CTI Advisory: Campaign Exploiting a Vulnerability Affecting VMware ESXi

RISK(S)

  • Remote arbitrary code execution

SUMMARY

On February 3, 2023, CTI Advisory became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.

As investigations currently stand, these attack campaigns appear to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to remotely execute arbitrary code.

“The attack is primarily targeting ESXi servers in version before 7.0 U3i, (6.x and prior to 6.7) apparently through the OpenSLP port (427).”

However, CTI Advisory reminds readers that the CVE-2021-21974 vulnerability affects the following systems:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

TEMPORARY WORKAROUND

CTI Advisory recommends applying without delay the workaround proposed by the vendor in its blog post, which consists of disabling the SLP service on ESXi hypervisors that have not yet been updated.

Note: This change will prevent CIM clients from locating CIM servers through the SLP service.
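As an added example, not taken from this advisory or from VMware, the script below audits an ESXi host for the SLP workaround and applies it only where it is missing. It assumes it is run as root in the ESXi shell, and that the three remediation commands are those published in VMware KB 76372 (stop slpd, disable the CIMSLP firewall ruleset, disable slpd at boot).

```shell
#!/bin/sh
# Added example (not VMware's or the advisory's own code): check and apply the
# CVE-2021-21974 workaround of disabling SLP on an ESXi host.
# Assumptions: run as root in the ESXi shell; esxcli and chkconfig on PATH there.

# Parses `esxcli network firewall ruleset list` output on stdin.
# Returns 0 if the CIMSLP ruleset (OpenSLP, TCP/UDP 427) is still enabled.
cimslp_ruleset_enabled() {
    awk '$1 == "CIMSLP" { if ($2 == "true") found = 1 } END { exit found ? 0 : 1 }'
}

# Parses `chkconfig --list` output on stdin.
# Returns 0 if slpd is still configured to start at boot.
slpd_enabled_at_boot() {
    awk '$1 == "slpd" { if ($2 == "on") found = 1 } END { exit found ? 0 : 1 }'
}

# Returns 0 when the workaround is fully in place (ruleset off AND slpd off at
# boot), 1 if either part is still missing. Arguments are the two command outputs.
slp_workaround_applied() {
    ruleset_out="$1"; chkconfig_out="$2"
    if printf '%s\n' "$ruleset_out" | cimslp_ruleset_enabled; then return 1; fi
    if printf '%s\n' "$chkconfig_out" | slpd_enabled_at_boot; then return 1; fi
    return 0
}

# Applies the vendor workaround (commands as in VMware KB 76372, assumed here).
# Note: CIM clients can no longer discover this host via SLP afterwards.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Only touch a live host when the ESXi tooling is actually present.
if command -v esxcli >/dev/null 2>&1; then
    if slp_workaround_applied "$(esxcli network firewall ruleset list)" "$(chkconfig --list)"; then
        echo "SLP already disabled; no change made"
    else
        disable_slp
        # Re-audit so the outcome is visible in the session log.
        slp_workaround_applied "$(esxcli network firewall ruleset list)" "$(chkconfig --list)" \
            && echo "SLP disabled" || echo "WARNING: SLP still enabled, check manually"
    fi
fi
```

The audit functions take captured command output, so the same checks can be run against text collected from many hosts with a remote shell before deciding which ones still need the workaround.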

SOLUTION

[Clarification] CTI Advisory strongly recommends applying all patches available for the ESXi hypervisor.

Applying patches alone is not enough: an attacker has probably already exploited the vulnerability and may have dropped malicious code on the host. It is recommended to perform a system scan to detect any signs of compromise.

Updating a product or software is a delicate operation that must be carried out with caution. In particular, updates should be tested as thoroughly as possible beforehand. Provisions must also be made to guarantee continuity of service in the event of difficulties when applying updates such as patches or version changes.

EXPERTS' THOUGHTS

“According to experts from the ecosystem as well as authorities, they might be related to Nevada ransomware and are using CVE-2021-21974 as compromise vector. Investigations are still ongoing to confirm those assumptions,” OVHcloud CISO Julien Levrard said.

Dr Zakir Hussain, Security Advisor, mentioned that at least 120 VMware ESXi servers worldwide have already been compromised in this ransomware campaign, according to a Shodan search. However, from the ransom notes seen in this attack, they do not appear to be related to the Nevada ransomware and appear to be from a new ransomware family.

DOCUMENTATION