A new wave of exploit attempts is targeting an old vulnerability in VMware ESXi with the goal of installing the ESXiArgs ransomware on compromised instances.
The ransomware attacks emerged last week and have continued over the weekend, with more than 2,000 ESXi instances compromised so far. The vulnerability that the attacks target (CVE-2021-21974) has been known publicly for about two years, and VMware released a fix for it on Feb. 23, 2021. The bug lies in the OpenSLP implementation in ESXi hypervisors, and an attacker who can exploit it may be able to gain remote code execution.
On Friday, the French CERT published an advisory about the new spate of ransomware infections resulting from exploitation of the bug. The attacks are targeting ESXi versions 6.x prior to 6.7.
“In the current state of investigations, these attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to remotely exploit arbitrary code,” the advisory says.
“Updating a product or software is a delicate operation that must be carried out with caution. In particular, it is recommended to carry out tests as much as possible. Provisions must also be made to guarantee continuity of service in the event of difficulties when applying updates such as patches or version changes.”
Data from GreyNoise shows that 17 unique IP addresses have been attempting to exploit the ESXi vulnerability in the last two days. The ransomware that attackers are deploying after exploiting the flaw is known as ESXiArgs and behaves like other ransomware variants, encrypting files and demanding a payment for the decryption key.
Organizations that have not yet patched the vulnerability may already have been compromised by the campaign. If patching isn’t an option at the moment, organizations can disable the SLP service on vulnerable ESXi instances.
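The interim mitigation above, as an added defender-side script that is not from the article or from VMware: it stops and disables the slpd service, closes the CIMSLP firewall ruleset, and gives a re-runnable check for the SLP state. The live commands follow VMware KB 76372; the `chkconfig` and `esxcli` output it parses is constructed sample text, not captured from a real host.

```shell
#!/bin/sh
# Interim mitigation for CVE-2021-21974 on an ESXi host that cannot be patched yet:
# stop and disable the OpenSLP daemon (slpd) and close the CIMSLP firewall ruleset.
# Commands follow VMware KB 76372. Added example, not the article's or VMware's code.
# Run on the ESXi shell as root: "check" reports state, "apply" applies the mitigation.

# Constructed sample output (not captured from a real host) used to exercise the parsers.
SAMPLE_CHKCONFIG='DCUI            on
slpd            on
vmsyslogd       on'
SAMPLE_RULESETS='Name                  Enabled
--------------------  -------
CIMSLP                true
sshServer             true'

# Given `chkconfig --list` output as $1, return 0 if slpd starts at boot, 1 otherwise.
slpd_enabled_in() {
    printf '%s\n' "$1" | awk '$1 == "slpd" && $2 == "on" { found = 1 } END { exit found ? 0 : 1 }'
}

# Given `esxcli network firewall ruleset list` output as $1, return 0 if CIMSLP is open.
cimslp_open_in() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" && $2 == "true" { found = 1 } END { exit found ? 0 : 1 }'
}

# Check the live host; prints one line per finding and returns 0 only if SLP is fully disabled.
check_slp() {
    status=0
    if slpd_enabled_in "$(chkconfig --list)"; then
        echo "slpd is enabled at boot"; status=1
    fi
    if cimslp_open_in "$(esxcli network firewall ruleset list)"; then
        echo "CIMSLP firewall ruleset is open"; status=1
    fi
    return $status
}

# Apply the mitigation, then re-check so any step that did not take effect is visible.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    check_slp
}

case "${1:-}" in
    check) check_slp ;;
    apply) disable_slp ;;
    *) echo "usage: $0 check|apply" ;;
esac
```

Re-run `check` after patching as well, since a host restored from an older backup can come back with SLP enabled again.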