Inscrivez-vous maintenant pour un meilleur devis personnalisé!

VMware warns of ransomware attacks on unpatched ESXi hypervisors

07 fév. 2023 Hi-network.com
Image: Getty Images/Morsa Images

Hypervisor maker VMware has warned that attackers are using previously disclosed vulnerabilities in its ESXi hypervisor and components to deploy ransomware. 

The company believes the vulnerabilities being exploited are not zero-day flaws, meaning the attackers are exploiting previously discovered bugs in the hypervisor. In other words, the attacks exploit instances of the hypervisor that have not been updated or are no longer supported. 

Also: Cloud computing dominates. But security is now the biggest challenge

"We wanted to address the recently reported 'ESXiArgs' ransomware attacks as well as provide some guidance on actions concerned customers should take to protect themselves," VMware's security response center said on Monday.

"VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks." 

Security

  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

The company notes that most reports state attacked instances have reached end of support or are significantly out-of-date products. 

It's reiterating a workaround it gave in December for customers to disable the SLP Service on VMware ESXi after OpenSLP vulnerabilities affecting ESXi were disclosed.    

France's computer emergency response team (CERT) last week warned that it became aware of attack campaigns targeting ESXi hypervisors to deploy ransomware on February 3. The SLP service appeared to have been targeted and allows a remote attacker to run code of their choice on the vulnerable server. It also notes that exploit code has been publicly available since at least May 2021. 

CERT France strongly recommends admins isolate an affected server, reinstall the hypervisor, apply all patches, disable unnecessary services like SLP, and block access to admin services through a firewall. 

Specifically, it recommends the following courses of action: 

  • Isolate the affected server
  • Carry out an analysis of the systems in order to detect any sign of compromise 
  • Reinstall the hypervisor in a version supported by the publisher (ESXi 7.x or ESXi 8.x)
  • Apply all security patches and follow future vendor security advisories
  • Disable unnecessary services on the hypervisor
  • Block access to the various administration services, either through a dedicated firewall or through the firewall integrated into the hypervisor, and implement a local administration network as well as a remote administration capability if it is required 

BleepingComputer reports that attackers behind ESXiArgs ransomware use it to encrypt .vmxf, .vmx, .vmdk, .vmsd, and .nvra files on compromised ESXi servers. 

Cloud

?What is digital transformation? Everything you need to knowThe best cloud providers compared: AWS, Azure, Google Cloud, and moreThe top 6 cheap web hosting services: Find an affordable optionWhat is cloud computing? Here's everything you need to know
  • ?What is digital transformation? Everything you need to know
  • The best cloud providers compared: AWS, Azure, Google Cloud, and more
  • The top 6 cheap web hosting services: Find an affordable option
  • What is cloud computing? Here's everything you need to know

tag-icon Tags chauds: technologie La sécurité

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.