A massive automated ransomware campaign is targeting VMware ESXi hypervisors around the world, warns CERT-FR, the French government’s computer emergency readiness team that’s part of the National Cybersecurity Agency of France.
The attack exploits a heap-overflow vulnerability in VMware ESXi, tracked as CVE-2021-21974, that was patched in February 2021. The vulnerability affects the Service Location Protocol service and allows an attacker to remotely execute arbitrary code.
VMware’s ESXi is a hypervisor, meaning it’s designed to run virtual machines. VMware first issued a warning and patch for the flaw in February 2021, saying it was discovered and reported by Mikhail Klyuchnikov of Moscow-based security firm Positive Technologies.
VMware designated the vulnerability as “critical,” meaning it could be used by attackers to remotely execute any code they wanted on a vulnerable system and take full control of it.
“On February 3, 2023, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them. The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7,” according to CERT-FR.