{"id":16957,"date":"2023-02-07T16:33:07","date_gmt":"2023-02-07T15:33:07","guid":{"rendered":"https:\/\/www.show.it\/vmware-says-no-evidence-of-zero-day-exploitation-in-esxiargs-ransomware-attacks\/"},"modified":"2023-02-07T16:33:07","modified_gmt":"2023-02-07T15:33:07","slug":"vmware-says-no-evidence-of-zero-day-exploitation-in-esxiargs-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/vmware-says-no-evidence-of-zero-day-exploitation-in-esxiargs-ransomware-attacks\/","title":{"rendered":"VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks"},"content":{"rendered":"<p><strong>VMware has urged customers to take action as unpatched ESXi servers continue to be targeted in ESXiArgs ransomware attacks.<\/strong><\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/many-vmware-esxi-servers-targeted-in-ransomware-attack-via-old-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Hackers are exploiting CVE-2021-21974<\/a>, a high-severity ESXi remote code execution vulnerability related to OpenSLP that VMware patched in February 2021. 
Following successful exploitation, unidentified threat actors have deployed file-encrypting ransomware that targets virtual machines.\u00a0<\/p>\n<p>Technical details and a proof-of-concept (PoC) exploit for CVE-2021-21974 have been around for nearly two years, but there is no indication that in-the-wild exploitation has been observed until now.\u00a0<\/p>\n<p>In a blog post published on its Security Response Center on Monday, <a href=\"https:\/\/blogs.vmware.com\/security\/2023\/02\/83330.html\" target=\"_blank\" rel=\"noreferrer noopener\">VMware said<\/a> there is no evidence that the attacks involve exploitation of a zero-day vulnerability.\u00a0<\/p>\n<p>\u201cMost reports state that End of General Support (EOGS) and\/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories,\u201d the virtualization giant said.\u00a0<\/p>\n<p>Attacks are possible because many organizations are running old and unpatched software.<\/p>\n<p>\u201cI\u2019ve assessed nearly 500 owned boxes this evening, all of them are on old software releases. A shocking amount of orgs run ESXi on long end of life versions,\u201d researcher Kevin Beaumont <a href=\"https:\/\/cyberplace.social\/@GossiTheDog\/109820016562812480\">said<\/a> on Monday.\u00a0<\/p>\n<p>ESXiArgs ransomware attacks appear to have <a href=\"https:\/\/csirt.divd.nl\/cases\/DIVD-2023-00007\/\" target=\"_blank\" rel=\"noreferrer noopener\">started<\/a> on or around February 3. 
As of February 7, <a href=\"https:\/\/search.censys.io\/search?resource=hosts&#038;sort=RELEVANCE&#038;per_page=25&#038;virtual_hosts=EXCLUDE&#038;q=services.http.response.body%3A+%22How+to+Restore+Your+Files%22+and+services.http.response.html_title%3A%22How+to+Restore+Your+Files%22\" target=\"_blank\" rel=\"noreferrer noopener\">Censys<\/a> shows nearly 2,500 compromised servers and <a href=\"https:\/\/www.shodan.io\/search?query=title%3A%22how+to+restore+your+files%22\" target=\"_blank\" rel=\"noreferrer noopener\">Shodan<\/a> shows more than 1,600. Most of the hacked systems are located in France, followed by the United States.\u00a0<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"423\" height=\"408\" src=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/ESXiArgs.png\" alt=\"\" class=\"wp-image-32416\" srcset=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/ESXiArgs.png 423w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/02\/ESXiArgs-360x347.png 360w\" sizes=\"auto, (max-width: 423px) 100vw, 423px\"><\/figure>\n<\/div>\n<p>On compromised systems, the hackers drop a ransom note instructing victims to pay roughly $50,000 in bitcoins in order to recover their files and prevent them from getting leaked. While the cybercriminals claim to have stolen data that they will sell unless a ransom is paid, there does not appear to be any evidence to date that files have actually been stolen in ESXiArgs attacks.<\/p>\n<p>As for the malware used in these attacks, it seems to target files associated with virtual machines.\u00a0<\/p>\n<p>In some cases, the malware\u2019s encryption routine can partially fail, which could allow some victims to recover their data without paying a ransom. 
However, recovering files that have been properly encrypted seems impossible for the time being.<\/p>\n<p>Cyble has published a <a href=\"https:\/\/blog.cyble.com\/2023\/02\/06\/massive-ransomware-attack-targets-vmware-esxi-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">technical analysis of the malware<\/a>, including information on VM configuration file modifications, file encryption, persistence, and cleanup.\u00a0<\/p>\n<p>Government cybersecurity agencies around the world, including in the United States, have issued alerts over the ESXiArgs ransomware attacks.<\/p>\n<p><strong>Related:<\/strong><a href=\"https:\/\/www.securityweek.com\/vmware-patches-vm-escape-flaw-exploited-geekpwn-event\/\"> VMware Patches VM Escape Flaw Exploited at Geekpwn Event<\/a><\/p>\n<p><strong>Related:<\/strong><a href=\"https:\/\/www.securityweek.com\/vmware-confirms-exploit-code-released-for-critical-vrealize-logging-vulnerabilities\/\"> VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/vmware-says-no-evidence-of-zero-day-exploitation-in-esxiargs-ransomware-attacks\/\">VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/\">SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>VMware has urged customers to take action as unpatched ESXi servers continue to be targeted in ESXiArgs ransomware attacks. Hackers are exploiting CVE-2021-21974, a high-severity ESXi remote code execution vulnerability related to OpenSLP that VMware patched in February 2021. 
Following successful exploitation, unidentified threat actors have deployed file-encrypting ransomware that targets virtual machines.\u00a0 Technical details [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16958,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[96,23],"tags":[],"class_list":["post-16957","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","category-vulnerabilities"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16957","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16957"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16957\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16958"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16957"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16957"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16957"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}