Ransomware attacks target VMware ESXi servers - action is urgently recommended!
Ransomware attacks target VMware ESXi servers - action is urgently recommended!
(PL) Via the internet platform Bleeping Computer (link Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide (bleepingcomputer.com) ) have reported an increasing number of ransomware attacks affecting VMware ESXi servers since 3 February. This affects servers that have not been patched against a vulnerability for remote code execution that has been known for 2 years. This vulnerability allows attackers to install a new ESXiArgs ransomware. This makes it possible to encrypt the data stored on the servers. The attackers then demand a ransom payment for decryption, a technique frequently used in the field of cybercrime
The German Federal Office for Information Security has now declared the second-highest threat level "3/Orange". The severity level is rated at 8.8 points in the Common Vulnerability Scoring System (CVSS). G Data reported attacks via the Nevada ransomware. Alongside France, the USA and Canada, Germany is considered the main target. It is not yet known which hacker group is behind the attack or whether it is a well-networked individual perpetrator.
We recommend that administrators immediately close the security gap with the update provided by VMware 2021. Until the update is completed, you should deactivate the Location Protocol (SLP). In the event that your system has already been accessed, we recommend that you do not respond to such a ransom demand under any circumstances. Report the attack to the authorities immediately and contact our IT security specialists. We will be happy to help you deal with cyberattacks and also help you to be prepared against attacks of this kind.
The most important facts at a glance:
Who is affected? Users of VMware ESXi servers. The affected system versions are 6.5.x, 6.7.x and 7.x
For information on the affected vulnerability, click here: VMSA-2021-0002 (vmware.com)
BSI threat level: 3/Orange
Type of attack: Server encryption via ransomware
Attacker: Unknown
Ransomware: Nevada
To Do: Close the security gap with an update. All information can be found here: How to Disable/Enable the SLP Service on VMware ESXi (76372) )
As a workaround until then, it is recommended that administrators disable the "Location Protocol (SLP)" service on ESXi hypervisors.
