Tue | Feb 7, 2023 | 3:38 PM PST

VMware has recently issued a warning to its customers to install the latest security updates and disable the OpenSLP service on their ESXi servers. This warning comes after a large-scale campaign of ransomware attacks targeted internet-exposed and vulnerable ESXi servers.

According to VMware, the attackers are not exploiting a Zero-Day vulnerability, and this service is disabled by default in ESXi software releases that were issued after 2021. The attackers are targeting products that are "significantly out-of-date" or have already reached their End of General Support (EOGS).

The recent ransomware attacks on VMware ESXi servers have been dubbed "ESXiArgs." This malware has been used to encrypt .vmxf, .vmx, .vmdk, .vmsd, and .nvra files on compromised ESXi servers, and deploy ransom notes named "ransom.html" and "How to Restore Your Files.html." Data from Censys shows that over 2,400 servers have already been impacted by these attacks.

Security researchers have analyzed a copy of the ESXiArgs encryptor and found that it is a secure encryptor with no cryptography bugs that would allow decryption. However, security researcher Enes Sonmez has shared a guide that may allow VMware admins who have been affected by these attacks to rebuild their virtual machines and recover their data for free.

VMware has advised its customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. The company has also recommended disabling the OpenSLP service in ESXi.

Data from GreyNoise shows that 19 unique IP addresses have been attempting to exploit the ESXi vulnerability since February 4, 2023, with 18 of the 19 IP addresses being classified as benign.

Rapid7 researcher Caitlin Condon, who spoke with The Hacker News, has advised ESXi customers to ensure their data is backed up and to update their ESXi installations to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur. Condon also recommended that ESXi instances should not be exposed to the internet, if possible.

See the statement from VMware, VMware Security Response Center (vSRC) Response to ‘ESXiArgs’ Ransomware Attacks, for more information.

Subscribe to SecureWorld News for more stories related to cybersecurity.

Comments