Two weeks ago, VMware released a patch for a critical vulnerability in several versions of its vCenter Server product and urged customers to update as quickly as possible. Now, attackers are targeting unpatched servers, some using publicly available exploits, and installing webshells on compromised systems.
The vulnerability in vCenter (CVE-2021-21985) can give an attacker complete control of a target machine, and public proof-of-concept exploits are available for it. In the days after VMware published the advisory, security vendor Rapid7 said it had identified about 6,000 vulnerable servers exposed to the Internet. Late last week, security researchers and companies that monitor scanning activity began reporting opportunistic exploit attempts against the vulnerability from a variety of sources. On June 3, Bad Packets, which monitors mass scanning activity, identified scans from an IP address in the Netherlands looking for vulnerable servers, and GreyNoise has been showing scans and exploit attempts from a number of locations, including China, Germany, and the United States.
On June 4, researcher Kevin Beaumont mentioned on Twitter that a honeypot he maintains had been compromised with an exploit for the vCenter vulnerability and a webshell was installed afterward. The activity has picked up over the weekend, and on Saturday, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about the exploitation activity and again encouraged customers to update their installations of vCenter.
“CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system,” the CISA advisory says.
Although the Rapid7 data showed nearly 6,000 vulnerable vCenter servers exposed to the Internet, that is not a recommended configuration, and security experts advised enterprise teams not to connect those servers to the public Internet if at all possible.
“Don’t connect vCenter directly to the internet by design, especially the appliance version. The appliance version is closed box Linux with no AV; somebody drops a webshell on box and now it’s permanently backdoored (even if patched) with no way to know, and it has ESXi access,” Beaumont said.
The vulnerability affects versions 6.5, 6.7, and 7.0 of vCenter Server, as well as versions 3.x and 4.x of Cloud Foundation. VMware has advised customers that the threat of exploitation against this vulnerability is serious and encouraged them to install the updates immediately if they have not done so already. Because installing the patch does not remove a webshell that was already placed on the system, teams whose vCenter instances were reachable from the Internet before the update should also examine them for signs of compromise.
“With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence,” VMware said in an FAQ.