Ransomware, Vulnerability Management

Vulnerability to original ESXi ransomware campaign still elevated

Although a patch has been available for two years, Rapid7 researchers found at least 18,581 VMware ESXi servers still vulnerable to CVE-2021-21974, the flaw exploited in the initial attacks of the ESXiArgs ransomware campaign, reports The Record, the news site of cybersecurity firm Recorded Future. "We have also observed additional incidents targeting ESXi servers, unrelated to the ESXiArgs campaign, that possibly also leverage CVE-2021-21974. RansomExx2, a relatively new strain of ransomware written in Rust and targeting Linux, has been observed exploiting vulnerable ESXi servers," said Erick Galinkin of Rapid7.

The findings come after the attackers behind the campaign modified the ransomware to resist the decryptor issued by the Cybersecurity and Infrastructure Security Agency. The new ESXiArgs variant already accounts for most infections, having compromised 1,252 servers, most of which had been reinfected. New incidents that do not rely on CVE-2021-21974 have also been observed.

"This kind of attack was bound to happen; these services should never be on the internet. The internet-exposed VMware ESXi management interfaces are an incredibly high-value target for attackers because they could provide access to hundreds (or thousands) of hosted virtual machines with one exploit, potentially debilitating an organization if attackers can deny access," said Coalition Senior Security Engineer Scott Walsh.
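The practical follow-up to the exposure point above is to check your own address space for ESXi services that answer from the internet. The script below is an added example for this article, not code from SC Media, The Record, Rapid7 or Coalition. It relies on one fact the article does not state: CVE-2021-21974 is a heap overflow in the OpenSLP service that ESXi listens on at port 427 (per VMware's advisory), so 427 and the 443 management interface are the ports worth testing. The host inventory, port table and loopback self-test helpers are constructed for illustration.

```python
"""
Exposure check for the ESXi services behind CVE-2021-21974.

Added example for this article; it is not code from SC Media, The Record,
Rapid7 or Coalition. CVE-2021-21974 is a heap overflow in the OpenSLP service
that ESXi runs on port 427 (from the VMware advisory, not stated in the
article). The check reports which inventory hosts accept TCP connections on
427 (SLP) and 443 (HTTPS management interface). The inventory and the port
table below are constructed for illustration.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Services on an ESXi host that should not be reachable from the internet:
# SLP is the CVE-2021-21974 attack surface, 443 is the management UI/API.
ESXI_PORTS: Dict[int, str] = {427: "slp", 443: "https-mgmt"}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, no route
        return False


def check_host(host: str, ports: Dict[int, str] = ESXI_PORTS,
               timeout: float = 2.0) -> Dict[str, bool]:
    """Map each service name to whether it answered on this host."""
    return {name: tcp_open(host, port, timeout) for port, name in ports.items()}


def exposed_hosts(hosts: Iterable[str], ports: Dict[int, str] = ESXI_PORTS,
                  timeout: float = 2.0) -> List[Tuple[str, List[str]]]:
    """Hosts with at least one reachable service, paired with those services."""
    findings = []
    for host in hosts:
        hits = [name for name, up in check_host(host, ports, timeout).items() if up]
        if hits:
            findings.append((host, hits))
    return findings


def open_local_listener() -> Tuple[socket.socket, int]:
    """Bind a listening socket on loopback so the check can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Pick a loopback port that is (almost certainly) not listening."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # Constructed inventory: addresses from the TEST-NET-1 range, not real hosts.
    # Run this from an external vantage point; a scan from inside the
    # management network says nothing about internet exposure.
    inventory = ["192.0.2.10", "192.0.2.11"]
    for host, services in exposed_hosts(inventory, timeout=1.0):
        print(f"{host}: exposes {', '.join(services)}")
```

A hit on 427 means the service is exposed, not necessarily that the host is unpatched: patched ESXi builds still run slpd unless it is disabled, which VMware's advisory lists as the workaround. Treat any answer on 427 or 443 from outside as a finding to close at the network edge, then confirm the patch level on the host itself.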
