Ransomware Attack Targets VMware ESXi Servers

VMware servers around the world have suffered an extensive targeted ransomware attack, the largest non-Windows ransomware attack on record.

The French Computer Emergency Response Team and Italy’s national cybersecurity authority (ACN) officially warned organizations worldwide against a ransomware attack targeting thousands of multicloud service provider VMware ESXi servers, exploiting a known vulnerability (CVE-2021-21974) which was first patched in February 2021.

These agencies have now been joined by the US national cybersecurity agency, CISA, which has moved swiftly to release a recovery script for organizations that have fallen victim to ESXiArgs ransomware.

What Happened?

As VMware servers host and provide services to thousands of other servers, the impact seems to be widespread globally, affecting organizations in France, Finland, Italy, Canada and the US. VMware described the weakness as an OpenSLP heap-overflow vulnerability that could lead to the execution of arbitrary code.

Who Is Affected?

Anyone running ESXi machines that are unpatched against CVE-2021-21974 and exposed to the Internet on port 427. CVE-2021-21974 affects the following systems:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

Using a specific query on the Internet scanning platform Censys, researchers at Check Point report there are already more than 1,900 infected ESXi devices, with most of the victims hosted by the service providers OVH and Hetzner.

OVH offers bare metal machines with the option to install ESXi on them. In many cases, customers then expose them to the Internet and never patch. On February 3rd, OVH published a blog post saying that they had closed off port 427 for their customers to mitigate the threat.

What Do We Know?

Check Point says that this is the largest non-Windows ransomware attack on record. This massive attack on ESXi servers is considered one of the most extensive ransomware cyberattacks ever reported on non-Windows machines. What makes the situation even more worrying is the fact that until recently, ransomware attacks were more focused on Windows-based machines.

The ransomware threat actors have realized how crucial Linux servers are for the systems of institutions and organizations. This has certainly prompted them to invest in the development of such a powerful cyber weapon and to make ransomware so sophisticated.

According to Check Point's analysis, the risk of this ransomware attack is not limited only to the specific targeted service providers.

Cybercriminals exploited CVE-2021-21974, a flaw already reported in February 2021. But what can make the impact even more devastating is the use of these servers, on which other virtual servers are usually running. Thus, the damage is probably widespread, more than initially reported.

The Evolution Of Ransomware

In the early days, ransomware attacks were conducted by single entities who developed and distributed massive numbers of automated payloads to randomly selected victims, collecting small sums from each “successful” attack. Fast forward to 2023 and these attacks have evolved to become mostly human-operated processes, carried out by multiple entities over several weeks. The attackers carefully select their victims according to a desired profile, and implement a series of pressure measures to extort significant sums of money. Threats of exposing sensitive data have proven to be very effective.

Ransomware Attacks Impact On Corporates In 2022

Check Point’s ThreatCloud software provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. According to their data, globally, at least 1 out of every 13 organizations suffered an attempted ransomware attack in the past year.

  • In APAC – 1 in 11 organizations
  • In EMEA – 1 in 12 organizations
  • In the Americas – 1 in 19 organizations

Analysis of the initial threat indications shows that almost 50% of investigations involve ransomware infections and that the biggest risks are large-scale ransomware attacks and full network compromises.

Mitigation

VMware has published workarounds to assist server owners with mitigating the risk of the CVE’s exploitation. OVHcloud provided recommendations including emergency measures to customers using ESXi.

Prevent Ransomware Attacks

Up-to-Date Patches: Keeping computers and servers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.

Keep your software updated: Ransomware attackers sometimes find an entry point within your apps and software, noting vulnerabilities and capitalizing on them. Many developers are searching for new vulnerabilities and patching them out, and Check Point recommends that users have a patch management strategy in place and make sure all team members are up to date with the latest versions.

Choose Prevention Over Detection: Many claim that attacks will happen, and there is no way to avoid them, and therefore the only thing left to do is to invest in technologies that detect the attack once it has already breached the network and mitigate the damage as soon as possible. This is not true.

Not only can attacks be blocked, but they can be prevented, including zero-day attacks and unknown malware. With the right technologies in place, most attacks, even the most advanced ones, can be prevented without disrupting the normal business flow.

Robust Data Backup: The goal of ransomware is to force the victim to pay a ransom to regain access to their encrypted data. However, this is only effective if the target loses access to their data. A robust, secure data backup solution is an effective way to mitigate the impact of a ransomware attack. If systems are backed up regularly, then the data lost to a ransomware attack should be minimal or non-existent. However, it is important to ensure that the data backup solution cannot be encrypted as well. Data should be stored in a read-only format to prevent the spread of ransomware to drives containing recovery data.

Anti-Ransomware Solutions: While the previous ransomware prevention steps can help to mitigate an organization’s exposure to ransomware threats, they do not provide perfect protection. Some ransomware operators use well-researched and highly targeted spear phishing emails as their attack vector. These emails may trick even the most diligent employee, resulting in ransomware gaining access to an organization’s internal systems.

Conclusion

Protecting against this ransomware that “slips through the cracks” requires a specialized security solution. To achieve its objective, ransomware must perform certain anomalous actions, such as opening and encrypting large numbers of files.

Anti-ransomware solutions monitor programs running on a computer for suspicious behaviors commonly exhibited by ransomware, and if these behaviors are detected, the program can take action to stop encryption before further damage can be done.
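
The behavioural check described above, as an added example that is not from the article or from any vendor's product: it flags a process that writes to an unusually large number of distinct files within a short window. The log format, the window and the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10     # assumed look-back window
MAX_DISTINCT_FILES = 5  # assumed limit on distinct files written per window

# Constructed events, format assumed: "epoch_seconds pid process operation path"
SAMPLE_LOG = (
    ["1000 411 backup-agent write /data/a.db",
     "1030 411 backup-agent write /data/b.db",
     "1060 411 backup-agent write /data/a.db"]
    # A logger rewriting one file many times is busy but not suspicious.
    + [f"{1100 + i} 77 syslogd write /var/log/messages" for i in range(8)]
    # One process touching a new file every second is the pattern to catch.
    + [f"{1100 + i} 902 unknown-bin write /data/vm{i:02d}/disk.img" for i in range(8)]
)

def parse_event(line):
    """Split one log line into (ts, pid, process, op, path)."""
    ts, pid, process, op, path = line.split(maxsplit=4)
    return int(ts), int(pid), process, op, path

def detect_mass_writes(lines, window=WINDOW_SECONDS, limit=MAX_DISTINCT_FILES):
    """Return {pid: (process, alert_ts)} for every process that wrote to more
    than `limit` distinct files within any `window`-second span."""
    recent = defaultdict(deque)  # pid -> (ts, path) writes still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, pid, process, op, path = parse_event(line)
        if op != "write" or pid in alerts:
            continue
        events = recent[pid]
        events.append((ts, path))
        # Drop writes that have aged out of the window.
        while events and events[0][0] <= ts - window:
            events.popleft()
        # Count distinct paths so repeated writes to one file do not alert.
        if len({p for _, p in events}) > limit:
            alerts[pid] = (process, ts)
    return alerts

if __name__ == "__main__":
    for pid, (process, ts) in detect_mass_writes(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} process={process} at t={ts}")
```

Counting distinct paths rather than raw write operations keeps loggers and databases from tripping the alert; a production monitor would tune the threshold per host and typically combine it with other signals.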
