Original Release Date: 2/6/2023
This NJCCIC Alert is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Ransomware groups are actively exploiting a 2-year-old heap-overflow vulnerability, CVE-2021-21974 (CVSS v3.1 8.8), affecting OpenSLP used in VMware ESXi servers for versions 6.x and prior to 6.7, though threat actors may be leveraging other vulnerabilities or attack vectors, as earlier builds of ESXi appear to have also been compromised. European cybersecurity agencies reported that thousands of servers have been targeted in ransomware attacks within the last week and analysts assess that the ransomware attacks may utilize a new variant called ESXiArgs. VMware ESXi 6.5 and VMware ESXi 6.7 are currently targeted in this campaign and should be prioritized for patching and mitigation; they are considered end-of-life as of October. Vulnerable ESXi servers exposed to the public internet are particularly at risk; there are approximately 245 public-facing ESXi servers in New Jersey.
The NJCCIC advises owners and operators of VMware ESXi to conduct full-system scans to ensure their systems have not been compromised and to update to the latest patch levels as soon as possible after appropriate testing. For ESXi servers that cannot be updated immediately, disable SLP (port 427) to mitigate the associated vulnerabilities. In some cases, encrypted virtual machine disks can be recovered; procedures for doing so can be found in the French CERT Alert Bulletin. Additional technical details on the ransomware campaign can be found in the BleepingComputer article.
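The alert tells administrators to disable SLP on port 427 but does not say how to confirm the change took effect. The following script is an added example written for this page (it is not code from the NJCCIC, VMware, or the referenced bulletins); it verifies the mitigation from two angles: a TCP reachability check of port 427 from the network side, and a parser for the text output of `esxcli network firewall ruleset list` so the state of the SLP ruleset can be asserted in an inventory script. The column layout of that output and the ruleset name `CIMSLP` are assumptions taken from typical ESXi hosts, not from the alert; the sample output embedded below is constructed, not captured from a real server.

```python
"""Verify the "disable SLP / port 427" mitigation on ESXi hosts.

Added example for this page; not the NJCCIC's or VMware's own tooling.
Assumptions (not stated in the alert):
  - the SLP firewall ruleset on ESXi is named CIMSLP;
  - `esxcli network firewall ruleset list` prints a header line, a dashed
    separator, then one "<Name> <true|false>" line per ruleset.
"""
import socket
import sys
from typing import Dict

SLP_PORT = 427  # the port the alert says to disable on unpatched hosts


def check_slp_port(host: str, port: int = SLP_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds.

    True after the mitigation means SLP is still reachable and the host
    should be re-checked; False (refused or timed out) is the desired state.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_firewall_rulesets(text: str) -> Dict[str, bool]:
    """Parse esxcli firewall ruleset output into {ruleset_name: enabled}.

    Header, separator and blank lines do not match the two-column
    "<name> true|false" shape and are skipped.
    """
    rulesets: Dict[str, bool] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1].lower() not in ("true", "false"):
            continue
        rulesets[parts[0]] = parts[1].lower() == "true"
    return rulesets


def slp_mitigated(rulesets: Dict[str, bool], port_open: bool) -> bool:
    """True only when the CIMSLP ruleset is disabled AND port 427 is closed.

    A host whose ruleset output does not mention CIMSLP at all is treated as
    unverified (not mitigated) rather than silently passing.
    """
    return rulesets.get("CIMSLP", True) is False and not port_open


# Constructed sample output (assumed format, not from a real host):
# CIMSLP is still enabled, so this host would fail the check.
SAMPLE_RULESET_OUTPUT = """\
Name                Enabled
------------------  -------
sshServer           true
sshClient           false
CIMSLP              true
vSphereClient       true
"""


def local_port_self_check() -> tuple:
    """Exercise check_slp_port against a throwaway local listener.

    Returns (open_result, closed_result); expected (True, False).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = check_slp_port("127.0.0.1", port)
    srv.close()
    after_close = check_slp_port("127.0.0.1", port)
    return (while_open, after_close)


if __name__ == "__main__":
    # Usage: python check_slp.py <esxi-host> [ruleset-output-file]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    output = SAMPLE_RULESET_OUTPUT
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            output = fh.read()
    port_open = check_slp_port(host)
    rules = parse_firewall_rulesets(output)
    print(f"{host}: port {SLP_PORT} open={port_open}, "
          f"CIMSLP enabled={rules.get('CIMSLP')}, "
          f"mitigated={slp_mitigated(rules, port_open)}")
```

Run it against each ESXi host after stopping `slpd` and disabling the ruleset; a host only passes when both the firewall ruleset is off and the port no longer accepts connections, so a half-applied change (ruleset disabled but daemon still bound, or vice versa) is reported as not mitigated.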
The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.
Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.