According to the BSI - Federal Office for Information Security, thousands of servers running VMware's ESXi virtualization solution were infected with ransomware and many were also encrypted in a widespread global attack.
The regional focus of the attacks on the VMware ESXi servers was on France, the USA, Germany and Canada - other countries are also affected. The perpetrators took advantage of a long-known vulnerability in the application's OpenSLP service, which triggered a "heap overflow" and ultimately allowed code to be executed remotely. There is now a tool to restore servers encrypted with ESXiArgs ransomware depending on the constellation of VMware version and patches: the ESXiArgs-Recover-Tool.
2 year old 8.8 high vulnerability
The vulnerability itself - which is listed as CVE-2021-21974 and rated "high" according to CVSS with a severity level of 8.8 - there has been a patch from the manufacturer since February 2021. The BSI had already pointed out the critical vulnerability at the time. According to the BSI, concrete statements on the impact and the extent of possible damage are not yet possible. The BSI is analyzing this IT security incident intensively and is in contact with its international partners.
Italian companies in particular were hit hard by the attack at the weekend. According to various media, Telekom Italia TIM should also be affected by the attack. In some cases, internet performance across the country would have collapsed for a short time. But other countries and many companies continue to have problems. As early as 2021 there were exploits looking for the gap in ESXi servers and running malware.
Already more than 1.900 infected ESXi servers
The update comes too late for many administrators, as their VMware ESXi servers are already encrypted by ransomware. Companies that still have this vulnerability and have not yet been discovered should patch the servers immediately. According to Check Point, more than 1.900 ESXi servers have already been infected, with most of the victims reportedly coming from OVH and Hetzner Service Providers. Also CERT, the French cybersecurity authority, has already issued a warning to all companies and server operators. The security instructions for patching the vulnerability and the description of the vulnerable systems are available from VMwareLearn more about the server update at VMware.com