VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware to compromised systems.
“These attack campaigns appear to exploit CVE-2021-21974, for which a patch is available as of February 23, 2021,” France’s Computer Emergency Response Team (CERT) said in an advisory on Friday.
VMware, in its own alert posted at the time, described the issue as an OpenSLP stack overflow vulnerability that could lead to arbitrary code execution.
“A malicious actor residing on the same network segment as ESXi and having access to port 427 can trigger the heap overflow issue in the OpenSLP service, resulting in remote code execution,” the service provider noted. of virtualization.
French cloud service provider OVHcloud said the attacks are being detected globally with a specific focus on Europe. The intrusions are suspected to be related to a new Rust-based ransomware strain called Nevada that appeared on the scene in December 2022.
Other ransomware families known to have adopted Rust in recent months include BlackCat, Hive, Luna, Nokoyawa, RansomExx, and Agenda.
“The actors are inviting Russian and English-speaking affiliates to collaborate with a large number of Initial Access Agents (IABs) in [the] dark web,” Resecurity said last month.
“Notably, the group behind the Nevada ransomware is also buying compromised access itself, the group has a dedicated team for subsequent exploitation and for performing network intrusions on the targets of interest.”
However, Bleeping Computer reports that the ransom notes seen in the attacks bear no similarities to the Nevada ransomware, adding that the strain is tracked under the name ESXiArgs.
Users are recommended to upgrade to the latest version of ESXi to mitigate potential threats and restrict access to the OpenSLP service to trusted IP addresses.
Update:
OVHcloud, over the weekend, confirmed that ransomware attacks exploited a vulnerability in OpenSLP as an initial compromise vector. However, the company said that it cannot confirm whether it involved the abuse of CVE-2021-21974 at this stage. It also backed down from initial findings suggesting a plausible link to the Nevada ransomware.
