Update on the VMware ESXi vulnerability exploitation.
Feb 7, 2023

VMware issues advice for customers.

More information has come to light regarding the widespread ransomware attacks exploiting a two-year-old vulnerability in VMware ESXi servers.

Ransomware campaign is widespread in Europe and North America.

The ransomware, which is being tracked as “ESXiArgs,” appears to be a new strain. SC Media reports that Europe is the hardest-hit region, followed by North America. Reuters quotes the US Cybersecurity and Infrastructure Security Agency (CISA) as saying, “CISA is working with our public and private sector partners to assess the impacts of these reported incidents and provide assistance where needed.”

VMware yesterday published the following statement:

“We wanted to address the recently reported ‘ESXiArgs’ ransomware attacks as well as provide some guidance on actions concerned customers should take to protect themselves.

“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks. Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs). You can sign up for email and RSS alerts when an advisory is published or significantly modified on our main VMSA page.

“With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. In addition, VMware has recommended disabling the OpenSLP service in ESXi. In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.”
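The second half of VMware's advice, disabling OpenSLP on hosts that still have it enabled, is a small check-then-act job an administrator runs over SSH on each host. The script below is an added example, not code from the article or from VMware. It assumes the ESXi shell's `chkconfig`, `esxcli` and `/etc/init.d/slpd` are present (they are on the ESXi releases the statement refers to); where they are not, it falls back to a constructed sample line so the parsing can be exercised offline. Run it without arguments to report and print the planned steps, and with `--disable` on the host to apply them.

```sh
#!/bin/sh
# Added example (not from the article or VMware): report whether the OpenSLP
# service (slpd) is enabled on an ESXi host and, with --disable, stop it,
# block its firewall ruleset, and keep it from starting at boot.
# Assumes the ESXi shell tools chkconfig, esxcli and /etc/init.d/slpd.

# Constructed sample outputs of `chkconfig --list | grep slpd`
# (not captured from a real host); used when chkconfig is unavailable.
SAMPLE_SLPD_ON="slpd            on"
SAMPLE_SLPD_OFF="slpd            off"

# slp_state LINE: print "on" or "off" from a chkconfig line for slpd.
# Returns 1 when the line does not describe slpd.
slp_state() {
    printf '%s\n' "$1" | awk '
        $1 == "slpd" && ($2 == "on" || $2 == "off") { print $2; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# needs_mitigation STATE: true (0) when slpd is still enabled at boot.
needs_mitigation() {
    [ "$1" = "on" ]
}

# disable_commands: print the mitigation steps one per line so the change can
# be reviewed and logged before it is applied.
disable_commands() {
    cat <<'EOF'
/etc/init.d/slpd stop
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off
EOF
}

# current_state: read the live chkconfig entry, or fall back to the sample.
current_state() {
    if command -v chkconfig >/dev/null 2>&1; then
        slp_state "$(chkconfig --list 2>/dev/null | grep '^slpd')"
    else
        echo "note: chkconfig not found, using constructed sample" >&2
        slp_state "$SAMPLE_SLPD_ON"
    fi
}

main() {
    state="$(current_state)" || { echo "could not determine slpd state" >&2; return 1; }
    echo "slpd startup state: $state"
    if ! needs_mitigation "$state"; then
        echo "OpenSLP already disabled; nothing to do"
        return 0
    fi
    if [ "${1:-}" != "--disable" ]; then
        echo "OpenSLP is enabled. Re-run with --disable on the host to apply:"
        disable_commands
        return 0
    fi
    # Show active SLP sessions first; wait for them to drain before stopping.
    esxcli system slp stats get || true
    disable_commands | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
    echo "verify: $(chkconfig --list | grep '^slpd')"
}

main "$@"
```

The firewall step matters as much as stopping the daemon: the CIMSLP ruleset is what exposes the service on the network, and `chkconfig slpd off` is what keeps the change across reboots. Re-run the script after patching too, since an upgrade to a supported release is the first half of the advice and this setting should be confirmed on the upgraded host.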

Industry comment.

Bernard Montel, EMEA Technical Director and Security Strategist at Tenable, offered the following comments:

“The sad truth is that we often see known vulnerabilities, with an exploit available, left unpatched. This puts organisations at incredible jeopardy of being successfully penetrated. In this case, with the 2-year-old VMware vulnerability, the threat is immense given the active exploitation.

“Virtualisation is at the heart of most organisations’ cloud strategy – whether on-premise, public or hybrid, with the hypervisor the backbone of IT. Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything. If threat actors are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection.

“The issue for many organisations is evaluating uptime, versus taking something offline to patch. In this case, the calculation really couldn’t be more straightforward – a few minutes of inconvenience or days of disruption.

“We know that threat actors favour known vulnerabilities impacting popular software — including Open Source, VMware, ManageEngine, PrintNightmare and ProxyShell. Threat actors target these flaws knowing they can abuse admin rights to traverse the network and inflict damage, even holding sensitive information systems and data to ransom. For business continuity, it’s imperative security teams determine how to address exploited vulnerabilities while minimising the impact to the organisation instead of leaving known flaws unaddressed.”