More than 500 VMware ESXi servers across Europe were infected with the ESXiArgs ransomware between Feb. 11 and 12, but questions remain about which vulnerability the attackers targeted, according to SecurityWeek.
Censys researchers discovered two servers whose ransom notes resembled those used in attacks last October; on Jan. 31 those notes were updated to resemble the ones used in the ongoing campaign. All of the ransom notes were found to resemble those issued in the Cheerscrypt ransomware attacks against ESXi servers last spring. While most ESXiArgs infections are believed to have involved exploitation of CVE-2021-21974, GreyNoise noted that the threat actors may also have leveraged CVE-2019-5544 and CVE-2020-3992. All three are flaws in the ESXi OpenSLP service (TCP port 427), so disabling SLP on hosts that do not need it, in addition to patching, closes every one of these candidate entry points.
"VMware currently has no evidence to support that a new vulnerability is being used to propagate recent ransomware attacks, but there is also no evidence that CVE-2021-21974 is the only attack vector, either. The media has speculated about the involvement of CVE-2022-31699, CVE-2021-21995, CVE-2021-21974, CVE-2020-3992, and CVE-2019-5544 but it is very likely that the attackers are using any vulnerability that is accessible to them. VMware is continuing to investigate," said VMware.