Skip to the content.

DIVD-2023-00007 - Global VMware ESXi Ransomware Attack

Our reference DIVD-2023-00007
Case lead Ralph Horn
Author Max van der Horst
Researcher(s)
CVE(s)
Product VMware ESXi
Versions
  • ESXi 7.x prior to ESXi70U1c-17325551
  • ESXi 6.7.x prior to ESXi670-202102401-SG
  • ESXi 6.5.x prior to ESXi650-202102101-SG
  • ESXi version 6.4.x and earlier
  • ESXI 5.x
Recommendation Upgrade your ESXi server to the fixed versions ESXi70U1c-17325551 (7.0), ESXi670-202102401-SG (6.7) or ESXi650-202102101-SG (6.5).
Status Closed
Last modified 18 Apr 2023 12:00

Summary

On February 3rd, DIVD became aware of an ongoing global ransomware attack using VMware ESXi servers vulnerable to CVE-2021-21974. This vulnerability is caused by a heap overflow issue in the OpenSLP service that can be exploited by an unauthenticated threat actor. The attack primarily seems to be taking place through the OpenSLP port, which is TCP or UDP port 427.

What you can do

Update your ESXi hypervisor to one of the mentioned patched versions as soon as possible.

What we are doing

DIVD is currently gathering data and scanning to identify systems (potentially) vulnerable to CVE-2021-21974, which are potential targets for this ransomware attack. The parties responsible for ip space containing servers found to be vulnerable to CVE-2021-21974 will receive notification with instructions on how to resolve this issue.

Timeline

Date Description
03 Feb 2023 DIVD takes notice of global attacks.
03 Feb 2023 DIVD starts cooperation with NCSC-NL.
04 Feb 2023 DIVD starts scanning for first targetlist.
06 Feb 2023 DIVD sends out first round of notifications.
07 Mar 2023 Spreading of malware seems to be over, DIVD monitors the situation.
18 Apr 2023 Case closed.
gantt title DIVD-2023-00007 - Global VMware ESXi Ransomware Attack dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00007 - Global VMware ESXi Ransomware Attack (74 days) :2023-02-03, 2023-04-18 section Events DIVD takes notice of global attacks. : milestone, 2023-02-03, 0d DIVD starts cooperation with NCSC-NL. : milestone, 2023-02-03, 0d DIVD starts scanning for first targetlist. : milestone, 2023-02-04, 0d DIVD sends out first round of notifications. : milestone, 2023-02-06, 0d Spreading of malware seems to be over, DIVD monitors the situation. : milestone, 2023-03-07, 0d Case closed. : milestone, 2023-04-18, 0d

More information