Critical vulnerability in VMware ESXi: Global wave of attacks presumably also shut down hundreds of German companies
by Tina Siering
A critical security vulnerability in the virtualization solution "ESXi" of the manufacturer VMware is currently being actively exploited by cyber criminals to attack so-called ESXi servers worldwide. According to media reports, hundreds of companies and institutions in Germany alone appear to be affected by the wave of attacks.
The perpetrators are exploiting a vulnerability in the application's OpenSLP service, which has been known for some time and has been patched by the manufacturer since February 2021, to execute malicious code and infiltrate a ransomware called "Nevada", which can be used to encrypt the virtual hard disks of guest systems.
The attacks are targeted against unpatched systems with versions 6.5.x, 6.7.x, 7.x. The security vulnerability CVE-2021-21974 is rated "high" according to CVSS with a severity level of 8.8. The BSI has declared the second-highest warning level (warning level 3/orange) due to a business-critical threat situation.
Recommendation for action:
We recommend that IT security managers immediately install the security update provided by the manufacturer in order to permanently close the vulnerability.
As a workaround, according to the manufacturer, it should also be possible to block attacks by disabling the SLP protocol on unpatched hypervisor systems. VMware has published instructions for this on the company website.
Need help upgrading your IT security for 2023? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.