Saturday, February 4, 2023

[New post] Large (hundreds) CVE-2021-21974 ESXi VMware based ESXiArgs (Nevada?) ransomware attacks

jpluimers

Feb 4

[Image: Shodan.io results for query html:"We hacked your company successfully" title:"How to Restore Your Files"]

[Wayback/Archive] Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.
"As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021," CERT-FR said.
"The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7."
To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven't yet been updated.
CERT-FR strongly recommends applying the patch as soon as possible but adds that systems left unpatched should also be scanned to look for signs of compromise.
CVE-2021-21974 affects the following systems:
  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

[Wayback/Archive] Esxi Ransomware Help and Support Topic (ESXiArgs / .args extension) - Page 2 - Ransomware Help & Tech Support (there are now 4 pages, most victims OVH, likely many more pages to follow)

[Wayback/Archive] How to Disable/Enable the SLP Service on VMware ESXi (76372)

[Wayback/Archive] html:"We hacked your company successfully" title:"How to Restore Your Files" - Shodan Search which resulted in the above image (I tweeted it at [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: "@vmiss33")

Commands used in [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: "@vmiss33 I did forget to disable SLP on a patched system, but doing that is easy as per kb.vmware.com/s/article/76372":

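# Check whether the SLP daemon is running
/etc/init.d/slpd status
# Stop the SLP daemon
/etc/init.d/slpd stop
# Show SLP statistics
esxcli system slp stats get
# Disable the CIMSLP firewall ruleset
esxcli network firewall ruleset set -r CIMSLP -e 0
# Keep slpd from starting at boot
chkconfig slpd off
# Verify the boot setting
chkconfig --list | grep slpd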
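
A check that the mitigation above actually stuck (daemon stopped, not started at boot, firewall ruleset off), as an added example that is not part of the original post. The function names are hypothetical, and the output formats matched ("slpd is not running", "slpd ... off", "CIMSLP ... false") are assumptions about what these commands print; the test strings are constructed.

```shell
#!/bin/sh
# Added example: audit whether the SLP mitigation is fully applied.
# Each check parses the text output of one command, so the logic can be
# exercised offline against captured output. Output formats are assumed.

# Expects "slpd is running" / "slpd is not running" (/etc/init.d/slpd status)
slpd_stopped() {
    case "$1" in
        *"not running"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Expects a line like "slpd   off" (chkconfig --list | grep slpd)
slpd_boot_disabled() {
    printf '%s\n' "$1" | awk '$1 == "slpd" { found = 1; if ($2 != "off") bad = 1 }
        END { exit !(found && !bad) }'
}

# Expects a line like "CIMSLP   false" (esxcli network firewall ruleset list)
cimslp_rule_disabled() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" { found = 1; if ($2 != "false") bad = 1 }
        END { exit !(found && !bad) }'
}

# Prints one FAIL line per failed check, or a single OK line.
# Returns 0 only if all three checks pass; missing output counts as a failure.
slp_audit() {
    rc=0
    slpd_stopped "$1"         || { echo "FAIL: slpd is still running"; rc=1; }
    slpd_boot_disabled "$2"   || { echo "FAIL: slpd is enabled at boot"; rc=1; }
    cimslp_rule_disabled "$3" || { echo "FAIL: CIMSLP firewall ruleset is enabled"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: SLP mitigation fully applied"
    return "$rc"
}

# Live use in an ESXi shell; skipped on machines without esxcli.
if command -v esxcli >/dev/null 2>&1; then
    slp_audit "$(/etc/init.d/slpd status 2>&1)" \
              "$(chkconfig --list | grep slpd)" \
              "$(esxcli network firewall ruleset list | grep CIMSLP)"
fi
```

Stopping the daemon without `chkconfig slpd off` passes the first check only until the next reboot, which is why the three states are checked separately.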

More links to follow, but I'm away from keyboard for most of the day.

--jeroen

http://wiert.me/2023/02/04/large-hundreds-cve-2021-21974-esxi-vmware-based-esxiargs-nevada-ransomware-attacks/
