8.Locks HexConnections CodeGlobe

An explosion of cyberattacks is infecting servers around the world with crippling ransomware by exploiting a vulnerability that was patched two years ago.

The hacks exploit a flaw in ESXi, a hypervisor VMware sells to cloud hosts and other large-scale enterprises to consolidate their hardware resources. ESXi is what’s known as a bare-metal, or Type 1, hypervisor, meaning it’s essentially its own operating system that runs directly on server hardware. By contrast, servers running the more familiar Type 2 class of hypervisors, such as Oracle’s VirtualBox, run as apps on top of a host operating system. The Type 2 hypervisors then run virtual machines that host their own guest OSes, such as Windows, Linux, or, less commonly, macOS. 

Advisories published recently by computer emergency response teams (CERT) in FranceItaly, and Austria report a “massive” campaign that began no later than Friday and has gained momentum since then. Citing results of a search on Census, CERT officials in Austria, said that as of Sunday, there were more than 3,200 infected servers, including eight in that country.

“Since ESXi servers provide a large number of systems as virtual machines (VM), a multiple of this number of affected individual systems can be expected,” the officials wrote.

The vulnerability being exploited to infect the servers is CVE-2021-21974, which stems from a heap-based buffer overflow in OpenSLP, an open network-discovery standard that’s incorporated into ESXi. When VMware patched the vulnerability in February 2021, the company warned it could be exploited by a malicious actor with access to the same network segment over port 427. The vulnerability had a severity rating of 8.8 out of a possible 10. Proof-of-concept exploit code and instructions for using it became available a few months later.