IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers encrypt virtual hard disks using two VMWare ESXi vulnerabilities

Hypervisor flaws enable hackers to send requests to devices and take control

VMWare building with arched glass front

Security researchers have warned of two VMWare ESXi hypervisor flaws that ransomware gangs are using to encrypt virtual hard drives.

The vulnerabilities, CVE-2019-5544 and CVE-2020-3992, exist in the ESXi hypervisor that enables multiple virtual machines (VMs) to share the same storage hardware. The flaws affect the Service Layer Protocol (SLP), which allows computers and other devices to find services in a local area network without prior configuration.

According to reports, hackers have exploited the flaws to send malicious SLP requests to an ESXi device and take it over. Cyber criminals behind the RansomExx ransomware have been launching attacks since October 2020.

The cyber criminals gained access to devices on corporate networks and are using this as a springboard to attack other ESXi VMs and encrypt virtual hard drives.

According to a Reddit post, hackers have encrypted 1,000 VMs at Brazil’s Superior Tribunal de Justica (Brazil’s equivalent of the Supreme Court). Other victims have had VMs shut down and datastores encrypted and left with a ransom note at the datastore level.

Such attacks have been confirmed by security researcher Kevin Beaumont, who said hackers have used these vulnerabilities to bypass Windows security to shut down VMs and encrypt VMDKs directly on the hypervisor.

Currently, security researchers have only observed the RansomExx crime group abusing these flaws. However, researchers also believe the criminals behind the Babuk Locker ransomware have deployed similar tactics. 

According to cyber security firm Kela, other cyber criminals have been selling access to ESXi instances on underground forums for thousands of dollars, which could explain the link between the ESXi flaws and the ransomware attacks using them.

System administrators have been urged to update their VMWare ESXi installs or disable SLP support to secure them.

Natalie Page, cyber threat intelligence analyst at Sy4 Security, told ITPro that VMWare is a lucrative platform for attackers to target due to its global prevalence.

“Luckily the recommendations in this instance are pretty straight forward, users of VMWare ESXi should prioritize implementing patches for both CVE-2019-5544 and CVE-2020-3992 or disable SLP support to prevent attacks if the protocol isn't needed,” Page said.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Twilio account breach result of sophisticated social engineering campaign
Security

Twilio account breach result of sophisticated social engineering campaign

9 Aug 2022
Over 200,000 DrayTek routers vulnerable to total device takeover
Security

Over 200,000 DrayTek routers vulnerable to total device takeover

3 Aug 2022
Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Data on 69 million Neopets users stolen and listed for sale on hacker forum
Security

Data on 69 million Neopets users stolen and listed for sale on hacker forum

21 Jul 2022

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
UK water supplier confirms hack by Cl0p ransomware gang
ransomware

UK water supplier confirms hack by Cl0p ransomware gang

16 Aug 2022