a widespread ransomware attack hitting VMware ESXi hypervisors via CVE-2021-21974, an easily exploitable vulnerability that lets them execute code remotely without prior authentication.

Patches for CVE-2021-21974, a vulnerability in ESXi's OpenSLP service, were released by VMware two years ago, and this attack has revealed just how many servers out there are still unpatched, with the SLP service still running and the OpenSLP port still exposed.

The French CERT and French cloud computing company OVH were the first to sound the alarm on Friday evening, positing that the attackers are exploiting CVE-2021-21974 and urging owners of unpatched and still unaffected servers to quickly patch or disable the SLP service.

After some initial speculation about which ransomware the attackers use to encrypt vulnerable servers, it has been confirmed that it's a new ransomware family, dubbed ESXiArgs after the targeted systems and the extension added to the encrypted virtual machine files.

Admins whose ESXi servers have not been hit have probably already implemented the patch offered by VMware, disabled the SLP service, and/or made the servers unreachable from the internet.

There are many ransomware families - and other malware - out there capable of targeting VMware ESXi virtual machines, and with a PoC exploit for CVE-2021-21974 being public, we can expect the threat actors wielding them to try the same trick.
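The article's mitigations are to patch, disable the SLP service, or firewall it off. The following POSIX shell script is an added example (not from the article, OVH, CERT-FR or VMware) that checks an ESXi host for exactly those three conditions: it reads the build from `vmware -v`, compares a 7.0.x build against the first fixed build the advisory names (ESXi70U1c-17325551; the 6.7 and 6.5 fixes are only identified by patch name on the page, so those are flagged for manual verification), and reports whether the OpenSLP daemon (`slpd`) and its `CIMSLP` firewall ruleset are still enabled. Off an ESXi host it runs against constructed sample output; the `disable_slp` function follows VMware's published workaround commands and only runs when explicitly requested on a real host.

```shell
#!/bin/sh
# Added example: defender-side exposure check for CVE-2021-21974 on ESXi.
# Not part of the article or of VMware's tooling. All sample strings below
# are constructed for offline runs, not captured from a real host.

# Constructed sample data (what the three host commands would print).
SAMPLE_VLINE='VMware ESXi 7.0.1 build-17000001'   # constructed pre-fix build
SAMPLE_RULES='Name                      Enabled
------------------------  -------
sshServer                 true
CIMSLP                    true'
SAMPLE_SVCS='slpd                on
sshd                on'

# Numeric build from a `vmware -v` line such as "VMware ESXi 7.0.1 build-17325551".
parse_build() {
  printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p'
}

# "major.minor" from the same line (7.0.1 -> 7.0).
parse_version() {
  printf '%s\n' "$1" | sed -n 's/.*ESXi \([0-9]*\.[0-9]*\).*/\1/p'
}

# Only the 7.0 fix carries its build number in the advisory (17325551);
# 6.7 and 6.5 are named by patch id only, so they get a manual-check verdict.
build_status() {
  ver=$(parse_version "$1"); build=$(parse_build "$1")
  [ -n "$build" ] || { echo unparseable; return; }
  case "$ver" in
    7.0) [ "$build" -lt 17325551 ] && echo vulnerable || echo patched ;;
    6.7) echo "verify ESXi670-202102401-SG applied" ;;
    6.5) echo "verify ESXi650-202102101-SG applied" ;;
    *)   echo "unknown version $ver" ;;
  esac
}

# Is the CIMSLP ruleset enabled in `esxcli network firewall ruleset list` output?
cimslp_enabled() {
  printf '%s\n' "$1" | awk '$1 == "CIMSLP" { v = ($2 == "true") ? "yes" : "no"; print v; found = 1 }
                             END { if (!found) print "no" }'
}

# Is slpd set to start on boot according to `chkconfig --list` output?
slpd_on() {
  printf '%s\n' "$1" | awk '$1 == "slpd" { v = ($2 == "on") ? "yes" : "no"; print v; found = 1 }
                             END { if (!found) print "no" }'
}

# SLP is reachable only when both the daemon runs and the firewall lets it through.
slp_reachable() {
  [ "$(cimslp_enabled "$1")" = yes ] && [ "$(slpd_on "$2")" = yes ] && echo yes || echo no
}

# Overall verdict combining patch level and SLP reachability.
verdict() {
  bs=$(build_status "$1"); reach=$(slp_reachable "$2" "$3")
  if [ "$bs" = patched ]; then echo "not exposed (patched)"
  elif [ "$reach" = yes ]; then echo "EXPOSED: $bs, SLP reachable"
  else echo "SLP disabled or firewalled; build status: $bs"
  fi
}

# VMware's published workaround: stop slpd, block its ruleset, keep it off at boot.
# Only invoked on a real host with --disable-slp.
disable_slp() {
  /etc/init.d/slpd stop
  esxcli network firewall ruleset set -r CIMSLP -e 0
  chkconfig slpd off
}

main() {
  if command -v esxcli >/dev/null 2>&1; then      # real ESXi host
    vline=$(vmware -v)
    rules=$(esxcli network firewall ruleset list)
    svcs=$(chkconfig --list)
    [ "$1" = --disable-slp ] && disable_slp
  else                                            # offline: constructed samples
    vline=$SAMPLE_VLINE; rules=$SAMPLE_RULES; svcs=$SAMPLE_SVCS
  fi
  echo "build:         $(build_status "$vline")"
  echo "SLP reachable: $(slp_reachable "$rules" "$svcs")"
  echo "verdict:       $(verdict "$vline" "$rules" "$svcs")"
}
main "$@"
```

Run it as-is on an ESXi shell for a report, or with `--disable-slp` to apply the workaround; off-host it exercises the parsing logic against the constructed samples. The build comparison is a floor, not a full patch audit: a 7.0 host at or above build 17325551 has the fix, but a 6.7 or 6.5 host must be checked against the named patch ids.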


News URL

https://www.helpnetsecurity.com/2023/02/06/vmware-esxi-ransomware-cve-2021-21974/

Related Vulnerability

DATE:                2021-02-24
CVE:                 CVE-2021-21974
VULNERABILITY TITLE: Out-of-bounds Write vulnerability in VMWare Cloud Foundation and Esxi
                     OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability.
                     low complexity
                     vmware, CWE-787
RISK:                5.8

Related vendor

VENDOR:      Vmware
LAST 12M:    186
#/PRODUCTS:  (not shown)
LOW:         84
MEDIUM:      404
HIGH:        199
CRITICAL:    101
TOTAL VULNS: 788