Hackers are mass infecting servers worldwide by exploiting a patched hole
source link: https://arstechnica.com/information-technology/2023/02/hackers-are-mass-infecting-servers-worldwide-by-exploiting-a-patched-hole/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
ONGOING ATTACK CAMPAIGN —
Hackers are mass infecting servers worldwide by exploiting a patched hole
Servers running unpatched versions of ESXi are sitting ducks for ESXiArgs attacks.
Dan Goodin - 2/6/2023, 9:32 PM
An explosion of cyberattacks is infecting servers around the world with crippling ransomware by exploiting a vulnerability that was patched two years ago, it was widely reported on Monday.
The hacks exploit a flaw in ESXi, a hypervisor VMware sells to cloud hosts and other large-scale enterprises to consolidate their hardware resources. ESXi is what’s known as a bare-metal, or Type 1, hypervisor, meaning it’s essentially its own operating system that runs directly on server hardware. By contrast, servers running the more familiar Type 2 class of hypervisors, such as Oracle’s VirtualBox, run as apps on top of a host operating system. The Type 2 hypervisors then run virtual machines that host their own guest OSes, such as Windows, Linux, or, less commonly, macOS.
Enter ESXiArgs
Advisories published recently by computer emergency response teams (CERT) in France, Italy, and Austria report a “massive” campaign that began no later than Friday and has gained momentum since then. Citing results of a search on Census, CERT officials in Austria, said that as of Sunday, there were more than 3,200 infected servers, including eight in that country.
“Since ESXi servers provide a large number of systems as virtual machines (VM), a multiple of this number of affected individual systems can be expected,” the officials wrote.
The vulnerability being exploited to infect the servers is CVE-2021-21974, which stems from a heap-based buffer overflow in OpenSLP, an open network-discovery standard that’s incorporated into ESXi. When VMware patched the vulnerability in February 2021, the company warned it could be exploited by a malicious actor with access to the same network segment over port 427. The vulnerability had a severity rating of 8.8 out of a possible 10. Proof-of-concept exploit code and instructions for using it became available a few months later.
AdvertisementOver the weekend, French cloud host OVH said that it doesn’t have the ability to patch the vulnerable servers set up by its customers.
“ESXi OS can only be installed on bare metal servers,” wrote Julien Levrard, OVH’s chief information security officer. “We launched several initiatives to identify vulnerable servers, based on our automation logs to detect ESXI installation by our customers. We have limited means of action since we have no logical access to our customer servers.”
In the meantime, the company has blocked access to port 427 and is also notifying all customers it identifies as running vulnerable servers.
Levrard said the ransomware installed in the attacks encrypts virtual machine files, including those ending in .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem. The malware then tries to unlock the files by terminating a process known as VMX. The function isn’t working as its developers intended, resulting in the files remaining locked.
Researchers have dubbed the campaign and the ransomware behind it ESXiArgs, because the malware creates an additional file with the extension “.args” after encrypting a document. The .args file stores data used to decrypt encrypted data.
Researchers from the YoreGroup Tech Team, Enes Sonmez and Ahmet Aykac, reported that the encryption process for ESXiArgs can make mistakes that allow victims to restore encrypted data. OVH’s Levrard said his team tested the restoration process the researchers described and found it successful in about two-thirds of the attempts.
Anyone who relies on ESXi should stop whatever they’re doing and check to ensure patches for CVE-2021-21974 have been installed. The above-linked advisories also provide more guidance for locking down servers that use this hypervisor.
Recommend
-
57
Exploiting Jolokia Agent with Java EE Servers
-
10
A hacking group has installed crypto mining malware into a company server through a weakness in Salt, a popular infrastructure tool used by the likes of IBM, LinkedIn and eBay. Blogging platform Ghost said Sunday...
-
5
SOMEONE'S KNOCKING ON THE DOOR — Hackers are exploiting a backdoor built into Zyxel devices. Are you patched? Recently discovered account with admin rights is hardcoded into multiple devic...
-
8
PULSE SECURE — Hackers are exploiting a Pulse Secure 0-day to breach orgs around the world Exploits allow state-backed hackers to bypass 2FA and breach defense contractors....
-
6
WordPress websites are more vulnerable to exploits Fancy Product Designer, a WordPress plugin used on over 17,000 websites, contains a critical file upload vulnerability that is currently being
-
8
Hackers Are Getting Caught Exploiting New Bugs More Than EverA pair of reports from Mandiant and Google found a spike in exploited zero-day vulnerabilities in 2021. The question is, why?
-
5
Exploiting the exploits — Hackers are exploiting 0-days more than ever Mandiant and Google both reported a spike in 0-day bugs in 2021.
-
4
Meta announces mass layoff of more than 11,000 employees worldwide...
-
6
'Mylobot' botnet infecting 50,000 devices per day worldwide...
-
7
THIS IS NOT A DRILL — Mass exploitation of Ivanti VPNs is infecting networks around the globe Orgs that haven't acted yet should, even if it means suspending VPN services.
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK