Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks

by | Feb 2, 2021

VMWare ESXi vulnerabilities

Post Views: 4,106

style="display:block" data-ad-client="ca-pub-6620833063853657" data-ad-slot="8337846400" data-ad-format="auto" data-full-width-responsive="true">
 
 
 

 

 

Reading Time: 1 Minute

 

 

Two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, reported as abused in the wild.

 

 

 
  

 

At least one major ransomware gang is abusing vulnerabilities in the VMWare ESXi product to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives.

The attacksfirst seen last October, have been linked to intrusions carried out by a criminal group that deployed the RansomExx ransomware.

According to multiple security researchers who spoke with ZDNet, evidence suggests the attackers used CVE-2019-5544 and CVE-2020-3992, two vulnerabilities in VMware ESXi, a hypervisor solution that allows multiple virtual machines to share the same hard drive storage.

Both bugs impact the Service Location Protocol (SLP), a protocol used by devices on the same network to discover each other; also included with ESXi.

 
See Also: Google Discloses Severe Bug in Libgcrypt Encryption Library—Impacting Many Projects

 

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

 

 

The vulnerabilities allow an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it, even if the attacker has not managed to compromise the VMWare vCenter server to which the ESXi instances usually report to.

In attacks that have taken place last year, the RansomExx gang has been seen gaining access to a device on a corporate network and abusing this initial entry point to attack local ESXi instances and encrypt their virtual hard disks, used to store data from across virtual machines, causing massive disruptions to companies, as ESXi virtual disks are usually used to centralize data from multiple other systems.

Reports of these attacks have beendocumented on Redditshared on Twitterpresented at a security conference last month, and confirmed in interviews with ZDNet over the past two months.

 

 

See Also: Offensive Security Tool: JTR – John the Ripper

 

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

 

 

For now, only the RansomExx (also known as Defray777) gang has been seen abusing this trick, but in a mysterious update last month, the operator of the Babuk Locker ransomware has also announced an eerily similar feature —although successful attacks have not yet been confirmed.

 

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

 

See Also:SolarWinds Supply Chain Hack – The hack that shone a light on the gaps in the cybersecurity of governments and big companies

 

 

 

System administrators at companies that rely on VMWare ESXi to manage the storage space used by their virtual machines are advised to either apply the necessary ESXi patches or disable SLP support to prevent attacks if the protocol isn’t needed.

 
 

 

 

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

 

 

Source: www.zdnet.com

 

 

 
(Click Link)

 

 

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This