A global ransomware campaign hit thousands of organizations using specific versions of VMware ESXi starting Friday, according to cyber authorities and experts.
Investigations are underway into the initial access vector, but researchers and agencies in multiple countries have linked the campaign to a known VMware vulnerability that was first discovered and patched almost two years ago. The attacks span multiple countries in Europe, Canada and the U.S.
Nearly 2,000 servers were compromised within 24 hours and at least 2,250 machines have been compromised so far, according to Patrice Auffret, founder, CTO and CEO of the France-based cybersecurity firm Onyphe.
Critical vulnerabilities in VMware products are a recurring problem, and ESXi, hypervisor software for server virtualization, is a common target for ransomware operators.
“A ransomware variant dubbed ESXiArgs appears to be targeting end of general support or significantly out of date products by leveraging known vulnerabilities previously addressed and disclosed in VMware security advisories,” a VMware spokesperson said via email.
Threat actors can exploit a known heap-overflow vulnerability in the OpenSLP service of VMware ESXi, CVE-2021-21974, to gain access and initiate attacks with relatively little complexity.
“VMware has not found any evidence that would suggest an unknown or zero-day vulnerability is being used to propagate the ransomware in the ESXiArgs attacks,” VMware said in a blog post.
About 66,000 machines are potentially exposed by this spree of attacks, but it’s unknown what percentage of those devices are patched, according to Auffret.
“Attacks against vulnerabilities this old are likely to burn through potential victims quite quickly,” Chester Wisniewski, field CTO of applied research at Sophos, said via email.
Threat actors could tweak the code or find further ways to improve the attack vector so that it affects more unpatched versions. Such a move “would result in another large burst of victims potentially,” Wisniewski said.
Sophos hasn’t verified who is behind the attacks, but it observed evidence suggesting multiple attackers might be involved.
The individual or group behind the attacks is demanding about two bitcoins from each victim, Auffret said via email.
“From my perspective, it is not a signature of a big ransomware group. They would have targeted more carefully,” Auffret said, adding that a customized ransom demand would be the signature of a bigger group.
Ransomwhere, the open-source ransomware payment tracker, compiled a list of more than 1,700 ransomware payment addresses used in the spree of attacks and has tracked two payments valued at $58,000 to date.
The Cybersecurity and Infrastructure Security Agency is working with public and private sector partners to assess the impacts of these reported incidents and provide assistance, a spokesperson said via email.
Authorities in Germany, France, Italy and Canada are also responding and investigating the attacks.