Hundreds of organisations worldwide have been targeted by a hacking campaign exploiting VMware’s ESXi servers to deploy the new ESXiArgs ransomware variant.
French and Italian cyber security agencies issued an urgent warning last week after attackers were found to be actively targeting servers left unpatched against a two-year-old remote code execution (RCE) vulnerability.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service and can enable an attacker to remotely execute arbitrary code.
VMware confirmed it is aware of exploit reports, adding that it issued a patch in February 2021 upon discovery of the vulnerability. However, the vendor urged customers to immediately apply the patch if the ESXi hypervisor has not yet been updated.
Widespread exploitation
Analysis from ransomware monitoring service Darkfeed found that the spread of the ESXiArgs ransomware is “extensive” and could have affected at least 327 organisations worldwide.
“The most targeted system is from France on OVH cloud and Hetzner hosting,” the service said on Twitter. “But they have hit other hosting and cloud companies around that world.”
In a statement on 3 February, OVH confirmed it was responding to the wave of attacks, adding that its managed cloud service had not been impacted.
“A wave of attacks is currently targeting ESXi servers,” the company said. “No OVHcloud managed services are impacted by this attack however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.”
Royal ransomware
Initial speculation from OVH suggested that this campaign was related to the new Nevada ransomware strain, which first emerged in December last year.
However, reports over the weekend pointed towards the Royal Ransomware strain as a key driver behind the wave of attacks against ESXi virtual machines.
Royal Ransomware started launching attacks in early 2022, with the group made up of previous veterans of the infamous Conti ransomware gang.
The group has accelerated operations in recent months, focusing attacks on US-based healthcare organisations and specifically targeting Linux systems more recently.
Stefan van der Wal, consulting solutions engineer at Barracuda Networks said that the current campaign highlights the critical risk for organisations failing to update software.
RELATED RESOURCE
2022 Magic quadrant for Security Information and Event Management (SIEM)
SIEM is evolving into a security platform with multiple features and deployment models
“The reported widespread ransomware attacks against unpatched VMware ESXi systems in Europe and elsewhere appear to have exploited a vulnerability for which a patch was made available in 2021,” he said.
“This highlights how important it is to update key software infrastructure systems as quickly as possible.
“It isn’t always easy for organisations to update software. In the case of this patch, for example, organisations need to disable temporarily essential parts of their IT infrastructure. But it is far better to face that than to be hit by a potentially damaging attack.”
Van der Wal added that virtual machines are becoming an increasingly attractive target for ransomware gangs due to their use in running business-critical services and functions.
“Securing virtual infrastructure is vital,” he said. “It is particularly important to ensure that access to a virtual system’s management console is secured and can’t be easily accessed through a compromised account on the corporate network, for example.”
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
