Ransomware Operators Target VMware ESXi Servers

The French Computer Emergency Response Team (CERT-FR) released an advisory regarding an active campaign targeting VMware ESXi hypervisors and deploying ransomware on compromised devices. Here’s what you need to know.

Tell me more about VMware ESXi hypervisors.

VMware ESXi is a hypervisor developed to deploy and manage virtual machines. Rather than running as a software application installed on top of a host operating system, VMware ESXi runs on its own kernel (the core of an operating system that acts as the interface between user applications and the hardware).

What is the situation?

The VMware ESXi vulnerability is tracked as CVE-2021-21974. This vulnerability is scored as an 8.8 out of 10 (HIGH) on the CVSS 3.0 scoring system and is described as a heap-overflow vulnerability.

A heap-overflow vulnerability happens when more data than can fit in a heap-allocated buffer is written into it. This can result in data corruption or unexpected behavior in any process that accesses the affected memory area.

CVE-2021-21974 affects the following versions of ESXi:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

Fortunately, patches have been available for this vulnerability since February 2021. VMware’s initial security advisory, which includes patching information, can be found here. As a workaround, organizations can also disable the Service Location Protocol (SLP) on devices until patches can be applied.

What is Nuspire doing?

Nuspire is not affected by this vulnerability.

What should I do?

While threat actors like to pounce on newly announced vulnerabilities, they still pivot back to previous vulnerabilities in their campaigns. Organizations must be mindful of their technology stacks and ensure they’ve implemented a vulnerability management program that prioritizes critical assets.

If organizations are using VMware ESXi and have not applied the latest patches, they should – in accordance with VMware’s documentation – do so as soon as possible, as this vulnerability is being actively targeted.

Administrators and security teams must understand their technology stack, monitor for vulnerabilities and prioritize patching, especially for internet-facing and critical assets.
