Ransomware, Vulnerability Management, Threat Management

Questions remain amid ESXi ransomware attack surge

More than 500 VMware ESXi servers across Europe have been infected with the ESXiArgs ransomware between Feb. 11 and 12 but questions remain on the vulnerability targeted by attackers, according to SecurityWeek. Censys researchers discovered two servers with ransom notes similar to those leveraged in attacks last October before being updated on Jan. 31 to resemble those being used in the ongoing attacks. All ransom notes were found to resemble those issued in Cheerscrypt ransomware attacks against ESXi servers last spring. While most ESXiArgs attacks are believed to have involved the exploitation of CVE-2021-21974, threat actors may have also leveraged CVE-2019-5544 and CVE-2020-3992 in the attacks, noted GreyNoise. "VMware currently has no evidence to support that a new vulnerability is being used to propagate recent ransomware attacks, but there is also no evidence that CVE-2021-21974 is the only attack vector, either. The media has speculated about the involvement of CVE-2022-31699, CVE-2021-21995, CVE-2021-21974, CVE-2020-3992, and CVE-2019-5544 but it is very likely that the attackers are using any vulnerability that is accessible to them. VMware is continuing to investigate," said VMware.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.