Hackers Exploit VMware ESXi Flaw, Deploy LockBit Ransomware
Attackers are exploiting a long-patched vulnerability in VMware ESXi servers that were never updated, deploying malware and encrypting the virtual machines those hosts run. The ESXiArgs malware, which early reporting linked to the Nevada ransomware family, has hit more than 3,000 servers worldwide; most of the exposed hosts are in France, the US, and Germany.
The LockBit ransomware group is suspected of being behind these attacks. The intrusions exploit two vulnerabilities in the OpenSLP service that ESXi enables by default: CVE-2021-21974, a heap overflow, and CVE-2020-3992, a remote code execution flaw. Both are reachable over the SLP port (427) of any host whose management network is exposed. VMware's advisory for CVE-2021-21974 covers ESXi 6.5, 6.7, and 7.0, and fixes have been available since February 2021. Cybersecurity firm Wiz reports that, at the time of writing, 12% of ESXi servers worldwide are still unpatched and vulnerable.
The malware gains code execution on the hypervisor and encrypts a targeted set of virtual machine files, including .vmxf, .vmx, .vmdk, .vmsd, and .nvram. The attacks are not sophisticated, and some victims have recovered their virtual machines without restoring from backup, because the encryptor did not always touch the large flat .vmdk disk data files that hold the actual VM contents. VMware recommends applying the patches or, as a stopgap, disabling the OpenSLP service on ESXi hosts where it is not needed.
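As an added example (not code from the article, VMware, or any of the researchers cited), the following Python script triages an ESXi inventory against the two OpenSLP CVEs: a host is "patched" if its build is at or past the fixed build for its version line, "mitigated" if it is unpatched but SLP is both stopped and firewalled, and "exposed" otherwise, in which case the script prints the SLP-disable steps. The inventory is constructed for demonstration, and the fixed build numbers are recalled from VMSA-2021-0002 and must be verified against the advisory before acting on the output.

```python
"""Triage ESXi hosts for exposure to CVE-2021-21974 / CVE-2020-3992 (OpenSLP).

Added example with a constructed inventory; not data from any real environment.
"""
from dataclasses import dataclass

# Fixed builds as recalled from VMSA-2021-0002 (7.0: ESXi70U1c,
# 6.7: ESXi670-202102401-SG, 6.5: ESXi650-202102101-SG).
# ASSUMPTION: verify these against the advisory before relying on them.
FIXED_BUILDS = {"7.0": 17325551, "6.7": 17499825, "6.5": 17477841}

# Stopgap from VMware's guidance: stop slpd, close the CIMSLP firewall
# ruleset, and keep slpd from starting again on boot.
SLP_DISABLE_STEPS = (
    "/etc/init.d/slpd stop",
    "esxcli network firewall ruleset set -r CIMSLP -e 0",
    "chkconfig slpd off",
)


@dataclass(frozen=True)
class Host:
    name: str
    version: str                  # e.g. "6.7.0", as printed by `vmware -vl`
    build: int                    # e.g. 17167734
    slpd_running: bool            # from `/etc/init.d/slpd status`
    cimslp_ruleset_enabled: bool  # from `esxcli network firewall ruleset list -r CIMSLP`


def version_line(version: str) -> str:
    """'6.7.0' -> '6.7'; the advisory applies per major.minor line."""
    return ".".join(version.split(".")[:2])


def classify(host: Host) -> str:
    fixed = FIXED_BUILDS.get(version_line(host.version))
    if fixed is None:
        # e.g. 8.0 (not affected) or end-of-life lines the advisory omits
        return "not-in-advisory"
    if host.build >= fixed:
        return "patched"
    if not host.slpd_running and not host.cimslp_ruleset_enabled:
        return "mitigated"
    # A stopped daemon with an open firewall ruleset still counts as exposed:
    # slpd comes back on reboot unless it is also disabled with chkconfig.
    return "exposed"


def remediation(host: Host) -> list[str]:
    """Commands for an exposed host. Disabling SLP is the stopgap; patch after."""
    if classify(host) != "exposed":
        return []
    return list(SLP_DISABLE_STEPS)


def triage(hosts) -> dict[str, str]:
    return {h.name: classify(h) for h in hosts}


# Constructed inventory (hostnames and builds are illustrative only).
INVENTORY = [
    Host("esx-a", "7.0.0", 17325551, True, True),    # at fixed build -> patched
    Host("esx-b", "6.7.0", 17167734, True, True),    # old build, SLP up -> exposed
    Host("esx-c", "6.5.0", 16576891, False, False),  # old build, SLP off -> mitigated
    Host("esx-d", "6.7.0", 17167734, False, True),   # daemon down, firewall open -> exposed
    Host("esx-e", "8.0.0", 20513097, True, True),    # outside advisory scope
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(f"{h.name:8} {h.version} build {h.build}: {classify(h)}")
        for cmd in remediation(h):
            print(f"    {cmd}")
```

In practice the Host records would be filled from an SSH sweep or vCenter export rather than typed in; the value of the check is the "mitigated" state, which catches hosts that were protected by disabling SLP but still need the patch.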
The lesson is not new: the fixes for these bugs have been available for two years, and every compromised host was one that had neither been patched nor had SLP switched off. Organizations running ESXi should apply the current patches, disable OpenSLP where nothing depends on it, keep hypervisor management interfaces off the internet, and hold offline backups of virtual machine files so that recovery does not depend on an attacker's mistakes.