Hypervisor maker VMware has warned that attackers are using previously disclosed vulnerabilities in its ESXi hypervisor and components to deploy ransomware.
The company believes the vulnerabilities being exploited are not zero-day flaws, meaning the attackers are exploiting previously discovered bugs in the hypervisor. In other words, the attacks exploit instances of the hypervisor that have not been updated or are no longer supported.
Also: Cloud computing dominates. But security is now the biggest challenge
“We wanted to address the recently reported ‘ESXiArgs’ ransomware attacks as well as provide some guidance on actions concerned customers should take to protect themselves,” VMware’s security response center said on Monday.
“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks.”
The company notes that most reports state attacked instances have reached end of support or are significantly out-of-date products.
It’s reiterating a workaround it gave in December for customers to disable the SLP Service on VMware ESXi after OpenSLP vulnerabilities affecting ESXi were disclosed.
France’s computer emergency response team (CERT) last week warned that it became aware of attack campaigns targeting ESXi hypervisors to deploy ransomware on February 3. The SLP service appeared to have been targeted and allows a remote attacker to run code of their choice on the vulnerable server. It also notes that exploit code has been publicly available since at least May 2021.
CERT France strongly recommends admins isolate an affected server, reinstall the hypervisor, apply all patches, disable unnecessary services like SLP, and block access to admin services through a firewall.
Specifically, it recommends the following courses of action:
- Isolate the affected server
- Carry out an analysis of the systems in order to detect any sign of compromise
- Reinstall the hypervisor in a version supported by the publisher (ESXi 7.x or ESXi 8.x)
- Apply all security patches and follow future vendor security advisories
- Disable unnecessary services on the hypervisor
- Block access to the various administration services, either through a dedicated firewall or through the firewall integrated into the hypervisor, and implement a local administration network as well as a remote administration capability if it is required
BleepingComputer reports that attackers behind ESXiArgs ransomware use it to encrypt .vmxf, .vmx, .vmdk, .vmsd, and .nvra files on compromised ESXi servers.