Global ransomware attack targets VMware ESXi servers


Attackers are exploiting a known vulnerability to target hundreds of servers in France, the USA, Germany, Finland, Italy, and other countries.

France’s Computer Emergency Response Team (CERT-FR) was among the first to notice the massive ransomware campaign, as hundreds of affected VMware ESXi servers were using French cloud service provider OVHcloud.

“[…] these campaigns seem to exploit the CVE-2021-21974 vulnerability, which has been patched since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to execute arbitrary code remotely,” CERT-FR said on February 3.


According to a ransom note obtained by Darkfeed, a deep web monitoring feed, the attackers do not direct victims to a ransomware leak site, as is customary in the cyber underworld, but instead provide the address of an encrypted messaging service.

Thousands of servers have been affected since attacks were noticed last week, Reuters claims, citing Italy’s National Cybersecurity Agency (ACN). Authorities advised users and institutions to protect their systems as the attack is ongoing.

Italy’s ANSA news agency, citing the ACN, reported that servers had been compromised in other European countries, such as France and Finland, as well as the United States and Canada.

Reuters claims that dozens of Italian organizations were likely to have been affected, and many more had been warned to take action to avoid being locked out of their systems.

A spokesperson for VMware told Reuters the software firm is aware of the report and that it issued patches in February 2021 when it discovered the vulnerability that is now being exploited. Users are urged to apply the patch if they have not done so.

VMware ESXi is a hypervisor: software that runs and manages virtual machines on physical computers such as servers.

Security researchers are scrambling for ways to decrypt the thousands of unresponsive services worldwide. According to cybersecurity expert Matthiey Gari, the attackers only encrypt the config files, which allows defenders to mitigate the damage somewhat.
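The point above, that only configuration files were encrypted, matters for recovery triage: on ESXi each VM's disk contents live in its `-flat.vmdk` extents, while the `.vmx`, `.vmdk` descriptor, `.vmsd` and `.nvram` files are small and can be rebuilt. The script below is an added example, not code from the article or from any party it names; it walks a constructed datastore listing and reports which VMs still have intact data extents. The ransomware's real file marker is not stated in the article, so a placeholder extension is assumed, and the standard per-VM file roles come from VMware's documented layout rather than from the page.

```python
"""Recovery triage for an ESXi datastore after config-only encryption.

Added example (not from the article). Assumes the standard ESXi per-VM
file layout and a placeholder marker for encrypted files.
"""
from collections import defaultdict
import posixpath

# Standard ESXi per-VM file roles (VMware file layout, not article text).
CONFIG_SUFFIXES = (".vmx", ".vmxf", ".vmsd", ".nvram")
DESCRIPTOR_SUFFIX = ".vmdk"    # small text file pointing at the -flat extent
DATA_SUFFIX = "-flat.vmdk"     # the actual disk contents

# Assumption: encrypted files are marked by an appended extension. The real
# marker used in this campaign is not given in the article; placeholder only.
ENCRYPTED_MARKER = ".encrypted"


def classify(path):
    """Return (original_name, role, encrypted) for one datastore path."""
    name = posixpath.basename(path)
    encrypted = name.endswith(ENCRYPTED_MARKER)
    if encrypted:
        name = name[:-len(ENCRYPTED_MARKER)]
    if name.endswith(DATA_SUFFIX):          # check before the generic .vmdk test
        role = "data"
    elif name.endswith(DESCRIPTOR_SUFFIX):
        role = "descriptor"
    elif name.endswith(CONFIG_SUFFIXES):
        role = "config"
    else:
        role = "other"
    return name, role, encrypted


def vm_name_of(path):
    # VM directory is the parent of the file: /vmfs/volumes/<datastore>/<vm>/
    return posixpath.basename(posixpath.dirname(path))


def triage(listing):
    """Map each VM to a verdict.

    'intact'         : nothing was encrypted
    'recoverable'    : config/descriptor files encrypted, every -flat extent intact,
                       so the VM can be rebuilt around its data
    'data-encrypted' : at least one -flat extent is encrypted; no rebuild path
    """
    counts = defaultdict(lambda: {"data_enc": 0, "data_ok": 0, "cfg_enc": 0})
    for path in listing:
        vm = vm_name_of(path)
        _, role, enc = classify(path)
        if role == "data":
            counts[vm]["data_enc" if enc else "data_ok"] += 1
        elif role in ("config", "descriptor") and enc:
            counts[vm]["cfg_enc"] += 1
    verdicts = {}
    for vm, c in counts.items():
        if c["data_enc"]:
            verdicts[vm] = "data-encrypted"
        elif c["cfg_enc"]:
            verdicts[vm] = "recoverable"
        else:
            verdicts[vm] = "intact"
    return verdicts


# Constructed sample listing (not real data): three VMs in three states.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmx.encrypted",
    "/vmfs/volumes/ds1/web01/web01.vmdk.encrypted",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/web01/web01.nvram.encrypted",
    "/vmfs/volumes/ds1/db01/db01.vmx.encrypted",
    "/vmfs/volumes/ds1/db01/db01-flat.vmdk.encrypted",
    "/vmfs/volumes/ds1/dev01/dev01.vmx",
    "/vmfs/volumes/ds1/dev01/dev01.vmdk",
    "/vmfs/volumes/ds1/dev01/dev01-flat.vmdk",
]

if __name__ == "__main__":
    for vm, verdict in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{vm}: {verdict}")
```

Feed it the output of a recursive listing of `/vmfs/volumes` and the "recoverable" entries are the VMs worth rebuilding first; the rebuild itself (recreating the descriptor and registering a fresh `.vmx`) is a separate, manual step that this script does not perform.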
