VMware servers around the world suffer an extensive targeted ransomware attack, the largest non-Windows ransomware cyberattack on record. Here’s what you need to know and do
What happened?
The French Computer Emergency Response Team and Italy’s national cybersecurity authority (ACN) officially warned organizations worldwide about a ransomware attack targeting thousands of VMware ESXi servers, exploiting a known vulnerability that was patched back in February 2021 (CVE-2021-21974).
Because these servers host and provide services to thousands of other servers, the impact appears to be widespread globally, affecting organizations in France, Finland, Italy, Canada and the US.
VMware described the weakness as an OpenSLP heap-overflow vulnerability that could lead to the execution of arbitrary code.
Who is affected?
Anyone running ESXi machines that are unpatched against CVE-2021-21974 and exposed to the internet on port 427.
CVE-2021-21974 affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
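An added example (not from the original article or from VMware): a small Python triage helper for the two conditions above, an unpatched build and a reachable port 427, to run against hosts you administer. It assumes the banner format printed by `vmware -v`; the function names and sample banners are hypothetical, and only the 7.x line is compared by build number because the page gives the 6.7 and 6.5 fixes as patch bulletin IDs.

```python
import re
import socket

# Fixed releases from the list above. Only the 7.x entry carries a build
# number; 6.7 and 6.5 are named by patch bulletin, so they are reported for
# manual verification instead of being compared numerically.
FIXED_BUILD = {"7.0": 17325551}
FIXED_BULLETIN = {"6.7": "ESXi670-202102401-SG", "6.5": "ESXi650-202102101-SG"}
BANNER_RE = re.compile(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)")


def patch_status(banner):
    """Classify a `vmware -v` banner against the affected-version list."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"
    line, build = m.group(1), int(m.group(2))
    if line in FIXED_BUILD:
        return "patched" if build >= FIXED_BUILD[line] else "affected"
    if line in FIXED_BULLETIN:
        return "verify " + FIXED_BULLETIN[line]
    return "not listed"


def slp_tcp_open(host, port=427, timeout=2.0):
    """True if a TCP connection to the SLP port succeeds (TCP only)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(banner, slp_open):
    """Combine both conditions from the text: unpatched and port 427 exposed."""
    status = patch_status(banner)
    if status == "patched":
        return "ok"
    if status == "affected":
        return "urgent" if slp_open else "patch"
    if status.startswith("verify"):
        return status + (" (427 exposed)" if slp_open else "")
    return "review"


if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    for b in ("VMware ESXi 7.0.1 build-17325550", "VMware ESXi 6.7.0 build-1"):
        print(b, "->", triage(b, slp_open=True))
```

Run `slp_tcp_open` from outside your perimeter to see what the internet sees; a result of "verify ..." means the named bulletin must be confirmed as installed on that host.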
Using a specific Censys query, we can see there are already more than 1,900 infected ESXi devices; most of the victims are hosted by the service providers OVH and Hetzner.
OVH offers bare metal machines with the option to install ESXi on them. In many cases, customers then expose them to the internet and never patch.
On February 3rd, OVH published a blog post saying that they had closed off port 427 for their customers to mitigate the threat.
What do we know by now?
Largest non-Windows ransomware attack on record
This massive attack on ESXi servers is considered one of the most extensive ransomware cyberattacks ever reported on non-Windows machines. What makes the situation even more worrying is the fact that until recently, ransomware attacks were more focused on Windows-based machines. The ransomware threat actors have realized how crucial Linux servers are for the systems of institutions and organizations. This has certainly prompted them to invest in the development of such a powerful cyber weapon and to make ransomware so sophisticated.
According to our current analysis, the risk of this ransomware attack is not limited to the specific targeted service providers. Cybercriminals exploited CVE-2021-21974, a flaw already reported in February 2021. But what can make the impact even more devastating is the use of these servers, on which other virtual servers are usually running. Thus, the damage is probably more widespread than initially reported.
The evolution of Ransomware
In the early days, ransomware attacks were conducted by single entities who developed and distributed massive numbers of automated payloads to randomly selected victims, collecting small sums from each “successful” attack. Fast forward to 2023 and these attacks have evolved to become mostly human-operated processes, carried out by multiple entities over several weeks. The attackers carefully select their victims according to a desired profile, and implement a series of pressure measures to extort significant sums of money. Threats of exposing sensitive data have proven to be very effective.
Impact of ransomware attacks on corporations (2022)
Check Point’s ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software.
According to our data, globally, at least 1 out of every 13 organizations suffered an attempted Ransomware attack in the past year.
- In APAC – 1 in 11 organizations
- In EMEA – 1 in 12 organizations
- In the Americas – 1 in 19 organizations
Analysis of the initial threat indications seen by CPIRT (Incident Response Services) in 2022 indicates that almost 50% of investigations involve ransomware infections. CPIRT data shows that the biggest risks visible from a large corporate perspective are full-blown ransomware attacks and full network compromises.
Mitigation
Check Point Quantum IPS protects against the network vulnerability that was exploited in this attack (CVE-2021-21974).
IPS protection name:
“VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)”
For protection of corporate servers in the cloud, CloudGuard for Cloud Network Security provides advanced threat prevention and automated cloud network security through a virtual security gateway, with unified security management.
VMware published workarounds to assist server owners with mitigating the risk of the CVE’s exploitation. OVHcloud provided recommendations including emergency measures to OVHcloud customers using ESXi.
VMware’s full advisory and recommendations in response to the CVE can be found here: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
How to prevent the next Ransomware Attack
- Up-to-Date Patches: Keeping computers and servers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
- Keep your software updated. Ransomware attackers sometimes find an entry point within your apps and software, noting vulnerabilities and capitalizing on them. Fortunately, some developers are actively searching for new vulnerabilities and patching them out. If you want to make use of these patches, you need to have a patch management strategy in place—and you need to make sure all your team members are constantly up to date with the latest versions.
- Intrusion Prevention Systems detect or prevent attempts to exploit weaknesses in vulnerable systems or applications, protecting you in the race to exploit the latest breaking threat. Check Point IPS protections in our Next Generation Firewall are updated automatically. Whether the vulnerability was released years ago, or a few minutes ago, your organization is protected.
- Choose Prevention over detection: Many claim that attacks will happen, and there is no way to avoid them, and therefore the only thing left to do is to invest in technologies that detect the attack once it has already breached the network and mitigate the damage as soon as possible. This is not true. Not only can attacks be blocked, but they can be prevented, including zero-day attacks and unknown malware. With the right technologies in place, most attacks, even the most advanced ones, can be prevented without disrupting the normal business flow.
- Robust Data Backup: The goal of ransomware is to force the victim to pay a ransom to regain access to their encrypted data. However, this is only effective if the target loses access to their data. A robust, secure data backup solution is an effective way to mitigate the impact of a ransomware attack. If systems are backed up regularly, then the data lost to a ransomware attack should be minimal or non-existent. However, it is important to ensure that the data backup solution cannot be encrypted as well. Data should be stored in a read-only format to prevent the spread of ransomware to drives containing recovery data.
- Anti-Ransomware Solutions: While the previous ransomware prevention steps can help to mitigate an organization’s exposure to ransomware threats, they do not provide perfect protection. Some ransomware operators use well-researched and highly targeted spear phishing emails as their attack vector. These emails may trick even the most diligent employee, resulting in ransomware gaining access to an organization’s internal systems. Protecting against this ransomware that “slips through the cracks” requires a specialized security solution. To achieve its objective, ransomware must perform certain anomalous actions, such as opening and encrypting large numbers of files. Anti-ransomware solutions monitor programs running on a computer for suspicious behaviors commonly exhibited by ransomware, and if these behaviors are detected, the program can take action to stop encryption before further damage can be done.
When you are using Check Point to secure your business, you gain accurate prevention against the most advanced attacks through the power of ThreatCloud. ThreatCloud updates newly revealed threats and protections in real-time across Check Point’s entire portfolio.