Cybercriminals are actively exploiting a two-year-old VMware vulnerability as part of a ransomware campaign targeting thousands of organizations worldwide.
Reports emerged over the weekend that VMware ESXi servers left vulnerable and unpatched against a remotely exploitable bug from 2021 were compromised and scrambled by a ransomware variant dubbed “ESXiArgs.” ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server.
France’s computer emergency response team CERT-FR reports that the cybercriminals have been targeting VMware ESXi servers since February 3, while Italy’s national cybersecurity agency ACN on Sunday warned of a large-scale ransomware campaign targeting thousands of servers across Europe and North America.
U.S. cybersecurity officials have also confirmed they are investigating the ESXiArgs campaign. “CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed,” a CISA spokesperson told TechCrunch. “Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”
Italian cybersecurity officials warned that the ESXi flaw could be exploited by unauthenticated threat actors in low-complexity attacks, which don’t rely on using employee passwords or secrets, according to the Italian ANSA news agency. The ransomware campaign is already causing “significant” damage due to the number of unpatched machines, local press reported.
More than 3,200 VMware servers worldwide have been compromised by the ESXiArgs ransomware campaign so far, according to a Censys search (via Bleeping Computer). France is the most affected country, followed by the U.S., Germany, Canada and the United Kingdom.
It’s not clear who is behind the ransomware campaign. French cloud computing provider OVHCloud backtracked on its initial findings suggesting a link to the Nevada ransomware variant.
A copy of the alleged ransom note, shared by threat intelligence provider DarkFeed, shows that the hackers behind the attack have adopted a “triple-extortion” technique, in which the attackers threaten to notify victims’ customers of the data breach. The unknown attackers are demanding 2.06 bitcoin — approximately $19,000 in ransom payments — with each note displaying a different bitcoin wallet address.
In a statement given to TechCrunch, VMware spokesperson Doreen Ruyak said the company was aware of reports that a ransomware variant dubbed ESXiArgs “appears to be leveraging the vulnerability identified as CVE-2021-21974” and said that patches for the vulnerability “were made available to customers two years ago in VMware’s security advisory of February 23, 2021.”
“Security hygiene is a key component of preventing ransomware attacks, and organizations who are running versions of ESXi impacted by CVE-2021-21974, and have not yet applied the patch, should take action as directed in the advisory,” the spokesperson added.
https://techcrunch.com/
Small and medium businesses have become a growing target for malicious online hackers in recent years, currently accounting for between 43% and 61% of all security breaches and some $7 billion annually in related losses, according to different estimates. Today, a startup called Guardz is emerging from stealth with a two-part offering aimed at protecting them: a SaaS-based set of low-code […]
In a financial filing on Thursday, T-Mobile revealed that a hacker accessed a trove of personal data belonging to 37 million customers. The telecom giant said that the “bad actor” started stealing the data, which includes “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of […]
U.S. nonprofit healthcare giant Maternal & Family Health Services has confirmed hackers accessed sensitive patient, financial and medical information months earlier. In an advisory published on its website on Thursday, MFHS said a “sophisticated ransomware incident” exposed the sensitive information of current and former patients, employees and vendors. This information included names, addresses, dates of birth, Social Security numbers, […]
Leave a Reply