New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

February 4, 2023 | Rabbi Lakshmanan | Enterprise Security / Ransomware


The VMware ESXi hypervisor is the target of a new attack designed to deploy ransomware on compromised systems.

“These attack campaigns appear to be exploiting CVE-2021-21974 for which a patch has been available since February 23, 2021,” the French computer emergency response team (CERT) advised Friday.

In its own alert released at the time, VMware described the issue as an OpenSLP heap overflow vulnerability that could lead to arbitrary code execution.

“A malicious actor residing within the same network segment as ESXi with access to port 427 could cause a heap overflow issue in the OpenSLP service, leading to remote code execution,” the virtualization service provider said.

According to French cloud service provider OVHcloud, attacks have been detected worldwide, especially in Europe. The attack is suspected to be related to a new Rust-based ransomware strain called Nevada that emerged in December 2022.

Other ransomware families known to have adopted Rust in recent months include BlackCat, Hive, Luna, Nokoyawa, RansomExx, and Agenda.

“The attackers are asking both Russian- and English-speaking affiliates to work with a number of Initial Access Brokers (IABs) in [the] dark web,” Resecurity said last month.

“In particular, the group behind the Nevada Ransomware purchased the compromised access for themselves, and this group has a dedicated post-exploitation team to perform network intrusions on targeted targets.”


However, Bleeping Computer reports that the ransom note seen in the attack bears no resemblance to the Nevada ransomware, adding that the strain is tracked under the name ESXiArgs.

We recommend upgrading to the latest version of ESXi to mitigate potential threats, and restricting access to the OpenSLP service to trusted IP addresses.
