On Sunday 5 February 2023, while citizens across Italy were complaining of a major outage on the TIM national fixed network, a press release arrived from the National Cybersecurity Agency (ACN) with the alarming title “A massive ransomware attack was recorded through infection of VMware systems.” Within minutes, IT managers of companies were on the phone asking what was happening and whether they were really in danger.
A premise is necessary: the two events are not connected in any way. It is worth clarifying this, because so many are asking at a moment when chaos reigns.
The press release takes up an earlier alert issued by the French CERT, the body responsible for the country's cyber defence, which warned of ongoing ransomware attacks, initially against French systems, but widespread across Europe and worldwide. The peculiarity of these attacks is the exploitation of a vulnerability, identified as CVE-2021-21974, present in VMware ESXi virtualization systems.
This flaw was fixed by the manufacturer as early as 2021; the company has also provided guidance on how to mitigate the risk of attacks through a workaround procedure for those who, for some reason, are unable to apply the update promptly.
Another necessary premise is that these systems are extremely popular in every sector; however, they should not be exposed online. We therefore have two fundamental aspects of this campaign: the affected systems have not been updated for at least two years, have not applied any workaround procedure and, above all, should not have been exposed on the Internet.
The National Cybersecurity Agency correctly issued an alert after also contacting several Italian organizations that exposed vulnerable systems on the internet.
However, the title of the release and one passage in it have drawn criticism from many experts. The offending passage is the following, which speaks of a massive attack: “The Computer Security Incident Response Team Italy (Csirt-IT) of the National Cybersecurity Agency, ACN, has detected a massive attack using an already circulating ransomware targeting VMware ESXi servers.”
According to many national experts I interviewed, and based on my own analysis, the affected systems number just over a dozen. Why, then, use the term “massive”?
Is it plausible that there are systems of which, for some reason, we have no visibility and which have been exposed with such carelessness?
Why are these systems not visible to the international expert community? Are they sensitive systems? And if so, why would they be managed in such an amateurish way?
Another possibility is that excessive prominence has been given to a threat far less dangerous than imagined.
Unfortunately, flaws like the one targeted by these attacks are very common, even in VMware systems themselves, and in recent months we have observed several campaigns that affected not dozens of systems but hundreds of thousands of servers and devices worldwide.
So what to do?
It is important to configure the target systems properly, updating them and not exposing them to the Internet. Not only that: it is also necessary to update the plethora of systems of which we have no visibility and which are present within the networks of Italian companies. Once an attacker has breached a network, he could find himself in front of these vulnerable systems and, from there, carry out a wide range of malicious activities by exploiting a flaw such as CVE-2021-21974.
In summary, it is essential to maintain a high level of alert, also in light of the current geopolitical situation, but without letting ourselves be carried away by unnecessary and unjustified alarmism at this stage.