Amaru's MDR is aware of an active ransomware campaign targeting unpatched, internet-facing VMware ESXi hosts. On February 3rd, 2023 the French National CERT (CERT-FR) first reported a threat actor campaign targeting VMware ESXi hypervisors with the aim of deploying ransomware. The initial access vector is CVE-2021-21974, a vulnerability that allows an attacker to remotely execute arbitrary code.
A patch for CVE-2021-21974 has been available since February 23, 2021. CVE-2021-21974 affects the following ESXi versions:
• ESXi versions 7.x earlier than ESXi70U1c-17325551
• ESXi versions 6.7.x earlier than ESXi670-202102401-SG
• ESXi versions 6.5.x earlier than ESXi650-202102101-SG
// What you should do
Ensure that all patches available for ESXi hypervisors have been applied.
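The check below is an added example and is not Amaru's or VMware's code. It parses the key/value output of `esxcli system version get` and compares the host's build number against the fixed builds listed above. Only the 7.x fixed build (17325551, taken from the patch name ESXi70U1c-17325551) is known from this advisory; the 6.7 and 6.5 build numbers are left as placeholders to be filled in from VMSA-2021-0002. All sample outputs are constructed, not captured from real hosts.

```python
import re

# Fixed builds per VMSA-2021-0002 for CVE-2021-21974.
# 7.0: build number taken from the patch name ESXi70U1c-17325551 (on the advisory).
# 6.7 / 6.5: build numbers are NOT on the advisory; None is a placeholder to be
#            filled in from VMSA-2021-0002 (ESXi670-202102401-SG, ESXi650-202102101-SG).
FIXED_BUILDS = {
    "7.0": 17325551,   # ESXi70U1c-17325551
    "6.7": None,       # ESXi670-202102401-SG  (placeholder: fill in from VMSA-2021-0002)
    "6.5": None,       # ESXi650-202102101-SG  (placeholder: fill in from VMSA-2021-0002)
}


def parse_esxcli_version(output: str) -> dict:
    """Parse the 'Key: value' lines printed by `esxcli system version get`."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def build_number(build_field: str) -> int:
    """Extract the numeric build from a field such as 'Releasebuild-17325551'."""
    m = re.search(r"(\d+)", build_field or "")
    if not m:
        raise ValueError(f"unrecognised Build field: {build_field!r}")
    return int(m.group(1))


def assess_host(output: str) -> tuple:
    """Return (status, detail) where status is one of
    'vulnerable', 'patched', 'unknown', 'out-of-scope'.

    The comparison is deliberately conservative: any build numerically lower
    than the fixed build is reported as vulnerable.
    """
    fields = parse_esxcli_version(output)
    version = fields.get("Version", "")
    branch = ".".join(version.split(".")[:2])  # "7.0.1" -> "7.0", "6.7.0" -> "6.7"
    if branch not in FIXED_BUILDS:
        return ("out-of-scope", f"ESXi {version or '?'} is not listed in the advisory")
    try:
        build = build_number(fields.get("Build"))
    except ValueError as exc:
        return ("unknown", str(exc))
    fixed = FIXED_BUILDS[branch]
    if fixed is None:
        return ("unknown",
                f"fixed build for ESXi {branch} not configured; host build {build}")
    if build < fixed:
        return ("vulnerable",
                f"ESXi {version} build {build} is older than fixed build {fixed}")
    return ("patched", f"ESXi {version} build {build} >= fixed build {fixed}")


# Constructed sample outputs in the shape of `esxcli system version get`.
SAMPLE_OLD_70 = """\
   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17100000
   Update: 1
   Patch: 20
"""
SAMPLE_NEW_70 = """\
   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17325551
   Update: 1
   Patch: 25
"""
SAMPLE_67 = """\
   Product: VMware ESXi
   Version: 6.7.0
   Build: Releasebuild-17000000
   Update: 3
   Patch: 100
"""
SAMPLE_80 = """\
   Product: VMware ESXi
   Version: 8.0.0
   Build: Releasebuild-20000000
   Update: 0
   Patch: 0
"""

if __name__ == "__main__":
    for name, sample in [("old-7.0", SAMPLE_OLD_70), ("new-7.0", SAMPLE_NEW_70),
                         ("6.7", SAMPLE_67), ("8.0", SAMPLE_80)]:
        status, detail = assess_host(sample)
        print(f"{name:8} {status:13} {detail}")
```

Run `esxcli system version get` on each host (or collect it centrally) and feed the text to `assess_host`. A result of `unknown` for 6.7 or 6.5 hosts simply means the placeholder build has not been filled in yet; `out-of-scope` covers branches the advisory does not list and should still be checked against the vendor's current patch guidance.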
// What Amaru MDR (Managed Detection and Response) is doing
For customers subscribed to our MDR service, we are continuing to perform threat hunts to identify potential indicators of related suspicious activity and signs of post-exploitation tactics. We will notify you should any suspicious or malicious behaviour be observed in your estates.
Amaru MDR is continuing to monitor private and public threat intelligence.
// References
CERT-FR
https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/
VMware
https://www.vmware.com/security/advisories/VMSA-2021-0002.html