Massive ransomware attack targets VMware ESXi servers worldwide

A global ransomware attack has hit thousands of servers running the VMware ESXi hypervisor, with more servers expected to be affected, according to national cybersecurity agencies and security experts around the world.

The French Computer Emergency Response Team (CERT-FR) was the first to notice and send an alert about the attack.

“On March<>, CERT-FR became aware of an attack campaign targeting the VMware ESXi hypervisor with the goal of deploying ransomware on it,” CERT-FR wrote.


Other national cybersecurity agencies – including groups in the United States, France and Singapore – also issued alerts about the attack. Servers in France, Germany, Finland, the United States and Canada were reportedly compromised.


So far, more than 3,200 servers around the world have been compromised, according to cybersecurity firm Censys.

CERT-FR and others reported that the campaign exploited CVE-2021-21974, a heap-overflow vulnerability in the OpenSLP service (Service Location Protocol, port 427) of ESXi, for which a patch has been available since March 23, 2021. It allows an unauthenticated attacker with network access to the service to execute arbitrary code remotely. CERT-FR stated that the systems currently being targeted run version 6.x of the ESXi hypervisor, which is earlier than version 7.<>.

“SLP can be disabled on any ESXi server that has not been updated to further reduce the risk of compromise,” CERT-FR wrote in its notice.

An alert issued by cybersecurity provider DarkFeed over the weekend said that in Europe, France and Germany were most affected by the attacks. According to DarkFeed, the majority of servers compromised in France and Germany were hosted by hosting providers OVHcloud and Hetzner respectively.

A ransom note issued to victims of the attack, publicly posted by DarkFeed, reads in part: “Security Alert! We successfully compromised your company… Send the money within 3 days or we will expose some data and increase the price.”

The ransom note cited by DarkFeed demands that 2.01584 bitcoin (approximately $23,000) be sent to a Bitcoin wallet, but the threat actor apparently uses a different wallet for each victim. “Interestingly, the Bitcoin wallets are different in each ransom note. The group does not have a website, only a TOX ID,” DarkFeed said.

Global security agencies are providing advice to security teams.

Administrators are recommended to update to the latest ESXi version

“Users and administrators of affected product versions are advised to immediately upgrade to the latest version. As a precautionary measure, a full system scan should also be performed to detect any signs of compromise. Users and administrators are also advised to evaluate whether ransomware activity targeting port 427 can be disabled without disrupting operations,” the Singapore Computer Emergency Response Team (SingCERT) said in a notice.

Since the attack came to light, security researchers have been analyzing the attack, issuing similar advisories and adding information.

“Upgrade to the latest version of #ESXi and limit access to the #OpenSLP service to trusted IP addresses,” security researcher Matthieu Garin advised in a Twitter post. Garin also shared a detail that helps with recovering encrypted files. “The attacker only encrypts the configuration file, not the vmdk disk where the data is stored. This is definitely very useful!” Garin said.
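The two interim mitigations quoted above (CERT-FR: disable SLP on unpatched hosts; Garin: restrict OpenSLP to trusted addresses) are applied from the ESXi shell. The script below is an added example, not code from the article, CERT-FR or VMware; it assumes the stock ESXi busybox shell with `esxcli` and `chkconfig`, and the trusted addresses passed to `--restrict` are placeholders. The status check works on the text output of `chkconfig slpd --list` and `esxcli network firewall ruleset list`, so it can be unit-tested off-host with constructed output.

```shell
#!/bin/sh
# Added example (not from the article, CERT-FR or VMware): ESXi-shell helper for
# hosts that cannot be patched for CVE-2021-21974 immediately.
#   --check    report whether slpd is off at boot AND the CIMSLP ruleset (port 427) is closed
#   --disable  stop slpd, close CIMSLP, keep slpd off across reboots
#   --restrict keep SLP running but only for the trusted IPs/subnets given as arguments
# Assumes stock ESXi tooling; example IPs are placeholders.

# Parse the output of `chkconfig slpd --list` ("slpd   on" / "slpd   off").
# Returns 0 when slpd is disabled at boot.
slpd_disabled() {
    printf '%s\n' "$1" | grep -Eq '^slpd[[:space:]]+off'
}

# Parse `esxcli network firewall ruleset list` (columns: Name  Enabled).
# Returns 0 when the CIMSLP ruleset is disabled, i.e. port 427 is closed.
cimslp_closed() {
    printf '%s\n' "$1" | grep -Eq '^CIMSLP[[:space:]]+false'
}

# Combine both checks: prints "mitigated" (exit 0) or "exposed" (exit 1).
slp_status() {
    if slpd_disabled "$1" && cimslp_closed "$2"; then
        echo mitigated
        return 0
    fi
    echo exposed
    return 1
}

# Mitigation 1 (CERT-FR): stop slpd now and keep it off after reboot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0   # close port 427 in the ESXi firewall
    chkconfig slpd off                                     # do not start slpd at boot
}

# Mitigation 2 (Garin): allow SLP only from a trusted management network.
restrict_slp() {
    esxcli network firewall ruleset set -r CIMSLP --allowed-all false
    for ip in "$@"; do
        esxcli network firewall ruleset allowedip add -r CIMSLP -i "$ip"
    done
    esxcli network firewall ruleset allowedip list -r CIMSLP
}

# Live actions run only when requested explicitly, so the functions above can be
# sourced and tested without touching a real host.
case "${1:-}" in
    --check)    slp_status "$(chkconfig slpd --list)" "$(esxcli network firewall ruleset list)" ;;
    --disable)  disable_slp ;;
    --restrict) shift; restrict_slp "$@" ;;   # e.g. --restrict 10.0.0.0/24 192.0.2.10
esac
```

Run `--check` before and after applying either mitigation; a host reports "mitigated" only when slpd is off at boot and the CIMSLP ruleset is disabled, which is the state CERT-FR recommends until the host is upgraded. With `--restrict`, slpd stays on and `--check` still reports "exposed" (the port is open), so treat the allowed-IP list, not the check, as the control in that configuration.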

Meanwhile, U.S. agencies said they were assessing the impact of the reported incidents.

“CISA is working with our public and private sector partners to assess the impact of these reported incidents and provide assistance if needed,” the U.S. Cybersecurity and Infrastructure Security Agency said in a statement to the media, according to Reuters.

Researchers note that ransomware attackers often target developed countries.

“Developed countries are generally targeted by ransomware attacks more frequently because they have more resources and Bitcoin and are more likely to pay ransom demands,” said Rahul Sasi, co-founder and CEO of cybersecurity firm CloudSEK.

“These countries also tend to have a higher density of valuable targets, such as large companies and government agencies, which could be vulnerable to a successful attack. Additionally, developed countries generally have more advanced technological infrastructure, making them a more attractive target for cybercriminals who exploit vulnerabilities,” Sasi added.
