Cybercriminals are actively exploiting a two-year-old VMware vulnerability as part of a ransomware campaign targeting thousands of organizations around the world.
Reports emerged over the weekend that VMware ESXi servers that were vulnerable and unpatched against a 2021 remotely exploitable bug were compromised and encrypted by a ransomware variant called “ESXiArgs”. ESXi is VMware’s hypervisor, a technology that allows organizations to host multiple virtualized computers running multiple operating systems on a single physical server.
The French computer emergency team CERT-FR reports that the cybercriminals have been targeting VMware ESXi servers since February 3, while Italy’s national cybersecurity agency ACN on Sunday warned of a large-scale ransomware campaign targeting thousands of servers in Europe and North America.
US cybersecurity officials have also confirmed that they are investigating the ESXiArgs campaign.
“CISA is working with our public and private sector partners to assess the impact of these reported incidents and provide assistance as needed,” the U.S. cybersecurity unit under Homeland Security said. Reuters in a statement. (A CISA spokesperson did not immediately comment when businessroundups.org reached out.)
Italian cybersecurity officials warned that the EXSi flaw could be exploited by unauthenticated threat actors in low-complexity attacks that do not rely on the use of employee passwords or secrets, the government said. Italian news agency ANSA. The ransomware campaign is already causing “significant” damage due to the number of unpatched machines, a local press release reports.
So far, more than 3,200 VMware servers worldwide have been compromised by the ESXiArgs ransomware campaign. according to a Censys search (through Beeping computer). France is the most affected country, followed by the US, Germany, Canada and the UK.
It is not clear who is behind the ransomware campaign. French cloud computing provider OVHCloud walked back on the initial findings pointing to a link to the Nevada ransomware variant.
A copy of the alleged ransom note, shared by the threat intelligence provider Dark food, shows that the hackers behind the attack employed a “triple-extortion” technique, in which the attackers threaten to notify the victims’ customers of the data breach. The unknown attackers are demanding 2.06 bitcoin – about $19,000 in ransom money – with each bill representing a different bitcoin wallet address.
In a statement to businessroundups.org, VMware spokeswoman Doreen Ruyak said the company was aware of reports that a ransomware variant called ESXiArgs “appears to be exploiting the vulnerability identified as CVE-2021-21974and said patches for the vulnerability were “made available to customers two years ago in VMware’s February 23, 2021 security advisory.”
“Security hygiene is an important part of preventing ransomware attacks, and organizations using versions of ESXi affected by CVE-2021-21974 that have not yet applied the patch should take action as indicated in the advisory.” .
