{"id":413,"date":"2024-04-17T21:11:10","date_gmt":"2024-04-17T21:11:10","guid":{"rendered":"https:\/\/amaru.co.nz\/fj\/?post_type=threat-intelligence&#038;p=413"},"modified":"2024-04-23T16:20:41","modified_gmt":"2024-04-23T16:20:41","slug":"security-advisory-active-exploitation-of-unpatched-vmware-esxi-servers","status":"publish","type":"threat-intelligence","link":"https:\/\/amaru.co.nz\/fj\/blog\/threat-intelligence\/security-advisory-active-exploitation-of-unpatched-vmware-esxi-servers\/","title":{"rendered":"[Security Advisory]\u202fActive Exploitation of Unpatched VMware ESXi Servers"},"content":{"rendered":"<p>Amaru\u2019s MDR is aware of an active ransomware campaign targeting unpatched VMware ESXi hosts facing the public internet. On February 3rd, 2023 the French National CERT first reported a threat actor campaign targeting VMware ESXi hypervisors with the aim of deploying ransomware. The initial access vector is CVE-2021-21974, a vulnerability that allows an attacker to remotely execute arbitrary code.<\/p>\n<p>A patch for CVE-2021-21974 has been available since February 23, 2021. CVE-2021-21974 affects the following ESXi versions:<br \/>\n\u2022 ESXi 7.x versions earlier than ESXi70U1c-17325551<br \/>\n\u2022 ESXi versions 6.7.x earlier than ESXi670-202102401-SG<br \/>\n\u2022 ESXi versions 6.5.x earlier than ESXi650-202102101-SG<\/p>\n<p>\/\/ What you should do<\/p>\n<p>Ensure that all patches available for ESXi hypervisors have been applied.<\/p>\n<p>\/\/ What Amaru MDR (Managed Detection and Response) is doing<\/p>\n<p>For customers subscribed to our MDR service, we are continuing to perform threat hunts to identify potential indicators of related suspicious activity and for signs of post-exploitation tactics. We will notify you should any suspicious or malicious behaviour is observed in your estates.<\/p>\n<p>Amaru MDR is continuing to monitor private and public threat intelligence.<\/p>\n<p>\/\/ References<\/p>\n<p>CERT-FR<br \/>\nhttps:\/\/www.cert.ssi.gouv.fr\/alerte\/CERTFR-2023-ALE-015\/<\/p>\n<p>VMWare<br \/>\nhttps:\/\/www.vmware.com\/security\/advisories\/VMSA-2021-0002.html<\/p>\n","protected":false},"featured_media":416,"template":"","class_list":["post-413","threat-intelligence","type-threat-intelligence","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/threat-intelligence\/413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/threat-intelligence"}],"about":[{"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/types\/threat-intelligence"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/media\/416"}],"wp:attachment":[{"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/media?parent=413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}