
Global Ransomware Hacker Attack: the consequences in Italy

by admin

The Italian National Cybersecurity Agency (ACN), through its CSIRT, has warned about the consequences of a ransomware campaign that system administrators, hosting providers and the French computer emergency response team (CERT-FR) had already reported: attackers are actively targeting unpatched VMware ESXi servers, exploiting a two-year-old remote code execution vulnerability to deploy a new ransomware family known as ESXiArgs.

Ransomware Hacker Attack

As stated in the bulletin released by the CSIRT, the estimated impact of the vulnerability on the reference community is high/orange. The agency reports having "detected the massive active exploitation on the network of the CVE-2021-21974 vulnerability, already remedied in February 2021, present in VMware ESXi products."

The flaw is a heap overflow in the OpenSLP service that ESXi exposes on port 427. It can be triggered by an unauthenticated attacker with network access to that port and allows arbitrary code execution (RCE) on the hypervisor itself, with low attack complexity. VMware fixed it in February 2021 (advisory VMSA-2021-0002) and also documented a workaround for hosts that cannot be patched immediately: disabling the SLP service (KB 76372).

VMware's virtualization platform is among the most widely used in business and underpins many infrastructures. Compromising the hypervisor therefore puts every virtual machine it hosts at risk at once, including systems of the public administration, banking services and related services such as hospitals and local health authorities.

The campaign has therefore knocked out many sites and servers based on VMware ESXi. Ransomware of this type renders files inaccessible by encrypting them; here the targets are the virtual machine files stored on the hypervisor's datastores. This is exactly what happened to many Italian companies, as elsewhere in the world, with the attackers then demanding a ransom. Although a patch has been available for two years, the concern is for the services mentioned above that still run unpatched hosts.


ESXiArgs Ransomware details and fixes

The threat is named ESXiArgs after the .args companion file the encryptor writes next to each file it encrypts. Worse, the consequences go beyond encryption: an unauthenticated remote code execution on the hypervisor lets the attacker run arbitrary code, access the data on the host and, in practice, take full control of the system and of every virtual machine running on it.


Once the server has been compromised, the ransomware drops a set of files in the /tmp directory: the encryptor binary (encrypt), a shell script that prepares the host and launches it (encrypt.sh), an RSA public key (public.pem) and the ransom note in two formats (motd, shown at login, and index.html, which replaces the web interface page).

Despite this, the attack can be defended against and, to some extent, recovered from. The encryptor fully encrypts only small files; in large files such as the flat .vmdk virtual disks it encrypts only scattered portions, leaving most of the data intact, which is why experts say that in many cases the virtual machines can be rebuilt even without the decryption key. As a preventive measure, apply the patch that has been available since February 2021, and disable the SLP service on hosts where it is not needed. Many industry experts note that the damage could have been avoided or limited, since the campaign relies on an old, already fixed vulnerability.
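As an added example (not code from the article, the CSIRT or VMware), the following POSIX shell helper turns the indicators described above into a triage script an administrator could run on an ESXi host: it counts the reported dropper files in a directory, counts .args companion files under a datastore path, checks whether OpenSLP is still exposed, and wraps the SLP workaround from VMware KB 76372. The dropped-file names are the publicly reported ones; the ESXi-specific commands (esxcli, /etc/init.d/slpd, chkconfig) are assumed to exist only on an ESXi host, and the check functions take a directory argument so they can be tried against a constructed test directory rather than a live /tmp.

```shell
#!/bin/sh
# Added example, not code from the article or from VMware: POSIX-sh triage helper
# for an ESXi host suspected of ESXiArgs exposure or compromise.
# Assumptions: the dropped-file names below are the ones publicly reported for
# the campaign; the ESXi commands used in slp_exposed/disable_slp follow
# VMware KB 76372 and exist only on an ESXi host (busybox ash is POSIX enough).

# Files the ESXiArgs deployment script was reported to drop in /tmp.
ESXIARGS_TMP_FILES="encrypt encrypt.sh public.pem motd index.html"

# count_tmp_indicators DIR: print how many of the known dropped files exist in DIR.
count_tmp_indicators() {
    _dir=$1
    _n=0
    for _f in $ESXIARGS_TMP_FILES; do
        if [ -f "$_dir/$_f" ]; then
            _n=$((_n + 1))
        fi
    done
    echo "$_n"
}

# count_args_files DIR: print how many ".args" companion files exist below DIR.
# The encryptor writes one next to every file it encrypts, so any hit on a
# datastore path (e.g. /vmfs/volumes) is a strong sign of encryption activity.
count_args_files() {
    find "$1" -type f -name '*.args' 2>/dev/null | wc -l | tr -d ' '
}

# slp_exposed: succeed (exit 0) if the OpenSLP daemon is running or its firewall
# ruleset is enabled. On a non-ESXi machine both checks are skipped and it fails.
slp_exposed() {
    if [ -x /etc/init.d/slpd ] && /etc/init.d/slpd status 2>/dev/null | grep -q running; then
        return 0
    fi
    if command -v esxcli >/dev/null 2>&1 &&
       esxcli network firewall ruleset list 2>/dev/null | grep -q 'CIMSLP  *true'; then
        return 0
    fi
    return 1
}

# disable_slp: the VMware-documented workaround (KB 76372) for hosts that cannot
# be patched right away: stop slpd, close its firewall rule (port 427) and keep
# the service off across reboots. ESXi only; never called by the checks above.
disable_slp() {
    /etc/init.d/slpd stop &&
    esxcli network firewall ruleset set -r CIMSLP -e 0 &&
    chkconfig slpd off
}

# triage DIR: print findings for DIR and for the SLP service; exit 0 when nothing
# was found, 1 when at least one indicator is present.
triage() {
    _d=${1:-/tmp}
    _hits=0
    _t=$(count_tmp_indicators "$_d")
    _a=$(count_args_files "$_d")
    if [ "$_t" -gt 0 ]; then
        echo "WARN: $_t ESXiArgs dropper file(s) present in $_d"
        _hits=1
    fi
    if [ "$_a" -gt 0 ]; then
        echo "WARN: $_a .args companion file(s) found under $_d"
        _hits=1
    fi
    if slp_exposed; then
        echo "WARN: OpenSLP is reachable; patch (VMSA-2021-0002) or run disable_slp"
        _hits=1
    fi
    if [ "$_hits" -eq 0 ]; then
        echo "OK: no ESXiArgs indicators under $_d"
    fi
    return "$_hits"
}

# Usage on a host:  sh esxiargs_triage.sh /tmp   and   sh esxiargs_triage.sh /vmfs/volumes
if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

Run it once against /tmp for the dropper files and once against /vmfs/volumes for .args files; a non-zero exit status from triage means at least one indicator was found. The SLP check only produces a finding on an ESXi host, and disable_slp is left as a separate function so that it is applied deliberately, after patching has been ruled out for the moment.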
