Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers are actively targeting VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware. Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.
"As current investigations show, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021," CERT-FR said. "The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7."
To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven't yet been updated. CERT-FR strongly recommends applying the patch as soon as possible, but adds that systems left unpatched should also be scanned to look for signs
CVE-2021-21974 affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
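The two actions above (find out whether a host is still on a vulnerable build, and disable SLP until it is patched) are easy to get wrong when done by hand across many hypervisors. The following script is an added example, not code from the article, CERT-FR or VMware. It parses the output of `vmware -v` and compares the build number against the patched build for each branch; the 7.0 build comes from the patch name listed above (ESXi70U1c-17325551), while the 6.7 and 6.5 build numbers are taken from VMware's release notes for ESXi670-202102401-SG and ESXi650-202102101-SG and are an assumption to verify before relying on them. The SLP shutdown uses the commands VMware documents in KB 76372 and only runs when `esxcli` is present, so the parsing part can be tested on any POSIX shell. The version string in the comment is a constructed sample.

```shell
#!/bin/sh
# Added example: classify an ESXi build string and, on a live host, disable SLP
# as a stop-gap until the host is patched. Runs in ESXi's busybox shell; the
# parsing part runs in any POSIX sh.

# Patched builds per branch.
#   7.0 -> ESXi70U1c-17325551 (build number is in the patch name)
#   6.7 -> ESXi670-202102401-SG, 6.5 -> ESXi650-202102101-SG: the build numbers
#   below are ASSUMED from VMware's release notes; verify before relying on them.
PATCHED_70=17325551
PATCHED_67=17499825
PATCHED_65=17477841

# build_state "<output of vmware -v>"
# Constructed sample input: "VMware ESXi 6.7.0 build-17167734"
# Prints "vulnerable", "patched" or "unknown" (unsupported branch or unparsable).
build_state() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^VMware ESXi \([0-9]*\.[0-9]*\)\.[0-9]* build-\([0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    major=${ver% *}
    build=${ver#* }
    case "$major" in
        7.0) min=$PATCHED_70 ;;
        6.7) min=$PATCHED_67 ;;
        6.5) min=$PATCHED_65 ;;
        *)   echo unknown; return 0 ;;   # 6.0 and older: no patch, review manually
    esac
    if [ "$build" -ge "$min" ]; then echo patched; else echo vulnerable; fi
}

# disable_slp: stop SLP, block it at the ESXi firewall and keep it off across
# reboots (the steps VMware documents in KB 76372). No-op off an ESXi host.
disable_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "not an ESXi host, skipping SLP shutdown" >&2
        return 3
    fi
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    chkconfig --list slpd            # expected to show slpd as off
}

# Stand-alone use on a hypervisor: classify, then mitigate if still exposed.
if command -v vmware >/dev/null 2>&1; then
    state=$(build_state "$(vmware -v)")
    echo "ESXi build state: $state"
    if [ "$state" = vulnerable ]; then disable_slp; fi
fi
```

Disabling SLP is a mitigation, not a fix: the heap overflow is still present in the binary, so the host must still be patched, and CERT-FR's advice to hunt for signs of earlier compromise still applies to any host that was exposed before SLP was turned off.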
New ESXiArgs ransomware
However, from the ransom notes seen in this attack, the operators do not appear to be related to the Nevada ransomware and appear to be a new ransomware family. Starting roughly four hours ago, victims affected by this campaign have also begun reporting the attacks on BleepingComputer's forum, asking for help and more information on how to recover their data. The ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a .args file for each encrypted file with metadata (likely needed for decryption). While the threat actors behind this attack claim to have stolen data, one victim reported in the BleepingComputer forums that this was not the case in their incident. "Our investigation has determined that data has not been exfiltrated. In our case, the attacked machine had over 500 GB of data but typical daily usage of only 2 Mbps. We reviewed traffic stats for the last 90 days and found no evide
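The two artifacts the article names, a `.args` file dropped beside each encrypted file and the set of targeted extensions, are enough for a first triage sweep of a datastore. The script below is an added example, not code from the article or from any incident responder quoted in it; it walks a directory tree, reports every `.args` file together with the state of the file it describes, and distinguishes a companion that is missing (which the article's description does not predict, so it deserves a closer look) from one that has an extension outside the targeted set. The datastore path /vmfs/volumes and the test tree it is run against are assumptions; nothing here identifies the ransomware family, it only surfaces candidates for manual review.

```shell
#!/bin/sh
# Added example: enumerate ESXiArgs-style artifacts under a datastore path.
# Indicators used are only those the article gives: a ".args" file next to each
# encrypted file, and the targeted extensions .vmxf .vmx .vmdk .vmsd .nvram.

TARGET_EXT='vmxf|vmx|vmdk|vmsd|nvram'

# hunt_esxiargs <dir>
# Prints one line per .args file found: "<companion path> <status>", where
#   encrypted-candidate : companion exists and has a targeted extension
#   companion-missing   : .args is present but the file it describes is gone
#   unexpected-ext      : companion exists but is not one of the targeted types
hunt_esxiargs() {
    dir=$1
    find "$dir" -type f -name '*.args' 2>/dev/null | sort | while IFS= read -r args; do
        companion=${args%.args}         # vm1.vmdk.args -> vm1.vmdk
        ext=${companion##*.}            # vm1.vmdk      -> vmdk
        if [ ! -e "$companion" ]; then
            status=companion-missing
        elif printf '%s\n' "$ext" | grep -Eqx "$TARGET_EXT"; then
            status=encrypted-candidate
        else
            status=unexpected-ext
        fi
        printf '%s %s\n' "$companion" "$status"
    done
}

# count_findings <dir>: number of .args files under <dir>, for a quick yes/no.
count_findings() {
    hunt_esxiargs "$1" | wc -l | tr -d ' '
}

# Stand-alone use on a hypervisor (assumed datastore root; adjust as needed).
if [ -d /vmfs/volumes ]; then
    echo "findings: $(count_findings /vmfs/volumes)"
    hunt_esxiargs /vmfs/volumes
fi
```

Run it read-only and before any recovery attempt: the `.args` files are the metadata the article says is likely needed for decryption, so the sweep must never delete or rename them, and a non-zero finding count on a host that was exposed on the SLP port is the point at which the host should be isolated and imaged rather than repaired in place.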