Ransomware, Breach, Content

Ransomware Hackers Exploit Two-Year-Old VMware Vulnerability in Disruption Campaign

Thousands of computers in North America and Western Europe were attacked recently by unknown ransomware assailants that exploited a two-year VMware vulnerability that the companies had failed to patch, according to multiple reports.

The hackers reportedly went after VMware ESXi servers left unpatched against a remotely exploitable bug from 2021. ESXi is VMware’s hypervisor that enables organizations to run several virtual machines on one host computer and share memory, processing and other resources.

3,200 Sytems Attacked

So far, roughly 3,200 systems have been attacked, Bleeping Computer reported. It appears that financial gain was not at the root of the infections but instead, it looks like a campaign bent on disruption, reports said.

In Italy, the Italian ANSA news agency said the ransomware campaign had already caused “significant” damage owing to a high number of unpatched computers.

France appears to be the most affected country, followed by the U.S., Germany, Canada and the United Kingdom. Not only do the attacks underscore timely patching but also re-emphasize the importance of managed security service providers (MSSPs) assisting organizations to follow through on installing fixes.

A VMware spokesperson told TechCrunch that the company knew of the break, which “appears to be leveraging the vulnerability identified as CVE-2021-21974.”

The spokesperson confirmed that the exploit had been patched two years ago and made available to customers at that time:

“Security hygiene is a key component of preventing ransomware attacks, and organizations who are running versions of ESXi impacted by CVE-2021-21974, and have not yet applied the patch, should take action as directed in the advisory.”

CISA Enters Conversation

The U.S. the Cybersecurity and Infrastructure Security Agency (CISA) issued a statement to TechCrunch that said:

“CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed. Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”

France’s computer emergency response team (CERT-FR) said that the systems “currently targeted would be ESXi hypervisors in version 6.xz and prior to 6.7,” Bleeping Computer reported. Admins have to disable the vulnerable Service Location Protocol service on ESXi hypervisors that haven’t been patched to block an attack. Systems left unpatched should look for signs of compromise, CERT-FR said.

Patrice Auffret, founder and chief executive officer of Onyphe SAS, a French cybersecurity firm, told Bloomberg that the timing of the attacks was “chosen wisely, as systems administrators and security teams are nearly out for the weekend. The attackers probably wanted to finish their dirty job during the weekend for maximum impact.”

Exactly how and why each victim was chosen by the hackers remains unclear. The unknown attackers are demanding 2.06 bitcoin — approximately $19,000 in ransom payments — with each note displaying a different bitcoin wallet address, TechCrunch reported.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.