Security News

VMware has released a vSphere ESXi update that addresses a known issue causing some Windows Server 2022 virtual machines to no longer boot after installing this month's KB5022842 update. Microsoft first acknowledged the issue on Thursday when the company said it only impacts VMs with Secure Boot enabled and running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x. Although Redmond says that only VMware ESXi VMs are affected, some Windows admin reports hint at other hypervisor platforms being impacted by similar boot problems after deploying this month's updates.

Thousands of unpatched VMware ESXi servers hit by ransomware via old bugLate last week, unknown attackers launched a widespread ransomware attack hitting VMware ESXi hypervisors via CVE-2021-21974, an easily exploitable vulnerability that allows them to run exploit code remotely, without prior authentication. Reddit breached: Internal docs, dashboards, systems accessedPopular social news website and forum Reddit has been breached and the attacker "Gained access to some internal docs, code, as well as some internal dashboards and business systems," but apparently not to primary production systems and user data.

This subgroup, which is called Conti Team 1, released the Zion ransomware before rebranding it as Royal ransomware. Royal spread so fast because it became the ransomware making the biggest number of victims in November 2022, taking the lead in front of the LockBit ransomware.

New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines. Last Friday, a massive and widespread automated ransomware attack encrypted over 3,000 Internet-exposed VMware ESXi servers using a new ESXiArgs ransomware.

Here's some more bad news: the ransomware used in this attack, which you'll see referred to variously as ESXi ransomware and ESXiArgs ransomware, seems to be a general-purpose pair of malware files, one being a shell script, and the other a Linux program. In other words, altough you absolutely need to patch against these old-school VMWare bugs if you haven't already, there's nothing about this malware that inextricably locks it to attacking only via VMWare vulnerabilities, or to attacking only VMWare-related data files.

CVE-2021-21974 is a vulnerability affecting OpenSLP as used in VMware ESXi. The French government's Computer Emergency Response Team CERT-FR was the first to raise an alert on ransomware exploiting this vulnerability on Feb. 3, 2023, quickly followed by French hosting provider OVH. Attackers can exploit the vulnerability remotely and unauthenticated via port 427, which is a protocol that most VMware customers do not use.

We and our store and/or access information on a device, such as cookies and process personal data, such as unique identifiers and standard information sent by a device for personalised ads and content, ad and content measurement, and audience insights, as well as to develop and improve products. With your permission we and our partners may use precise geolocation data and identification through device scanning.

Late last week, unknown attackers launched a widespread ransomware attack hitting VMware ESXi hypervisors via CVE-2021-21974, an easily exploitable vulnerability that allows them to run exploit code remotely, without prior authentication. Patches for CVE-2021-21974, a vulnerability in ESXi's OpenSLP service, have been provided by VMware two years ago, and this attack has revealed just how many servers are out there are still unpatched, with the SLP service still running and the OpenSLP port still exposed.

France's Computer Emergency Response Team has issued a Bulletin D'Alerte regarding a campaign to infect VMware's ESXI hypervisor with ransomware. Targets don't come much richer than ESXi - the bare metal hypervisor can afford access to many guest machines that run apps and store data.

Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines. The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center, and is executed using the command line.