In an announcement on 3rd February, the French CERT warned of a campaign exploiting the CVE-2021-21974 vulnerability in:
- ESXi version 7.x prior to ESXi70U1c-17325551
- ESXi version 6.7.x prior to ESXi670-202102401-SG
- ESXi version 6.5.x prior to ESXi650-202102101-SG.
The vulnerability has a CVSSv3 base score of 8.8 (High).
It allows remote code execution when:
- the attacker is on the same network segment as the ESXi server
- the attacker can reach port 427 (the OpenSLP service)
The vendor recommends disabling the SLP service on unpatched ESXi hypervisors, installing the security patch as soon as possible, and scanning systems for signs of compromise.
According to Shodan.io, more than half of the publicly reachable encrypted ESXi hypervisors were hosted by OVH (as of 4th February).
OVHCloud has published a report indicating that CVE-2021-21974 is being exploited in ransomware operations.
The malware encrypts VM files with a public key stored at /tmp/public.pem.
File extensions searched for on the system: .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem.
In order to unlock the VM files, the malware tries to stop the corresponding VMs, which frequently does not work as its developers intended.
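The attack preconditions above (an unpatched build and a reachable OpenSLP listener on port 427) and the breach indicator from the OVHCloud report (/tmp/public.pem) can be checked on a host with a short triage script. This is an added example, not code from the original post or from VMware: it parses the real `esxcli system version get` and `esxcli network ip connection list` commands, but the sample outputs, the build number 17000000 and the verdict names are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an ESXi host's exposure to CVE-2021-21974.
# Only the 7.x fix is identified by a build number in the advisory.
FIXED_BUILD_7X=17325551   # from ESXi70U1c-17325551

# Constructed sample outputs (not real captures) in the commands' usual layout.
SAMPLE_VERSION='   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17000000'
SAMPLE_CONN='Proto Recv Q Send Q Local Address Foreign Address State  World ID CC Algo World Name
tcp   0      0      0.0.0.0:427   0.0.0.0:0       LISTEN 2097838  newreno slpd
tcp   0      0      0.0.0.0:22    0.0.0.0:0       LISTEN 2098000  newreno sshd'

esxi_major() { printf '%s\n' "$1" | sed -n 's/^ *Version: \([0-9]*\)\..*/\1/p'; }
esxi_build() { printf '%s\n' "$1" | sed -n 's/^ *Build: Releasebuild-\([0-9]*\).*/\1/p'; }

# True when a TCP listener is bound to port 427 (OpenSLP, normally the slpd world).
slp_listening() {
  printf '%s\n' "$1" | awk '$1=="tcp" && $4 ~ /:427$/ && $6=="LISTEN" {f=1} END {exit !f}'
}

# Breach indicator: the dropped public key. $1 = filesystem root to inspect
# (default /), e.g. a mounted forensic image.
key_dropped() { [ -f "${1:-}/tmp/public.pem" ]; }

# Verdict: patched | vulnerable | mitigated (SLP off, still unpatched) | unverified | unknown
assess() {
  major=$(esxi_major "$1"); build=$(esxi_build "$1")
  case "$major" in
    7) if [ "${build:-0}" -ge "$FIXED_BUILD_7X" ]; then echo patched; return; fi
       unpatched=vulnerable ;;
    # 6.5/6.7 fixes are patch IDs (ESXi670-202102401-SG, ESXi650-202102101-SG):
    # confirm them with `esxcli software vib list` rather than a build compare.
    6) unpatched=unverified ;;
    *) echo unknown; return ;;
  esac
  if slp_listening "$2"; then echo "$unpatched"; else echo mitigated; fi
}

if command -v esxcli >/dev/null 2>&1; then      # on a real host, use live output
  V=$(esxcli system version get); C=$(esxcli network ip connection list)
else                                            # elsewhere, use the constructed sample
  V=$SAMPLE_VERSION; C=$SAMPLE_CONN
fi
echo "CVE-2021-21974 exposure: $(assess "$V" "$C")"
if key_dropped; then echo "IOC: /tmp/public.pem present"; fi
# Vendor workaround for unpatched hosts: /etc/init.d/slpd stop ;
# esxcli network firewall ruleset set -r CIMSLP -e 0 ; chkconfig slpd off
```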