New warnings as global ransomware attack continues

The weekend attack on a host of European servers has become a major global incident, according to one expert, and businesses have been warned that the threats will only increase.

Cyber criminals launched an attack that targeted VMware ESXi servers left unpatched against a two-year-old remote code execution vulnerability, deploying new ESXiArgs ransomware on more than 300 systems.

Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks. To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven’t yet been updated.
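The mitigation the article describes, written out as an ESXi shell script; this is an added example, not the article's or VMware's own script. It assumes the commands VMware documents for disabling SLP (`/etc/init.d/slpd`, `chkconfig` and `esxcli`) are available, and it includes a dry-run mode so the commands can be reviewed before being applied on a host.

```sh
#!/bin/sh
# Added example: disable the OpenSLP service on an ESXi host that cannot be
# patched yet, then verify it stays disabled across reboots.
# Assumes the VMware-documented commands /etc/init.d/slpd, chkconfig and esxcli.
# DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Stop slpd, block its firewall ruleset (TCP/UDP 427) and keep it off at boot.
disable_slp() {
    run esxcli system slp stats get                        # show active SLP agents first
    run /etc/init.d/slpd stop                              # stop the running daemon
    run esxcli network firewall ruleset set -r CIMSLP -e 0 # close the SLP ruleset
    run chkconfig slpd off                                 # do not start it on reboot
}

# Interpret one line of `chkconfig --list` output.
# Returns 0 when the line shows slpd switched off, 1 otherwise.
slpd_line_is_off() {
    printf '%s\n' "$1" | grep -Eq '^slpd[[:space:]]+off[[:space:]]*$'
}

# Check the live host: returns 0 when slpd is off at boot.
slpd_disabled_on_host() {
    line=$(chkconfig --list 2>/dev/null | grep '^slpd')
    slpd_line_is_off "$line"
}

# Apply only when explicitly asked, so sourcing this file does nothing.
if [ "${1:-}" = "--apply" ]; then
    disable_slp
    if slpd_disabled_on_host; then
        echo "slpd is disabled at boot"
    else
        echo "slpd is still enabled at boot; check chkconfig output" >&2
        exit 1
    fi
fi
```

Run it with `DRY_RUN=1 sh disable_slp.sh --apply` first to see the exact commands, then without `DRY_RUN` on the host; `--apply` is a name chosen for this example.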

On Saturday, a Shodan search showed that the spread is extensive, with at least 327 organizations affected, according to Darkfeed, a ransomware monitoring platform.

“The most targeted system is from France on OVH cloud and Hetzner hosting. But they have hit other hosting and cloud companies around the world,” Darkfeed said on Twitter.

OVHcloud added: “A wave of attacks is currently targeting ESXi servers. No OVHcloud managed services are impacted by this attack; however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.”

Andy Norton, European cyber risk officer at Armis, said the impact is not only extensive but could be critical to businesses.

“The ongoing VMware ESXi ransomware attack is a major global incident,” he added. “The potential negative impact for entities who are exposed is high and all VMware ESXi users are strongly encouraged to take prompt action.

“The majority of impacted entities are spread across Europe. Speculation still surrounds who the bad actors ultimately are in this case; strong Russian links have been suggested. However, the good news is there is an active fix for the vulnerability.”

Norton continued: “After identifying your exposure, impacted firms can either upgrade their version of the VMware service and/or implement the recommended fix.

“If you are not an Armis customer, you can undertake a standalone visibility assessment & determine your risk exposure to this vulnerability where this makes sense.”

Last month, Armis issued its annual cyberwarfare report, which warned of heightened threats to businesses.

It said the Russian invasion of Ukraine has not only tragically upended the lives of countless people in a sovereign nation, but it is also causing geopolitical shockwaves of cyberwarfare that will reverberate for the foreseeable future. Today’s targets extend well beyond the higher levels of the opposition governments; any organization is a potential victim, with critical infrastructure and high-value entities at the top of the list.

“Cyberwarfare is the future of terrorism on steroids, providing a cost-effective and asymmetric method of attack, which requires constant vigilance and expenditure to defend against,” said Nadir Izrael, CTO and co-founder of Armis. “Clandestine cyberwarfare is rapidly becoming a thing of the past. We now see brazen cyberattacks by nation-states, often with the intent to gather intelligence, disrupt operations, or outright destroy data. Based on these trends, all organizations should consider themselves possible targets for cyberwarfare attacks and secure their assets accordingly.”
