Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide; more than 500 systems affected already

Sergiu Gatlan reports:

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.

Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.

“As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,” CERT-FR said.

Read more at BleepingComputer.

Valéry Rieß-Marchive also reports on developments. A machine translation of his update:

[updated, February 4, 2023 at 12:10 p.m.] The specialized search engine Onyphe now lists more than 500 affected VMware ESXi systems around the world. For now, the ransomware involved is called ESXiArgs, say our colleagues from Bleeping Computer, because the extension of the encrypted files is changed to “.args”. The executable responsible for encryption is light, about 49 Kb, and is launched by a shell script.

Overnight, Enes Sonmez of YoreGroup’s technical team produced a step-by-step guide which, according to consistent sources, works and allows recovering encrypted files without having to go through the restoration of backups. This could potentially help to accelerate the restart of the affected services.

Read his full report at LeMagIT.
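A defender-side triage helper for the one indicator the reporting above gives (the “.args” suffix on encrypted files), added here as an example and not taken from the article or from any of the cited researchers; it assumes the usual /vmfs/volumes datastore layout, and the sample listing inside it is constructed.

```python
"""Inventory ".args"-suffixed files on an ESXi datastore, grouped by VM folder,
so responders can see which VMs are affected before choosing between the
reported recovery procedure and a restore from backup. Added example code."""
import os
from collections import defaultdict

ENCRYPTED_SUFFIX = ".args"   # suffix the reporting says ESXiArgs appends

# Constructed sample listing (not real data) in the /vmfs/volumes layout.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/db01/db01.vmx.args",
    "/vmfs/volumes/ds1/db01/db01.vmx",
    "/vmfs/volumes/ds1/app02/app02.vmdk",
]


def classify_paths(paths):
    """Group encrypted files by their directory (the VM folder).

    Returns {vm_dir: [(original_name, unencrypted_copy_present), ...]},
    sorted by original name. original_name is the file name with the
    ".args" suffix stripped; unencrypted_copy_present says whether a file
    of that name also appears in the listing (useful for restore planning).
    """
    present = set(paths)
    by_dir = defaultdict(list)
    for p in present:
        if not p.endswith(ENCRYPTED_SUFFIX):
            continue
        vm_dir, name = os.path.split(p)
        original = name[: -len(ENCRYPTED_SUFFIX)]
        by_dir[vm_dir].append((original, os.path.join(vm_dir, original) in present))
    return {d: sorted(v) for d, v in by_dir.items()}


def walk_datastore(root):
    """Yield every file path under a datastore mount point for classify_paths()."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


def summarize(report):
    """Return (affected_vm_dirs, encrypted_file_count) for a classify_paths() result."""
    return len(report), sum(len(v) for v in report.values())


if __name__ == "__main__":
    import sys
    # Pass a datastore path to scan a live host; otherwise use the constructed sample.
    listing = walk_datastore(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    report = classify_paths(listing)
    for vm_dir, files in sorted(report.items()):
        print(vm_dir, files)
    print("affected VM directories: %d, encrypted files: %d" % summarize(report))
```

Run it read-only from the ESXi shell against a mounted datastore; it only lists files and never touches them, so the evidence stays intact for recovery or forensics.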


About the author: Dissent
