
CISA steps up to help VMware ESXi ransomware victims

Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency

The Cybersecurity and Infrastructure Security Agency (CISA) is stepping up efforts to help thousands of VMware customers hit by waves of ransomware attacks exploiting a two-year-old security vulnerability.

“CISA is working with our public and private sector partners to assess the impacts of these reported incidents and provide assistance where needed,” a CISA spokesperson told SC Media. “Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”

[Editor's Note: For an update to CISA's efforts to help VMware ESXi ransomware victims see CISA releases ESXiArgs-recovery tool for VMware ransomware victims]

The large-scale ransomware attacks are ongoing and have targeted thousands of VMware ESXi servers worldwide, with many more unpatched servers at high risk of exploitation, according to experts.

Europe is the worst-affected region, while North America also has a high number of targets, according to Italy's National Cybersecurity Agency, one of the first agencies to send out an alert over the weekend.

3,200 VMware servers compromised

A VMware spokesperson told SC Media that the hack exploits a two-year-old VMware vulnerability, identified as CVE-2021-21974. Given that a patch was made available back in February 2021, customers should immediately apply it if they have not done so, the spokesperson said.
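The article names the vulnerability but not what it lives in: CVE-2021-21974 is a heap-overflow bug in the OpenSLP service of ESXi (VMware advisory VMSA-2021-0002), reachable over port 427, and VMware's documented interim workaround (KB 76372) is to stop slpd, block its firewall ruleset and keep it from starting at boot. The script below is an added example, not code from the article or from VMware: it checks whether a host still exposes SLP and, on request, applies that workaround. It assumes an ESXi shell (SSH) with the standard `esxcli`, `chkconfig` and `vmware` commands; the sample outputs embedded in it are constructed so the parsing functions can be exercised off-host.

```shell
#!/bin/sh
# Added example (not from the article or from VMware): check whether an ESXi
# host still exposes the OpenSLP service that CVE-2021-21974 is in, and
# optionally apply VMware's documented interim workaround (KB 76372).
# Assumes the ESXi shell. Disabling SLP is a stopgap, not the patch
# (VMSA-2021-0002), and a host that is already encrypted needs incident
# response rather than this script.

# Constructed sample outputs of `esxcli network firewall ruleset list -r CIMSLP`,
# used to exercise the parser on a machine that is not an ESXi host.
SAMPLE_CIMSLP_ON='Name    Enabled
------  -------
CIMSLP  true'
SAMPLE_CIMSLP_OFF='Name    Enabled
------  -------
CIMSLP  false'

# Constructed sample of `chkconfig --list` output (service name, startup state).
SAMPLE_CHKCONFIG='sfcbd-watchdog  on
slpd            on
vpxa            on'

# Returns 0 if the CIMSLP firewall ruleset is enabled in the given listing
# (SLP reachable on tcp/udp 427 from the network), 1 otherwise.
cimslp_enabled() {
    printf '%s\n' "$1" | awk 'BEGIN { rc = 1 }
        $1 == "CIMSLP" && $2 == "true" { rc = 0 }
        END { exit rc }'
}

# Returns 0 if slpd is configured to start at boot in the given chkconfig
# listing, 1 otherwise.
slpd_autostart() {
    printf '%s\n' "$1" | awk 'BEGIN { rc = 1 }
        $1 == "slpd" && $2 == "on" { rc = 0 }
        END { exit rc }'
}

# Summarise the live host: prints EXPOSED and returns 1 if the firewall still
# lets SLP through or slpd autostarts, otherwise prints MITIGATED and returns 0,
# so the script can drive a fleet-wide loop over SSH.
slp_exposure() {
    vmware -vl                         # version and build, for patch tracking
    ruleset=$(esxcli network firewall ruleset list -r CIMSLP)
    services=$(chkconfig --list)
    if cimslp_enabled "$ruleset" || slpd_autostart "$services"; then
        echo "EXPOSED: SLP still reachable or enabled at boot"
        return 1
    fi
    echo "MITIGATED: SLP disabled"
    return 0
}

# VMware's KB 76372 workaround: stop the daemon, block the port, keep it off.
apply_slp_workaround() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Only touch a real host; elsewhere this file just defines the functions.
if command -v esxcli >/dev/null 2>&1; then
    if slp_exposure; then
        :
    elif [ "${1:-}" = "--apply" ]; then
        apply_slp_workaround
        slp_exposure
    fi
fi
```

Run it without arguments to audit a host, or with `--apply` to disable SLP on a host reported as EXPOSED; either way the build number printed by `vmware -vl` is what to compare against the fixed builds in VMware's advisory, since a disabled service still leaves the vulnerable code installed.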

Nearly 3,200 VMware ESXi servers worldwide have been compromised in this ransomware campaign, dubbed ESXiArgs, according to a Censys search reported by BleepingComputer. France is the most affected country, followed by the United States, Germany and Canada.

U.S. cybersecurity officials said they are aware of the report and are working to assess the impacts. Beyond telling affected VMware customers to report attacks on vulnerable ESXi servers, it is unclear what level of support CISA is offering.

One of CISA's goals is fostering public-private sector partnerships. In 2021, incoming CISA Director Jen Easterly announced the formation of the Joint Cyber Defense Collaborative (JCDC). Over 20 cybersecurity firms are part of the collaborative, with ransomware as the group's initial focus.

A past example of CISA's JCDC collaboration with the private sector was assisting with remediation efforts for Log4Shell. At the time, CISA created a Slack channel to share near-real-time threat intelligence and set up a clearinghouse of information on the threat. It also helped the private sector take collective action to reduce Log4Shell risks.

Patrick Tiquet, VP of security and architecture at Keeper Security, said that the incidents exemplify the inadequacies of patching within the security community.

“VMware shared these vulnerabilities and released the update to remediate them nearly two years ago,” Tiquet said. “It should come as no surprise that threat actors are now taking advantage of known vulnerabilities at organizations that failed to deploy the security patches.”

And considering the ubiquity, criticality, and increasingly broad adoption of technologies like ESXi, it should be at the top of patching priorities, Jack Danahy, VP of strategy and innovation at NuHarbor Security, added.

Boris Cipot, senior security engineer from Synopsys Software Integrity Group, said that “a planned procedure” and “a thorough approach” are needed to patch the software efficiently and avoid similar incidents in the future.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
