CTI Advisory: Campaign Exploiting a Vulnerability Affecting VMware ESXi
- Remote arbitrary code execution
On February 3, 2023, CTI Advisory became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.
In the current state of investigations, these attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol ( SLP ) service and allows a attacker to remotely exploit arbitrary code.
“The attack is primarily targetting ESXi servers in version before 7.0 U3i, (6.x and prior to 6.7) apparently through the OpenSLP port (427)
However, CTI Advisory recalls that the CVE-2021-21974 vulnerability affects the following systems:
- ESXi 7.x versions earlier than ESXi70U1c-17325551
- ESXi versions 6.7.x earlier than ESXi670-202102401-SG
- ESXi versions 6.5.x earlier than ESXi650-202102101-SG
CTI Advisory recommends applying without delay the workaround proposed by the publisher in its blog post, which consists of disabling the SLP service on ESXi hypervisors that have not been updated.
Note: This change will prevent CIM clients from locating CIM servers through the SLP service.
[Clarification] CTI Advisory strongly recommends applying all patches available for the ESXi hypervisor.
Applying patches alone is not enough. Indeed, an attacker has probably already exploited the vulnerability and may have dropped malicious code. It is recommended to perform a system scan to detect any signs of compromise.
Updating a product or software is a delicate operation that must be carried out with caution. In particular, it is recommended to carry out tests as much as possible. Provisions must also be made to guarantee continuity of service in the event of difficulties when applying updates such as patches or version changes.
“According to experts from the ecosystem as well as authorities, they might be related to Nevada ransomware and are using CVE-2021-21974 as compromission vector. Investigations are still ongoing to confirm those assumptions,” OVHcloud CISO Julien Levrard said.
Dr Zakir Hussain, Security Advisor mentioned that At least 120 VMware ESXi servers worldwide have already been compromised in this ransomware campaign, according to a Shodan search. However, from the ransom notes seen in this attack, they do not appear to be related to the Nevada Ransomware and appear to be from a new ransomware family.
- VMware Security Advisory VMSA-2021-0002 dated February 23, 2021
- CVE reference CVE-2021-21974
-  Procedure to disable the SLP service