Legacy VMware Bug Exploited in Global Ransomware Campaign

VMware customers are being urged to patch a vulnerability on their ESXi hypervisors first disclosed in 2021, in order to mitigate the impact of an ongoing ransomware campaign.

Government cybersecurity experts in France, Singapore and elsewhere have sounded the alarm after reports emerged of servers being compromised in Italy, France, Finland, the US and Canada.

Reuters reported dozens of servers in Italy as compromised, but the true scale of the global threat is still unknown. A Shodan search from dark web intelligence vendor DarkFeed revealed over 300 victims, although even this is likely to be the tip of the iceberg.

Both the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) appear to be aware of the campaign but had not released any official statement at the time of writing.

The vulnerability in question, CVE-2021-21974, enables attackers to perform remote code execution by triggering a heap-overflow issue in OpenSLP.

It impacts the following ESXi versions:

  • ESXi versions 7.x earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

“Users and administrators of affected product versions are advised to upgrade to the latest versions immediately,” urged the Singapore Computer Emergency Response Team (SingCERT).

“As a precaution, a full system scan should also be performed to detect any signs of compromise. Users and administrators are also advised to assess if the ransomware campaign-targeted port 427 can be disabled without disrupting operations.”

The CERT also published the IP addresses associated with the ransomware actors, so that administrators can update firewall rules to block them.

The SLP can be disabled on any ESXi servers that haven’t been updated, in order to further mitigate the risk of compromise, the French CERT (CERT-FR) added.

The identity of the group behind the campaign is currently unknown, although DarkFeed said each Bictoin wallet provided to victims for payment is different. There’s no leak site linked to the group, only a Tox messaging app ID to contact.

Editorial credit icon image: Pavel Kapysh /

Articles You May Like

Pull Systems launches out of Up.Labs-Porsche partnership to tackle EV performance
NCSC Launches Two New Tools for Small Businesses
CISA Alerts on Critical Security Vulnerabilities in Industrial Control Systems
THN Webinar: 3 Research-Backed Ways to Secure Your Identity Perimeter
When the tech IPO market reopens, keep an eye on HR unicorns

Leave a Reply

Your email address will not be published. Required fields are marked *