Alert essentials:
Thousands of VMware ESXi servers in Italy and other countries were targeted in a global ransomware campaign. CVE-2021-21974 was patched in 2021, yet servers that never received the patch were used as the entry point into networks in this attack.
Detailed threat description:
VMware ESXi hypervisors run virtual machines and are found in many network environments. On Friday, February 3rd, a global ransomware campaign began attacking ESXi servers through CVE-2021-21974. A patch for this remote code execution vulnerability has been available for two years, yet thousands of unpatched servers were recently infected. ESXiArgs is a widespread ransomware campaign affecting Italy, Germany, and the U.S. Possibly tied to other strains of ransomware, ESXiArgs is ongoing, and it is highly advised to update ESXi servers to the most recent version as soon as possible. Fortified VTM clients can search for this vulnerability within their networks using plugin ID 146827 in the dashboard.
Impacts on healthcare organizations
This campaign spreads ransomware, and all mission-critical systems could be impacted or rendered unavailable in the event of an attack and further proliferation within a victim's network.
Many healthcare organizations employ ESXi systems, so the potential for impact is substantial. While some victims may suffer limited impact, that is usually not the case. Ransomware often propagates automatically to numerous systems on a network, which raises concerns beyond the systems hosted in an ESXi environment. The impacts can be as minimal as affecting a few systems or services, or as significant as rendering much of a network inaccessible or inoperable.
Affected products / versions
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
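To make the version list above actionable, the following is an added Python example (not Fortified's tooling) that classifies a host from the output of `esxcli system version get`. It assumes that command's "Key: value" output format; the 7.0 fixed build comes from the patch name listed above, while the 6.7 and 6.5 lines are identified above only by patch bundle ID, so their build numbers are left as labelled placeholders.

```python
import re

# Minimum fixed build per affected release line. 7.0 comes from the advisory's
# patch name (ESXi70U1c-17325551); 6.7 and 6.5 are listed above only by bundle
# ID, so their builds are None placeholders to fill in from VMware release notes.
FIXED_BUILDS = {
    "7.0": 17325551,
    "6.7": None,  # ESXi670-202102401-SG
    "6.5": None,  # ESXi650-202102101-SG
}

_FIELD = re.compile(r"^\s*(Product|Version|Build|Update|Patch):\s*(.+?)\s*$")

# Constructed sample of `esxcli system version get` output (assumed
# "Key: value" format) from a 7.0 U1 host built before the fix.
SAMPLE_OUTPUT = """\
   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17168206
   Update: 1
   Patch: 25
"""

def parse_esxcli_version(text):
    """Return (version, build) from esxcli key/value output."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    if "Version" not in fields or "Build" not in fields:
        raise ValueError("esxcli output is missing Version or Build")
    build = re.search(r"(\d+)\s*$", fields["Build"])
    if build is None:
        raise ValueError("unrecognised Build field: %r" % fields["Build"])
    return fields["Version"], int(build.group(1))

def assess(version, build):
    """patched / vulnerable / verify (fixed build unknown) / out-of-scope."""
    line = ".".join(version.split(".")[:2])
    if line not in FIXED_BUILDS:
        return "out-of-scope"  # release line not in the affected list above
    fixed = FIXED_BUILDS[line]
    if fixed is None:
        return "verify"  # bundle ID known, build number still to confirm
    return "patched" if build >= fixed else "vulnerable"

def assess_esxcli_output(text):
    version, build = parse_esxcli_version(text)
    return version, build, assess(version, build)
```

A "verify" result means the host's release line is in scope but the fixed build number has not been filled in, so the host should be checked manually rather than treated as patched.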
CVEs
- CVE-2021-21974
IPs used by scanners during the attack
Recommendations
Engineering recommendations:
- Perform version upgrades to affected systems following appropriate testing
- Review the systems that interact with those hosted in an ESXi environment
- Ensure deployment of endpoint detection and response toolsets where able
- If unable, consider minimizing the impact through system and network segmentation as well as role-based access and network access controls
Leadership / Program recommendations:
- Given that ransomware remains attackers' persistent threat of choice, consider advanced response mechanisms such as Endpoint Detection and Response technologies
- Review IR plans and include a dedicated procedure and organizational preparedness for a ransomware event
- Review and understand system recovery capabilities and limitations in terms of Recovery Time and Recovery Point Objectives
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.