VMware ESXi hypervisors have become the target of a new wave of attacks aimed at deploying ransomware on compromised systems.
“These attack campaigns appear to be using CVE-2021-21974, a patch for which has been available since February 23, 2021,” the French Computer Emergency Response Team (CERT) said in a notice on Friday.
VMware, in its own warning issued at the time, described the issue as an OpenSLP heap overflow vulnerability that could lead to arbitrary code execution.
“An attacker on the same network segment as ESXi with access to port 427 could cause a dynamic memory overflow issue in the OpenSLP service, leading to remote code execution,” the virtualization service provider noted.
French cloud provider OVHcloud said attacks are being detected around the world, especially in Europe. The attacks are believed to be related to a new strain of Rust-based ransomware called Nevada that appeared in December 2022.
Other ransomware families known to have adopted Rust in recent months include BlackCat, Hive, Luna, Nokoyawa, RansomExx, and Agenda.
“Players invite Russian-speaking and English-speaking affiliates to cooperate with a large number of Initial Access Brokers (IAB) in [the] darknet,” the security service said last month.
“It is noteworthy that the group behind the Nevada Ransomware also buys compromised access on their own; the group has a special team for post-exploitation and network intrusions into objects of interest.”
However, Bleeping Computer reports that the ransom notes seen in the attacks have nothing to do with Nevada ransomware, adding that the strain is being tracked as ESXiArgs.
Users are advised to upgrade to the latest version of ESXi to mitigate potential threats and restrict access to the OpenSLP service to trusted IP addresses.
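A defender's audit of the mitigation in the last sentence, as an added example that is not from the article or from VMware: it assumes the ESXi shell, the `slpd` service and the `CIMSLP` firewall ruleset that VMware's documented workaround disables, and a constructed sample of the command output for offline runs.

```shell
#!/bin/sh
# Added example: audit whether an ESXi host still exposes the OpenSLP service
# (port 427) targeted by CVE-2021-21974. Not from the article or from VMware.
# Assumes the ESXi shell and the service/ruleset names "slpd" and "CIMSLP".

# Given the text of `esxcli network firewall ruleset list`, print "true"/"false"
# for the CIMSLP ruleset (the firewall rule that opens port 427).
cimslp_enabled() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# Given the text of `chkconfig --list`, print "on"/"off" for slpd start-on-boot.
slpd_startup() {
    printf '%s\n' "$1" | awk '$1 == "slpd" { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# Combine both checks: return success (0) when the host is still exposed,
# i.e. the firewall rule is open or the daemon is configured to start on boot.
slp_exposed() {
    [ "$(cimslp_enabled "$1")" = "true" ] || [ "$(slpd_startup "$2")" = "on" ]
}

if command -v esxcli >/dev/null 2>&1; then
    # Real host: collect the live state.
    RULESETS=$(esxcli network firewall ruleset list)
    SERVICES=$(chkconfig --list)
else
    # Constructed sample output for offline use (column layout assumed from ESXi 7.x).
    RULESETS='Name                   Enabled
---------------------  -------
sshServer              true
CIMSLP                 true'
    SERVICES='ntpd            off
slpd            on
sshd            on'
fi

if slp_exposed "$RULESETS" "$SERVICES"; then
    echo "OpenSLP still reachable: run /etc/init.d/slpd stop; esxcli network firewall ruleset set -r CIMSLP -e 0; chkconfig slpd off"
else
    echo "OpenSLP disabled"
fi
```

Patching to a fixed ESXi build remains the actual fix; this script only confirms that the interim workaround (stopping slpd, closing the CIMSLP ruleset and disabling slpd at boot) is in place.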