VMware warns of ransomware attacks on unpatched ESXi hypervisors


Hypervisor maker VMware has warned that attackers are using previously disclosed vulnerabilities in its ESXi hypervisor and components to deploy ransomware. 

The company believes the vulnerabilities being exploited are not zero-day flaws, meaning the attackers are using previously disclosed bugs in the hypervisor. In other words, the attacks succeed against instances of the hypervisor that have not been patched or are no longer supported.


“We wanted to address the recently reported ‘ESXiArgs’ ransomware attacks as well as provide some guidance on actions concerned customers should take to protect themselves,” VMware’s security response center said on Monday.

“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks.” 

The company notes that most reports describe the attacked instances as products that have reached end of support or are significantly out of date.

It’s reiterating the workaround it gave in December, after OpenSLP vulnerabilities affecting ESXi were disclosed: customers should disable the SLP service on VMware ESXi.

France’s computer emergency response team (CERT) warned last week that on February 3 it became aware of attack campaigns targeting ESXi hypervisors to deploy ransomware. The SLP service appears to have been the target; the vulnerability allows a remote attacker to run code of their choice on the vulnerable server. It also notes that exploit code has been publicly available since at least May 2021.

CERT France strongly recommends admins isolate an affected server, reinstall the hypervisor, apply all patches, disable unnecessary services like SLP, and block access to admin services through a firewall. 

Specifically, it recommends the following courses of action: 

  • Isolate the affected server
  • Carry out an analysis of the systems in order to detect any sign of compromise 
  • Reinstall the hypervisor in a version supported by the publisher (ESXi 7.x or ESXi 8.x)
  • Apply all security patches and follow future vendor security advisories
  • Disable unnecessary services on the hypervisor
  • Block access to the various administration services, either through a dedicated firewall or through the firewall integrated into the hypervisor, and implement a local administration network as well as a remote administration capability if it is required 
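The SLP workaround VMware refers to, applied and then verified from the ESXi Shell, as an added example that is not code from the article, VMware or CERT-FR. It assumes root access on the host and the service name `slpd` and firewall ruleset name `CIMSLP` used by VMware's workaround; the two parsing helpers are exercised against constructed sample output so the logic can be checked off-host.

```shell
#!/bin/sh
# Disable the OpenSLP service on an ESXi host and verify the result.
# Assumes: run as root in the ESXi Shell or over SSH; service name "slpd"
# and firewall ruleset "CIMSLP" as used in VMware's SLP workaround.

# Constructed sample output (not captured from a real host), for offline checks.
SAMPLE_CHKCONFIG='sfcbd-watchdog on
slpd on'
SAMPLE_RULESETS='Name      Enabled
-------   -------
CIMSLP    true
sshServer true'

# Read `chkconfig --list` output on stdin; print slpd's boot state
# ("on"/"off"), or "absent" if the service is not listed.
slpd_boot_state() {
    awk '$1 == "slpd" { print $2; found = 1 }
         END { if (!found) print "absent" }'
}

# Read `esxcli network firewall ruleset list` output on stdin; print the
# CIMSLP ruleset state ("true"/"false"), or "absent" if it is not listed.
cimslp_ruleset_state() {
    awk '$1 == "CIMSLP" { print $2; found = 1 }
         END { if (!found) print "absent" }'
}

# Stop SLP now, close its firewall ruleset, keep it off across reboots,
# then re-read host state to confirm. Returns 0 on success, 1 if SLP is
# still active, 2 when not on an ESXi host (nothing is changed).
disable_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found: not an ESXi host, nothing changed" >&2
        return 2
    fi
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    boot=$(chkconfig --list | slpd_boot_state)
    fw=$(esxcli network firewall ruleset list | cimslp_ruleset_state)
    if [ "$boot" = "off" ] && [ "$fw" = "false" ]; then
        echo "SLP disabled (slpd boot=$boot, CIMSLP enabled=$fw)"
        return 0
    fi
    echo "SLP still active (slpd boot=$boot, CIMSLP enabled=$fw)" >&2
    return 1
}
```

Run `disable_slp` on each host after isolating it; a non-zero exit means the service or its firewall rule is still active and the host needs manual attention.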

BleepingComputer reports that attackers behind ESXiArgs ransomware use it to encrypt .vmxf, .vmx, .vmdk, .vmsd, and .nvra files on compromised ESXi servers. 
