Ransomware Targeting VMware Vulnerability Has Hit Hundreds Of Servers In US, Canada: Cyber Firm
VMware says that in addition to updating to the latest versions of the affected software, it continues to recommend that customers disable the vulnerable service in older versions of ESXi.
The “ESXiArgs” ransomware has impacted several hundred VMware ESXi servers in the U.S. and Canada by exploiting a two-year-old vulnerability, according to the latest data from cybersecurity firm Censys.
The firm’s data, which was initially reported by Bleeping Computer, shows that 362 servers in the U.S. and 240 servers in Canada had been affected by the ransomware, as of this writing.
[Related: Patching Urged For ‘Critical’ VMware vRealize Vulnerabilities]
More than 2,400 servers running the VMware ESXi hypervisor are currently impacted in total, and the U.S. and Canada rank second and fourth, respectively, in terms of the countries hardest hit by the ransomware campaign. France has seen the largest number of impacted servers, according to Censys.
The ransomware attacks are reportedly targeting servers that have not been patched against a vulnerability first disclosed in 2021 and tracked at CVE-2021-21974. The vulnerability specifically affects the OpenSLP service in older versions of ESXi, and can be exploited to enable remote execution of code.
VMware disabled the OpenSLP service in ESXi in 2021 starting with ESXi 7.0 U2c and ESXi 8.0 GA, the company noted an updated advisory Monday.
VMware said that it’s “advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” and that it also continues to recommend that customers disable the OpenSLP service in ESXi.
“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks,” the company said in its update. “Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs).”
Data from cybersecurity firm Cyble confirmed that hundreds of servers in the U.S. and Canada have been impacted in the ESXiArgs ransomware attacks, though their data posted Monday showed lower totals. Citing the Shodan search engine, Cyble reported that nearly 200 VMware servers in the U.S. and more than 50 in Canada were affected.
Along with updating VMware ESXi to the latest versions, Cyble said in its post that “conducting a full system scan to identify potential security breaches is highly recommended. Additionally, users and administrators should evaluate if it is feasible to turn off port 427, which was the target of a ransomware attack, without affecting the system’s normal functioning.”