Massive exploitation of a Vmware ESXi vulnerability to distribute ransomware

A massive ransomware attack is underway. This attack exploits an old RCE vulnerability existing on some VMWare ESXi versions.

An RCE vulnerability allows a malicious person to execute arbitrary code remotely on a machine, without needing to know the password of the machine.

The present vulnerability with the CVE number CVE-2021-21974, has a HIGH severity level, with a score of 8.8. It is currently exploited to introduce ransomware on the attacked computers.

Old vulnerability

The CVE-2021-21974 vulnerability is not new. In fact, a patch has been available since February 23, 2021. Its current massive exploitation means that several organizations have not taken steps to fix the vulnerability.

Port targeted

The attack targets the OpenSLP port (427).

Vulnerable ESXi versions

The following ESXi versions are vulnerable:

ESXi versions 7.x prior to ESXi70U1c-17325551
ESXi versions 6.7.x prior to ESXi670-202102401-SG
ESXi versions 6.5.x prior to ESXi650-202102101-SG

How to know if you are vulnerable

You need to perform a vulnerability scanning of your VMWare environment (if you are using any). If you need help, contact us at 877-208-9040 or talk to one of our experts.

CISA releases script to rebuild impacted VMs
February 7, 2023 in the evening: CISA has made available a script that could allow to rebuild the metadata of impacted VMs from virtual disks that have not been encrypted by the ransomware. Note that the script is not a ransomware decryptor.

With a bit of luck, some victims could recover some impacted VMs.

You can download the script here.

Considerations on vulnerabilities with a score of 8.8

HIGH vulnerability score means that:

The vulnerability can be exploited remotely.
No authentication is required to exploit the vulnerability.
The attacker does not need to know the password of the attacked server

the vulnerability can be easily exploited.
the impacts can be major

It is therefore urgent to correct this vulnerability.

How to check if you have been targeted by this massive attack

Check your firewall for incoming communications on port OpenSLP (427)

Mitigation

The patch for the vulnerability can be found here.
As an additional measure, you can also block external communications coming in on port 427.

How can Streamscan help you?

Cyberattacks are exploding all the time. Without continuous security monitoring, you are completely blind to the attacks that are targeting you. You can't defend against what you can't see.

Let us put our eyes on your network. Join our MDRmanaged monitoring platform powered by our CDS cyber threat detection technology and keep yourself safe from cyberattacks.