[Updated] Massive Ransomware Campaign Targeting Unpatched VMware ESXi Servers
4 February 2023
Update on 9 Feb 2023:
CISA has released a recovery script for organisations that have been affected by the vulnerability. Please refer to the recovery script here.
Original alert published on 4 Feb 2023:
There are reports of an ongoing ransomware campaign actively exploiting a vulnerability (CVE-2021-21974) in unpatched VMware ESXi servers.
Successful exploitation of the vulnerability could allow an attacker to achieve remote code execution by triggering a heap overflow in the OpenSLP service.
The following versions of the products are affected by the aforementioned vulnerability:
• ESXi versions 7.x earlier than ESXi70U1c-17325551
• ESXi versions 6.7.x earlier than ESXi670-202102401-SG
• ESXi versions 6.5.x earlier than ESXi650-202102101-SG
Users and administrators of affected product versions are advised to upgrade to the latest versions immediately. As a precaution, a full system scan should also be performed to detect any signs of compromise. Users and administrators are also advised to assess whether port 427 (the SLP port targeted by this ransomware campaign) can be disabled without disrupting operations.
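As an added example (not code from CSA, CISA or VMware), a small POSIX-sh triage helper for the steps above: it parses the host's version output, compares 7.x hosts against the fixed build the alert names, flags 6.7/6.5 hosts for a manual check against the named patch bundles, and reports whether SLP on port 427 is still exposed, with the disable steps wrapped in a function. The esxcli/chkconfig invocations, the function names and the sample version text are assumptions.

```shell
#!/bin/sh
# Triage helper for the CVE-2021-21974 alert (added example, not CSA's or VMware's code).
# Runs in ESXi's busybox sh. Only the 7.x fixed build (17325551, ESXi70U1c) is given
# numerically in the alert; the 6.7/6.5 fixes are named patch bundles, so those hosts
# are reported for a manual check against VMSA-2021-0002.
FIXED_BUILD_70=17325551

# build_status VERSION BUILD -> prints patched | vulnerable | check-manually | unsupported
build_status() {
  ver="$1"; build="$2"
  case "$ver" in
    7.*)
      if [ "$build" -ge "$FIXED_BUILD_70" ]; then echo patched; else echo vulnerable; fi ;;
    6.7*|6.5*) echo check-manually ;;
    *) echo unsupported ;;
  esac
}

# parse_version_output: reads `esxcli system version get` text on stdin and
# prints "<version> <build>", e.g. "7.0.1 17325551".
parse_version_output() {
  ver=""; build=""
  while IFS= read -r line; do
    case "$line" in
      *Version:*) ver=${line##*Version: }; ver=${ver%% *} ;;
      *Build:*)   build=${line##*Releasebuild-}; build=${build%% *} ;;
    esac
  done
  echo "$ver $build"
}

# slp_exposed: returns 0 when slpd is enabled at boot or something listens on 427.
slp_exposed() {
  chkconfig --list 2>/dev/null | grep -q 'slpd[[:space:]]*on' && return 0
  esxcli network ip connection list 2>/dev/null | grep -q ':427[[:space:]]' && return 0
  return 1
}

# disable_slp: stop the daemon, close the CIMSLP firewall ruleset, keep it off after reboot.
disable_slp() {
  /etc/init.d/slpd stop &&
  esxcli network firewall ruleset set -r CIMSLP -e 0 &&
  chkconfig slpd off
}

# triage: run on a host; prints patch status and SLP exposure (no changes are made).
triage() {
  set -- $(esxcli system version get | parse_version_output)
  echo "version=$1 build=$2 status=$(build_status "$1" "$2")"
  if slp_exposed; then echo "slp=exposed (port 427 open; consider disable_slp)"; else echo "slp=not-exposed"; fi
}
```

Source the file on the host and call `triage`; `disable_slp` is deliberately not run automatically so the port-427 decision stays with the operator.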
Users and administrators may also wish to configure their firewall rules to block any connections to the following IP addresses purportedly carrying out the attacks:
• 104.152.52[.]55
• 193.163.125[.]138
• 43.130.10[.]173
• 104.152.52[.]0/24
More information is available here:
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/
https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2021-009