Legacy VMware Bug Exploited in Global Ransomware Campaign

VMware customers are being urged to patch a vulnerability on their ESXi hypervisors first disclosed in 2021, in order to mitigate the impact of an ongoing ransomware campaign.

Government cybersecurity experts in France, Singapore and elsewhere have sounded the alarm after reports emerged of servers being compromised in Italy, France, Finland, the US and Canada.

Reuters reported dozens of servers in Italy as compromised, but the true scale of the global threat is still unknown. A Shodan search from dark web intelligence vendor DarkFeed revealed over 300 victims, although even this is likely to be the tip of the iceberg.

Both the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) appear to be aware of the campaign but had not released any official statement at the time of writing.

The vulnerability in question, CVE-2021-21974, enables attackers to perform remote code execution by triggering a heap-overflow issue in OpenSLP.

It impacts the following ESXi versions:

  • ESXi versions 7.x earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG
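Checking a host against this list by hand is error-prone, because ESXi reports itself as a version plus a build number (for example in the output of `vmware -v`) while the list above is written in terms of patch bulletins. The following is an added example, not code from the article or from VMware: it parses a `vmware -v` style string, identifies which of the three affected lines the host belongs to, and compares the build number with the fixing build where the article gives one. Only the 7.x entry carries a build number on this page (17325551, taken from the patch name ESXi70U1c-17325551); for 6.7.x and 6.5.x the article names the patch bulletin but not its build, so the checker reports those as "verify the patch is installed" rather than guessing. The sample `vmware -v` strings in `main()` are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Affected version lines and the patch that fixes CVE-2021-21974, as listed
# in the advisory. The build number is known only for 7.x (from the patch
# name); 6.7.x and 6.5.x are left as None because the article gives only the
# bulletin id, so the checker must not pretend to know the threshold.
FIXED_BUILDS = {
    "7.x":   ("ESXi70U1c-17325551", 17325551),
    "6.7.x": ("ESXi670-202102401-SG", None),
    "6.5.x": ("ESXi650-202102101-SG", None),
}

# Matches the usual `vmware -v` form, e.g. "VMware ESXi 7.0.1 build-17325551".
VMWARE_V = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


@dataclass
class Result:
    line: str                 # "7.x", "6.7.x", "6.5.x" or "<major>.<minor>.x"
    build: int
    patch: Optional[str]      # fixing bulletin from the advisory, if any
    status: str               # "patched", "vulnerable", "verify_patch", "not_listed"


def classify_line(major: int, minor: int) -> Optional[str]:
    """Map a major.minor pair onto one of the advisory's version lines."""
    if major == 7:
        return "7.x"
    if major == 6 and minor == 7:
        return "6.7.x"
    if major == 6 and minor == 5:
        return "6.5.x"
    return None


def check_esxi(vmware_v_output: str) -> Result:
    """Decide whether a host is on a build older than the fixing patch.

    Build numbers are only compared within the same version line; a 6.7 build
    is never compared against the 7.x threshold.
    """
    m = VMWARE_V.search(vmware_v_output)
    if not m:
        raise ValueError(f"unrecognised vmware -v output: {vmware_v_output!r}")
    major, minor, _update, build = (int(g) for g in m.groups())

    line = classify_line(major, minor)
    if line is None:
        # Not one of the three lines the advisory names (e.g. a later major).
        return Result(f"{major}.{minor}.x", build, None, "not_listed")

    patch, fixed_build = FIXED_BUILDS[line]
    if fixed_build is None:
        # The article names the bulletin but not its build: tell the operator
        # to confirm the bulletin is installed instead of guessing.
        return Result(line, build, patch, "verify_patch")

    status = "patched" if build >= fixed_build else "vulnerable"
    return Result(line, build, patch, status)


def main() -> None:
    # Constructed sample outputs, not taken from real hosts.
    samples = [
        "VMware ESXi 7.0.1 build-17325551",   # exactly the fixing build
        "VMware ESXi 7.0.0 build-16324942",   # older 7.x build
        "VMware ESXi 6.7.0 build-17167734",   # 6.7 line: bulletin check needed
        "VMware ESXi 8.0.0 build-20513097",   # not in the advisory's list
    ]
    for s in samples:
        r = check_esxi(s)
        print(f"{s:40} -> {r.status:13} line={r.line} patch={r.patch}")


if __name__ == "__main__":
    main()
```

Run it on an ESXi host with `vmware -v | python3 check.py`-style piping, or feed it strings collected by your inventory tooling; the point of the per-line lookup is that build numbers from different ESXi lines are not comparable, so a single global threshold would misclassify 6.x hosts.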

“Users and administrators of affected product versions are advised to upgrade to the latest versions immediately,” urged the Singapore Computer Emergency Response Team (SingCERT).

“As a precaution, a full system scan should also be performed to detect any signs of compromise. Users and administrators are also advised to assess if the ransomware campaign-targeted port 427 can be disabled without disrupting operations.”

The CERT also published the IP addresses associated with the ransomware actors, so that administrators can update firewall rules to block them.

CERT-FR added that SLP can be disabled on any ESXi servers that have not yet been updated, to further reduce the risk of compromise.

The identity of the group behind the campaign is currently unknown, although DarkFeed said each Bitcoin wallet provided to victims for payment is different. There’s no leak site linked to the group, only a Tox messaging app ID to contact.
