DIVD-2023-00007 - Global VMware ESXi Ransomware Attack
| Our reference | DIVD-2023-00007 |
| Case lead | Ralph Horn |
| Author | Max van der Horst |
| Researcher(s) | |
| CVE(s) | |
| Product | VMware ESXi |
| Versions |
|
| Recommendation | Upgrade your ESXi server to the fixed versions ESXi70U1c-17325551 (7.0), ESXi670-202102401-SG (6.7) or ESXi650-202102101-SG (6.5). |
| Status | Closed |
| Last modified | 18 Apr 2023 12:00 CEST |
Summary
On February 3rd, DIVD became aware of an ongoing global ransomware attack using VMware ESXi servers vulnerable to CVE-2021-21974. This vulnerability is caused by a heap overflow issue in the OpenSLP service that can be exploited by an unauthenticated threat actor. The attack primarily seems to be taking place through the OpenSLP port, which is TCP or UDP port 427.
What you can do
Update your ESXi hypervisor to one of the mentioned patched versions as soon as possible.
What we are doing
DIVD is currently gathering data and scanning to identify systems (potentially) vulnerable to CVE-2021-21974, which are potential targets for this ransomware attack. The parties responsible for ip space containing servers found to be vulnerable to CVE-2021-21974 will receive notification with instructions on how to resolve this issue.
Timeline
| Date | Description |
|---|---|
| 03 Feb 2023 | DIVD takes notice of global attacks. |
| 03 Feb 2023 | DIVD starts cooperation with NCSC-NL. |
| 04 Feb 2023 | DIVD starts scanning for first targetlist. |
| 06 Feb 2023 | DIVD sends out first round of notifications. |
| 07 Mar 2023 | Spreading of malware seems to be over, DIVD monitors the situation. |
| 18 Apr 2023 | Case closed. |
More information
- CVE-2021-21974
- Bleeping Computer blog
- OVHcloud blog
- VMware Build Numbers for ESXi
- Known Indicators of Compromise