Outbreak AlertVMware ESXi Server Ransomware Attack
Ransomware targeting VMware ESXi OpenSLP vulnerability
ESXi servers vulnerable to the OpenSLP heap-overflow vulnerability (CVE-2021-21974) and OpenSLP remote code execution vulnerability (CVE-2020-3992) are being exploited through the OpenSLP, port 427 to deliver a new ransomware “ESXiArgs”. The ransomware encrypts files in affected ESXi servers and demand a ransom for file decryption. Learn More »
Common Vulnerabilities and Exposures
Background
October 20, 2020: VMWare released a patch and advisory for CVE-2020-3992. https://www.vmware.com/security/advisories/VMSA-2020-0023.html February 23, 2021: VMWare released a patch and advisory for CVE-2021-21974. https://www.vmware.com/security/advisories/VMSA-2021-0002.html
Threat Radar Overall Score:
 |
CVSS Rating | 9.0 |
 |
FortiRecon Score | 92/100 |
 |
Known Exploited | Yes |
 |
Exploit Prediction Score | 87.96% |
 |
FortiGuard Telemetry | 6 |
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
February 03, 2023: CERT-FR posted an advisory for attack campaigns targeting vulnerable and unpatched VMware ESXi hypervisors with the aim of deploying ransomware. https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/
FortiGuard Labs is aware of exploitation reported in the wild. Fortinet's customer remain protected by the IPS signatures released to detect and block any attack attempts related to the vulnerability (CVE-2021-21974, CVE-2020-3992) and has recently added Antivirus detections to block "ESXiArgs" ransomware attacks.
The attack is primarily targetting ESXi servers in version before 7.0 U3i, through the OpenSLP port (427). To check your version of ESXi, please refer to your server page in your customer interface and steps to disable SLP service. https://kb.vmware.com/s/article/7637
February 07, 2023: CISA Releases ESXiArgs Ransomware Recovery Script. https://www.cisa.gov/uscert/ncas/current-activity/2023/02/07/cisa-releases-esxiargs-ransomware-recovery-script
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
-
Decoy VM
-
AV
-
AV (Pre-filter)
-
IPS
-
Outbreak Detection
-
Threat Hunting
-
Content Update
-
Assisted Response Services
-
Automated Response
-
InfoSec Services
-
Attack Surface Monitoring (Inside & Outside)
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
Loading ...
Indicators of compromise
IOC Indicator List
Indicators of compromise
IOC Threat Activity
Last 30 days
Chg
Avg 0
References
Sources of information in support and relation to this Outbreak and vendor.