Italian National Cybersecurity Agency (ACN) warns of massive ransomware campaign targeting VMware ESXi servers

The Italian National Cybersecurity Agency (ACN) warns of an ongoing massive ransomware campaign targeting VMware ESXi servers.

The Italian National Cybersecurity Agency (ACN) warns of an ongoing massive ransomware campaign targeting VMware ESXi servers worldwide, including Italian systems. The attackers are attempting to exploit the CVE-2021–21974 vulnerability.

According to the ACN, most of the attacks targeted systems in France, followed by Finland, North America, Canada, and the United States.

The alert issued by the agency states that the Italian computer security incident response team Italy is aware of dozens of local organizations exposed to ransomware attacks exploiting the CVE-2021–21974 flaw in VMware ESXi servers.

“we have been able to make a census of several dozen national systems that are likely to be compromised and alerted numerous organizations whose systems are exposed but not yet compromised.” reads the alert published by ACN. “However, some systems exposed are yet to be compromised and for same of them it was not possible to track back the owners.”

Government experts urge organizations to immediately apply security patches to address the vulnerability and prevent its exploitation.

The vulnerability is an OpenSLP heap-overflow flaw in VMware ESXi that can be exploited by attackers to execute arbitrary code remotely on vulnerable devices. The vulnerability affects the following systems:

• ESXi 7.x versions earlier than ESXi70U1c-17325551
• ESXi versions 6.7.x earlier than ESXi670-202102401-SG
• ESXi versions 6.5.x earlier than ESXi650-202102101-SG

The virtualization giant addressed the CVE-2021-21974 bug in February 2021.

According to the alert published by the ACM, the ransomware attacks were first reported by the France CERT (CERT-FR). CERT-FR reported that threat actors behind these ransomware attackers are actively exploiting the vulnerability CVE-2021-21974.

“On February 3, 2023, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.” reads the alert published by CERT-FR. “In the current state of investigations , these attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol ( SLP ) service and allows a attacker to remotely exploit arbitrary code. The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”

CERT-FR urges applying all patches available for the ESXi hypervisor, it also recommends performing a system scan to detect any signs of compromise.

The CERT-FR also recommends disabling the SLP service on ESXi hypervisors that have not been updated.

The ongoing ransomware attacks have been also reported by cloud service provider OVHcloud, which observed most of the attacks in Europe.

“A wave of attacks is currently targetting ESXi servers. No OVHcloud managed service are impacted by this attack however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.” reads the report published by OVH. “These attacks are detected globally and especially in Europe.”

BleepingComputer first reported that the attacks could be linked to a new ransomware family, tracked by ID Ransomware‘s Michael Gillespie as ESXiArgs.

The ransomware targets files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a “.args”file for each encrypted document with metadata.

Despite international cyber security agencies warn of ongoing cyber attacks exploiting the above issue, it is important to highlight that the success of these campaigns is the result of the lack of patch management. The patch for the CVE-2021–21974 bug was released two years ago, however, a large number of systems that are exposed online are yet to be patched.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021–21974)