Massive ransomware operation targets VMware ESXi: How to protect from this security threat
CVE-2021-21974 is a vulnerability affecting OpenSLP as used in VMware ESXi.
The French government's Computer Emergency Response Team, CERT-FR, was the first to raise an alert on ransomware exploiting this vulnerability, on Feb. 3, 2023, quickly followed by French hosting provider OVH. Attackers can exploit the vulnerability remotely and without authentication via port 427, the port used by SLP, a protocol that most VMware customers do not use.
The ransomware threat actor behind this attack is not known, as the malware appears to be a new ransomware family.
The Babuk code that leaked in 2021 has been used to create other malware that often targets ESXi systems, but it seems too early to draw a definitive conclusion as to the attribution of that new malware, which has been dubbed ESXiArgs by security researchers.
The next step consists of reinstalling the hypervisor on a version supported by VMware (ESXi 7.x or ESXi 8.x) and applying all security patches.
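The two defensive facts above (the bug is reachable over port 427 only while the SLP service is exposed, and the fix is a supported ESXi release with the patch applied) can be turned into a simple inventory triage. The script below is an added example written for this page, not code from the TechRepublic article or from VMware; the inventory fields, host names and build numbers are constructed, and only the fixed builds and patch IDs come from the advisory text on this page. It ranks each host by whether it is patched, whether slpd is still running, and whether port 427 is reachable from untrusted networks.

```python
"""Triage an ESXi inventory against CVE-2021-21974 (OpenSLP heap overflow).

Added example, not from the article or VMware. The fixed releases named on
this page are ESXi 7.0 build 17325551 (ESXi70U1c), ESXi670-202102401-SG and
ESXi650-202102101-SG. Everything else here (field names, hosts, old builds)
is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fixed numeric build for the 7.0 line (from the advisory text on this page).
FIXED_BUILD_70 = 17325551
# For 6.7 and 6.5 the page names patch IDs rather than numeric builds, so
# those lines are checked against the patch ID the host reports.
FIXED_PATCH = {"6.7": "ESXi670-202102401-SG", "6.5": "ESXi650-202102101-SG"}


@dataclass
class Host:
    name: str
    version: str               # major.minor, e.g. "7.0" (constructed field)
    build: int                 # numeric build, as shown by the host
    patch_id: str              # last -SG patch applied, "" if unknown
    slp_enabled: bool          # is the slpd service running?
    port_427_reachable: bool   # reachable from untrusted networks?


def is_patched(h: Host) -> Optional[bool]:
    """True/False for supported lines; None when the host needs a rebuild."""
    if h.version.startswith("8."):
        # 8.x postdates the fix and is a supported target for reinstall.
        return True
    if h.version == "7.0":
        return h.build >= FIXED_BUILD_70
    if h.version in FIXED_PATCH:
        fixed = FIXED_PATCH[h.version]
        prefix = fixed.split("-")[0] + "-"
        # Patch IDs are date-based (ESXi670-YYYYMMNN-SG), so a lexical compare
        # on the same prefix orders them chronologically. An unknown or
        # differently formatted patch_id is treated as unpatched (conservative).
        return h.patch_id.startswith(prefix) and h.patch_id >= fixed
    # 6.0 and older are out of support: reinstall on 7.x/8.x, then patch.
    return None


def triage(h: Host) -> str:
    """Return a severity label and the recommended action for one host."""
    patched = is_patched(h)
    if patched is None:
        return "REINSTALL: unsupported ESXi release; rebuild on 7.x/8.x and patch"
    if patched:
        return "OK: fixed build/patch present"
    if not h.slp_enabled:
        return "MEDIUM: vulnerable build but slpd disabled; schedule the patch"
    if h.port_427_reachable:
        return "CRITICAL: vulnerable, slpd running, port 427 exposed; isolate and patch now"
    return "HIGH: vulnerable, slpd running; block port 427 and patch"


def triage_inventory(hosts: List[Host]) -> Dict[str, str]:
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory; names and old builds are illustrative only.
SAMPLE_INVENTORY = [
    Host("esx-a", "7.0", 17325551, "", True, True),
    Host("esx-b", "7.0", 17000000, "", True, True),
    Host("esx-c", "6.7", 0, "ESXi670-202102401-SG", True, True),
    Host("esx-d", "6.7", 0, "ESXi670-202011002-SG", False, True),
    Host("esx-e", "6.5", 0, "", True, False),
    Host("esx-f", "6.0", 0, "", True, True),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

The version, build and patch fields map to what an administrator already collects from each host; the point of the ordering is that a host whose slpd is stopped and whose port 427 is filtered drops out of the emergency bucket even before it is patched, which is the interim mitigation the port-427 observation implies.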
Jan Lovmand, chief technology officer of BullWall, a cybersecurity firm focused on preventing ransomware attacks, told TechRepublic more about the vulnerability.
News URL: https://www.techrepublic.com/article/massive-ransomware-operation-targets-vmware-esxi/
Related news
- MFA bypass becomes a critical security issue as ransomware tactics advance
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks
- Obsidian Security Warns of Rising SaaS Threats to Enterprises
- Volkswagen monitoring data dump threat from 8Base ransomware crew
- Eliminating AI Deepfake Threats: Is Your Identity Security AI-Proof?
- AWS security essentials for managing compliance, data protection, and threat detection
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-02-24 | CVE-2021-21974 | Out-of-bounds write vulnerability in VMware Cloud Foundation and ESXi: OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. | 5.8 |