Hundreds of organisations worldwide have been targeted by a hacking campaign exploiting VMware’s ESXi servers to deploy the new ESXiArgs ransomware variant.
French and Italian cyber security agencies issued an urgent warning last week after attackers were found to be actively targeting servers left unpatched against a two-year-old remote code execution (RCE) vulnerability.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service and can enable an attacker to remotely execute arbitrary code.
VMware confirmed it is aware of exploit reports, adding that it issued a patch in February 2021 upon discovery of the vulnerability. However, the vendor urged customers to immediately apply the patch if the ESXi hypervisor has not yet been updated.
Widespread exploitation
Analysis from ransomware monitoring service Darkfeed found that the spread of the ESXiArgs ransomware is “extensive” and could have affected at least 327 organisations worldwide.
“The most targeted system is from France on OVH cloud and Hetzner hosting,” the service said on Twitter. “But they have hit other hosting and cloud companies around that world.”
In a statement on 3 February, OVH confirmed it was responding to the wave of attacks, adding that its managed cloud service had not been impacted.
“A wave of attacks is currently targeting ESXi servers,” the company said. “No OVHcloud managed services are impacted by this attack however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.”
Royal ransomware
Initial speculation from OVH suggested that this campaign was related to the new Nevada ransomware strain, which first emerged in December last year.
However, reports over the weekend pointed towards the Royal Ransomware strain as a key driver behind the wave of attacks against ESXi virtual machines.
Royal Ransomware started launching attacks in early 2022, with the group made up of previous veterans of the infamous Conti ransomware gang.
The group has accelerated operations in recent months, focusing attacks on US-based healthcare organisations and specifically targeting Linux systems more recently.
Stefan van der Wal, consulting solutions engineer at Barracuda Networks said that the current campaign highlights the critical risk for organisations failing to update software.
RELATED RESOURCE
2022 Magic quadrant for Security Information and Event Management (SIEM)
SIEM is evolving into a security platform with multiple features and deployment models
“The reported widespread ransomware attacks against unpatched VMware ESXi systems in Europe and elsewhere appear to have exploited a vulnerability for which a patch was made available in 2021,” he said.
“This highlights how important it is to update key software infrastructure systems as quickly as possible.
“It isn’t always easy for organisations to update software. In the case of this patch, for example, organisations need to disable temporarily essential parts of their IT infrastructure. But it is far better to face that than to be hit by a potentially damaging attack.”
Van der Wal added that virtual machines are becoming an increasingly attractive target for ransomware gangs due to their use in running business-critical services and functions.
“Securing virtual infrastructure is vital,” he said. “It is particularly important to ensure that access to a virtual system’s management console is secured and can’t be easily accessed through a compromised account on the corporate network, for example.”
-
Everything we know about the Plex data breach so farNews Plex advised users to sign out of any connected devices that are currently logged in and enable two-factor authentication if they haven’t already.
-
Mainframes are back in vogueNews Mainframes are back in vogue, according to research from Kyndryl, with enterprises ramping up hybrid IT strategies and generative AI adoption.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
