Unpatched VMWare Vulnerability Used by Hackers to Target Servers and Spread Ransomware

MakeUseOf

By Katie Rees

Published Feb 7, 2023

Hackers are exploiting an unpatched VMWare vulnerability to target ESXi servers and spread ransomware.

An unpatched software bug present in VMWare's ESXi servers is being exploited by hackers with the goal of spreading ransomware across the globe.

Unpatched VMWare Servers Are Abused by Hackers

A two-year-old software vulnerability present in VMWare's ESXi servers has become the target of a widespread hacking campaign. The objective of the attack is to deploy ESXiArgs, a new ransomware variant. Hundreds of organizations are estimated to have been affected.

France's Computer Emergency Response Team (CERT) posted a statement on February 3, wherein the nature of the attacks was discussed. In the CERT post, it was written that the campaigns "seem to have taken advantage of the exposure of ESXi hypervisors that have not been updated with security patches quickly enough." CERT also noted that the bug being targeted "allow an attacker to perform a remote arbitrary code exploitation."

Organizations have been urged to patch the hypervisor vulnerability to avoid falling victim to this ransomware operation. However, CERT reminded readers in the aforementioned statement that "updating a product or software is a delicate operation that must be carried out with caution," and that "it is recommended to perform tests as much as possible."

VMWare Has Also Spoken About the Situation

digital graphic of chained padlock with skull on front

Along with CERT and various other entities, VMWare has also released a post on this global attack. In a VMWare advisory, it was written that the server vulnerability (known as CVE-2021-21974) could give malicious actors the ability to "trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."

VMWare also noted that it issued a patch for this vulnerability in February 2021, which can be used to cut off the malicious operators' attack vector and therefore avoid being targeted.

This Attack Does Not Seem to Be State-Run

Though the identities of the attackers in this campaign are not yet known, it has been said by Italy's National Cybersecurity Agency (ACN) that there is currently no evidence suggesting that the attack was carried out by any state entity (as reported by Reuters). Various Italian organizations were affected by this attack, as well as organizations in France, the US, Germany, and Canada.

Suggestions have been given as to who could be responsible for this campaign, with software from various ransomware families such as BlackCat, Agenda, and Nokoyawa, being considered. Time will tell whether the operators' identities can be uncovered.

Ransomware Attacks Continue to Pose a Major Risk

As the years pass, more and more organizations are falling victim to ransomware attacks. This mode of cybercrime has become incredibly popular among malicious actors, with this global VMWare hack showing just how widespread the consequences can be.