Security researchers have warned of two VMWare ESXi hypervisor flaws that ransomware gangs are using to encrypt virtual hard drives.
The vulnerabilities, CVE-2019-5544 and CVE-2020-3992, exist in the ESXi hypervisor that enables multiple virtual machines (VMs) to share the same storage hardware. The flaws affect the Service Layer Protocol (SLP), which allows computers and other devices to find services in a local area network without prior configuration.
According to reports, hackers have exploited the flaws to send malicious SLP requests to an ESXi device and take it over. Cyber criminals behind the RansomExx ransomware have been launching attacks since October 2020.
The cyber criminals gained access to devices on corporate networks and are using this as a springboard to attack other ESXi VMs and encrypt virtual hard drives.
According to a Reddit post, hackers have encrypted 1,000 VMs at Brazil’s Superior Tribunal de Justica (Brazil’s equivalent of the Supreme Court). Other victims have had VMs shut down and datastores encrypted and left with a ransom note at the datastore level.
Such attacks have been confirmed by security researcher Kevin Beaumont, who said hackers have used these vulnerabilities to bypass Windows security to shut down VMs and encrypt VMDKs directly on the hypervisor.
Currently, security researchers have only observed the RansomExx crime group abusing these flaws. However, researchers also believe the criminals behind the Babuk Locker ransomware have deployed similar tactics.
According to cyber security firm Kela, other cyber criminals have been selling access to ESXi instances on underground forums for thousands of dollars, which could explain the link between the ESXi flaws and the ransomware attacks using them.
System administrators have been urged to update their VMWare ESXi installs or disable SLP support to secure them.
Natalie Page, cyber threat intelligence analyst at Sy4 Security, told ITPro that VMWare is a lucrative platform for attackers to target due to its global prevalence.
“Luckily the recommendations in this instance are pretty straight forward, users of VMWare ESXi should prioritize implementing patches for both CVE-2019-5544 and CVE-2020-3992 or disable SLP support to prevent attacks if the protocol isn't needed,” Page said.
-
The unseen risk in Microsoft 365: disaster recoveryBusinesses that assume they’re covered for data backup could come unstuck in a time of crisis
-
Anthropic CEO Dario Amodei's prediction about AI in software development is nowhere nearly to becoming a realityNews In March, Anthropic CEO Dario Amodei claimed up to 90% of code would be written by AI within six months – his prediction hasn't quite come to fruition.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
