VMware warns of ransomware attacks on unpatched ESXi hypervisors

Image: Getty Images / Morsa Image

Virtualization software maker VMware has warned that attackers are using previously disclosed vulnerabilities in virtualization software ESXi and its components to deploy ransomware.

The company believes that the vulnerabilities being exploited are not zero-day bugs, meaning that attackers are exploiting previously disclosed flaws in the hypervisor. In other words, the attacks target versions of the hypervisor that have not been patched or are no longer supported.

“We wanted to address the recently reported ‘ESXiArgs’ ransomware attacks as well as provide some guidance on related actions customers should take to protect themselves,” VMware’s Security Response Center said on Monday.

“VMware found no evidence that an unknown (0-day) vulnerability is being used to propagate the ransomware used in recent attacks.”

The company notes that most reports indicate the attacked products have reached the end of their support period or are significantly out of date.

It is repeating a workaround it gave in December, advising customers to disable the SLP service on VMware ESXi after OpenSLP vulnerabilities affecting ESXi were disclosed.

On Feb. 3, France’s Computer Emergency Response Team (CERT) warned that it was aware of attack campaigns targeting ESXi hypervisors to deploy ransomware. The SLP service appears to have been targeted, allowing a remote attacker to run arbitrary code on the vulnerable server. It also notes that the exploit code has been public since at least May 2021.

CERT France strongly recommends that administrators isolate the affected server, reinstall the hypervisor, apply all patches, disable unnecessary services such as SLP, and block access to administration services through the firewall.

Specifically, it recommends the following courses of action:

  • Isolate the affected server
  • Conduct systems analysis to detect any signs of compromise
  • Reinstall the hypervisor in a publisher-supported version (ESXi 7.x or ESXi 8.x)
  • Apply all security patches and follow future vendor security advisories
  • Disable unnecessary services on hypervisor
  • Block access to various administrative services, either through a dedicated firewall or through a firewall built into the hypervisor, and deploy a local administration network and remote administration capabilities if needed
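The two host-level steps in that list, disabling SLP and restricting administrative services to a management network, can be scripted on the ESXi shell. The script below is an added example and is not code from the article, CERT-FR or VMware; it uses the esxcli, chkconfig and init-script commands that ESXi ships with, while the management subnet (192.0.2.0/24) and the APPLY dry-run switch are assumptions for this example. With APPLY unset it only prints the commands it would run, so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the article or VMware): disable the OpenSLP daemon
# and restrict admin rulesets on an ESXi host. Commands are standard ESXi
# tooling; MGMT_NET and the APPLY switch are assumptions for this example.

APPLY="${APPLY:-0}"                    # 1 = execute, anything else = dry run
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # assumed management subnet (placeholder)

# Execute a command, or print it when in dry-run mode.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '[dry-run] %s\n' "$*"
    fi
}

# SLP workaround: stop the daemon, close the CIMSLP firewall ruleset
# (port 427), and keep slpd disabled across reboots. slpd can only be
# stopped while idle, which 'esxcli system slp stats get' lets you confirm.
disable_slp() {
    run esxcli system slp stats get
    run /etc/init.d/slpd stop
    run esxcli network firewall ruleset set -r CIMSLP -e 0
    run chkconfig slpd off
}

# Restrict one firewall ruleset (e.g. sshServer, vSphereClient) so that only
# hosts in the management subnet may reach it, instead of any address.
restrict_ruleset() {
    rs="$1"
    run esxcli network firewall ruleset set -r "$rs" -a false
    run esxcli network firewall ruleset allowedip add -r "$rs" -i "$MGMT_NET"
}

# Full hardening pass. After applying, 'chkconfig --list | grep slpd' should
# print 'slpd off' and 'esxcli network firewall ruleset list' should show
# CIMSLP disabled.
harden_host() {
    disable_slp
    restrict_ruleset sshServer
    restrict_ruleset vSphereClient
}

harden_host
```

Run it once without APPLY to review the plan, then with `APPLY=1` on the host itself. The allowed-IP change is deliberately applied before any rule is tightened further so that an administrator on the management subnet is not locked out of SSH or the web client.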

BleepingComputer reports that the attackers behind the ESXiArgs ransomware use it to encrypt .vmxf, .vmx, .vmdk, .vmsd and .nvram files on compromised ESXi servers.
