
Ransomware scum launch wave of attacks on critical, but old, VMware ESXi vuln

You’ve had almost two years to patch and some of the software is EOL, now attackers déployer un rançongiciel

France's Computer Emergency Response Team has issued a Bulletin D'Alerte regarding a campaign to infect VMware’s ESXi hypervisor with ransomware.

We get a little language lesson with this one: France's CERT describes this as an attempt to "déployer un rançongiciel," while Italy's Agenzia per la Cybersicurezza Nazionale – which has also warned of the campaign – warns that a "rilascio di ransomware" is under way.

Neither nation's infosec authorities offer any information about the source of the attack, but both note that it goes after CVE-2021-21974 – a 9.1/10 rated bug disclosed and patched almost two years ago in February 2021.

CVE-2021-21974 affects ESXi 7.0, 6.7 and 6.5. The latter two versions exited support in October 2022.

We're sure those of you running unsupported and unpatched code have good reasons to do so. You now have very good reason to change your behavior tout de suite, because ransomware-slingers don't launch campaigns unless they see some rich targets. And targets don't come much richer than ESXi – the bare metal hypervisor can afford access to many guest machines that run apps and store data.

Thankfully, the ransomware deployed in this attack is a bit crap. France-based cloud OVH has observed the campaign and believes the encryption sometimes fails and that data is not exfiltrated. Decryption tools are also already available.

The org has also observed the following indicators of compromise:

  • The compromise vector is confirmed to use an OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed). The logs actually show the user dc-ui as involved in the compromise process.
  • Encryption is using a public key deployed by the malware in /tmp/public.pem
  • The encryption process is specifically targeting virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, *.vmem)
  • The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.
  • The malware creates argsfile to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size).

The above should help users to determine if they've been targeted by this campaign, and potentially infected by ransomware.
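One way to turn that list into a first-pass check, as an added example that is not from OVH, VMware or the original article: a POSIX shell function that looks for the key file, the argument file and log mentions of the dc-ui user under a chosen root. The scan root, the log file path, the `ARGS_PATTERN` file-name match and the "modified after the key" heuristic are assumptions, not details given above.

```shell
#!/bin/sh
# Added example, not OVH's or VMware's tooling: checks a file tree for the
# indicators in the list above. Assumptions: the operator supplies ROOT and
# LOGFILE; ARGS_PATTERN is a guess at how the "argsfile" is named on disk.
ARGS_PATTERN="${ARGS_PATTERN:-*args*}"
VM_EXTS="vmdk vmx vmxf vmsd vmsn vswp vmss nvram vmem"

# esxi_ioc_triage ROOT [LOGFILE]
# Prints one line per finding; returns 1 if any indicator was found, else 0.
esxi_ioc_triage() {
    root="${1:-/}"; log="${2:-}"; hits=0
    key="${root%/}/tmp/public.pem"

    # Indicator: public key deployed by the malware.
    if [ -f "$key" ]; then
        echo "HIT key $key"; hits=$((hits + 1))
        # Heuristic (an assumption): targeted VM files modified after the key
        # was written are the first candidates to inspect for encryption.
        for ext in $VM_EXTS; do
            find "$root" -type f -name "*.$ext" -newer "$key" 2>/dev/null
        done | sed 's/^/CHECK vmfile /'
    fi

    # Indicator: file holding the arguments passed to the encrypt binary.
    args=$(find "$root" -type f -name "$ARGS_PATTERN" 2>/dev/null)
    if [ -n "$args" ]; then
        echo "$args" | sed 's/^/HIT argsfile /'; hits=$((hits + 1))
    fi

    # Lead only: the article spells the account "dc-ui"; "dcui" is matched too
    # because that is ESXi's console account and appears in routine log lines.
    if [ -n "$log" ] && [ -r "$log" ]; then
        n=$(grep -c -E 'dc-?ui' "$log" || true)
        if [ "$n" -gt 0 ]; then
            echo "LEAD log $n line(s) in $log mention dc-ui"; hits=$((hits + 1))
        fi
    fi
    [ "$hits" -eq 0 ]
}

# Run only when arguments are given, e.g.: sh triage.sh / /path/to/log
if [ "$#" -gt 0 ]; then esxi_ioc_triage "$@"; fi
```

A clean result only means these particular artefacts were not found under the chosen root; it does not show the host is patched against CVE-2021-21974.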

VMware, meanwhile, warned on February 2 of an arbitrary file deletion vulnerability in version 17.x of its Workstation desktop hypervisor. CVE-2023-20854 is rated 7.8/10 as "a malicious actor with local user privileges on the victim's machine may exploit this vulnerability to delete arbitrary files from the file system of the machine on which Workstation is installed."

Upgrading to version 17.0.1 knocks it on the head. ®
