Ransomware attacks exploiting VMware ESXi servers

VMware has advised its customers to urgently apply the latest security updates and to disable the OpenSLP service, which is being targeted in ransomware attacks against internet-exposed, unpatched ESXi servers.

The bug, tracked as CVE-2021-21974, is a heap overflow in the OpenSLP service that ESXi exposes on port 427 (TCP and UDP). An attacker who can reach that port may be able to trigger the overflow and execute arbitrary code on the host itself, not merely on the service.

“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” VMware stated.

The issue is not a zero-day vulnerability: VMware published patches for it on February 23, 2021 (VMSA-2021-0002), so the hosts being hit are ones that were never updated, or that were left running with SLP enabled and reachable from the internet.

“Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” VMware said.
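A first question for anyone defending an ESXi estate is simply whether a host still answers SLP on port 427 from the network it is exposed to. The following script is an added example for this article, not code from VMware, BleepingComputer or the researchers cited here. It builds a unicast SLPv2 Service Request (SrvRqst) as laid out in RFC 2608, sends it over UDP to port 427, and parses any Service Reply (SrvRply) that comes back. The host name `esxi01.example.test`, the XID `0x1234` and the sample reply in `sample_srvrply()` are constructed for illustration; the service type `service:VMwareInfrastructure` is the one ESXi's slpd is assumed to register, and `service:service-agent` can be substituted since every SLP agent answers that.

```python
"""Probe a host for a reachable SLP service on UDP/427 (the OpenSLP service
affected by CVE-2021-21974). Added example for this article, not VMware's code.
Assumptions: host name, XID and the sample reply below are constructed;
the packet layout follows RFC 2608 (SLPv2)."""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST = 1   # Service Request
FN_SRVRPLY = 2   # Service Reply
LANG_TAG = b"en"


def _slp_string(s: bytes) -> bytes:
    """SLP strings: 16-bit big-endian length followed by the bytes."""
    return struct.pack("!H", len(s)) + s


def _slp_header(function_id: int, xid: int, body_len: int) -> bytes:
    """SLPv2 header: version, function, 24-bit total length, flags,
    24-bit next-extension offset, XID, then the language tag string."""
    total = 12 + 2 + len(LANG_TAG) + body_len
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")
            + struct.pack("!H", 0)          # flags: no overflow/fresh/mcast
            + (0).to_bytes(3, "big")        # no extensions
            + struct.pack("!H", xid)
            + _slp_string(LANG_TAG))


def build_srvrqst(service_type: bytes = b"service:VMwareInfrastructure",
                  xid: int = 0x1234, scope: bytes = b"DEFAULT") -> bytes:
    """Unicast SrvRqst: ask the host which URLs it registers for a service type
    (service:VMwareInfrastructure is assumed for ESXi; service:service-agent
    is answered by any SLP agent)."""
    body = (_slp_string(b"")          # PRList: no previous responders
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string(b"")        # predicate: match everything
            + _slp_string(b""))       # SLP SPI: no authentication
    return _slp_header(FN_SRVRQST, xid, len(body)) + body


def parse_srvrply(data: bytes, expected_xid: int):
    """Return (error_code, [urls]) from a SrvRply after validating the header."""
    if len(data) < 14:
        raise ValueError("datagram too short for an SLP header")
    version, function_id = data[0], data[1]
    length = int.from_bytes(data[2:5], "big")
    xid = struct.unpack("!H", data[10:12])[0]
    if version != SLP_VERSION or function_id != FN_SRVRPLY:
        raise ValueError(f"not an SLPv2 SrvRply (version={version}, fn={function_id})")
    if xid != expected_xid:
        raise ValueError(f"XID mismatch: got {xid:#06x}, expected {expected_xid:#06x}")
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    off = 14 + struct.unpack("!H", data[12:14])[0]   # skip the language tag
    error_code, count = struct.unpack("!HH", data[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        # URL entry: reserved(1), lifetime(2), URL length(2), URL, #auths(1), auth blocks
        _reserved, _lifetime, url_len = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        urls.append(data[off:off + url_len].decode("utf-8", "replace"))
        off += url_len
        num_auths = data[off]
        off += 1
        for _ in range(num_auths):
            # auth block: BSD(2), block length(2) covering the whole block, ...
            off += struct.unpack("!H", data[off + 2:off + 4])[0]
    return error_code, urls


def probe_slp(host: str, timeout: float = 3.0, xid: int = 0x1234) -> dict:
    """Send one SrvRqst and report whether anything answered on UDP/427.
    A reply means the service is reachable and should be disabled or patched;
    silence may mean it is off, firewalled, or just UDP loss."""
    result = {"host": host, "responds": False, "error_code": None, "urls": []}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srvrqst(xid=xid), (host, SLP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return result
    result["responds"] = True
    try:
        result["error_code"], result["urls"] = parse_srvrply(data, xid)
    except ValueError as exc:
        result["parse_error"] = str(exc)   # answered, but not a clean SrvRply
    return result


def sample_srvrply() -> bytes:
    """Constructed SrvRply (not captured traffic): one URL entry, no auth blocks."""
    url = b"service:VMwareInfrastructure:esxi01.example.test"
    entry = struct.pack("!BHH", 0, 0xFFFF, len(url)) + url + b"\x00"
    body = struct.pack("!HH", 0, 1) + entry
    return _slp_header(FN_SRVRPLY, 0x1234, len(body)) + body


if __name__ == "__main__":
    import sys
    print(probe_slp(sys.argv[1]) if len(sys.argv) > 1
          else parse_srvrply(sample_srvrply(), 0x1234))
```

Run it as `python3 slp_probe.py esxi01.example.test` against a host you are authorised to test. A reply does not by itself prove the host is vulnerable to CVE-2021-21974 (that depends on the build), but it does prove port 427 is reachable, which is the exposure VMware is telling customers to remove. On the host, the steps VMware documents in KB 76372 are `/etc/init.d/slpd stop`, `esxcli network firewall ruleset set -r CIMSLP -e 0` and `chkconfig slpd off`; `chkconfig --list | grep slpd` and `esxcli network firewall ruleset list | grep CIMSLP` confirm the change survived, and re-running the probe from outside confirms the port is no longer answering.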

The specific ransomware, dubbed ESXiArgs after the .args file it writes next to every encrypted file, has already impacted thousands of vulnerable ESXi servers globally. According to BleepingComputer, the attackers' encryptor targets files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised hosts, that is, the configuration, disk and non-volatile state of each virtual machine.

Security researcher Enes Sonmez created a free guide that may assist some administrators in rebuilding their virtual machines and recovering data for free. It works because the first wave of the encryptor generally left the large -flat.vmdk files that hold the actual disk contents untouched and encrypted only the small descriptor and configuration files, so recreating those files brings the VM back; a later variant encrypts more of the flat files and the guide does not help there. BleepingComputer also has a dedicated ESXiArgs support topic.
