Massive ransomware campaign targets unpatched VMware servers via old vulnerability

Unidentified attackers have begun a widespread ransomware campaign with the goal of infecting thousands of unpatched VMware ESXi servers by using a vulnerability that was patched about two years ago.


The French CERT (CERT-FR) and the French cloud computing firm OVH were the first to raise the alarm last week, claiming that the attackers were exploiting a security flaw tracked as CVE-2021-21974 to target ESXi hypervisors.


"According to current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021," CERT-FR said.


"The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7," it added.



Attention, we are receiving many reports related to this campaign! To be handled urgently! https://t.co/7f40u17MWq


— Mathieu Feuillet (@MathieuFeuillet) February 3, 2023

According to security experts, CVE-2021-21974 is caused by a memory overflow in the OpenSLP service, which threat actors may use to execute code remotely without any prior authentication.


The new ransomware family, dubbed "ESXiArgs", encrypts files with the .vmx, .vmxf, .vmsd, .vmdk, and .nvram extensions on compromised ESXi hosts and generates a .args file for each encrypted file.
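A triage check for the file-level artefacts described above, added here as an example and not part of the article or of any vendor tooling: it walks a datastore tree and reports every VM file that has an ESXiArgs ".args" companion, so an administrator can inventory which VM files were encrypted. The datastore path is a parameter (on a real host it would be /vmfs/volumes); the sample directory the script builds is constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not the article's code. ESXiArgs leaves a "<file>.args"
# companion next to each encrypted .vmx/.vmxf/.vmsd/.vmdk/.nvram file, so the
# set of .args files is a direct inventory of encrypted VM files.

# esxiargs_scan DIR -> prints the path of every VM file that has a .args
# companion under DIR. A .args file next to a non-VM file is ignored.
esxiargs_scan() {
    find "$1" -type f -name '*.args' 2>/dev/null | while IFS= read -r args; do
        victim=${args%.args}                      # strip the .args suffix
        case "$victim" in
            *.vmx|*.vmxf|*.vmsd|*.vmdk|*.nvram) printf '%s\n' "$victim" ;;
        esac
    done
}

# esxiargs_count DIR -> number of encrypted VM files found (0 when clean).
esxiargs_count() {
    esxiargs_scan "$1" | wc -l | tr -d ' '
}

# Constructed sample datastore (hypothetical layout): one hit VM, one clean VM,
# and a stray .args file that is not an ESXiArgs artefact.
make_sample_datastore() {
    root=$(mktemp -d)
    mkdir -p "$root/vm1" "$root/vm2"
    : > "$root/vm1/vm1.vmx";  : > "$root/vm1/vm1.vmx.args"
    : > "$root/vm1/vm1.vmdk"; : > "$root/vm1/vm1.vmdk.args"
    : > "$root/vm2/vm2.vmx"                    # untouched VM
    : > "$root/vm2/notes.txt.args"             # not a VM file: ignored
    printf '%s\n' "$root"
}

# Stand-alone use: ./esxiargs_scan.sh /vmfs/volumes
if [ "$#" -gt 0 ]; then
    esxiargs_scan "$1"
    echo "encrypted VM files: $(esxiargs_count "$1")"
fi
```

A non-zero count is a strong indicator that the host has been hit; the listed files should be preserved as evidence before any recovery attempt.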


Michael Gillespie of ID Ransomware examined a copy of the ESXiArgs encryptor and found it to be secure, with no obvious cryptographic weaknesses that would allow decryption.

