
Security researchers double-down on the need to patch VMware ESXi servers


Security teams should redouble efforts to patch a two-year-old VMware ESXi vulnerability that attackers have reportedly used in ransomware attacks on thousands of VMware customers worldwide.

According to a March 20 blog post from AT&T Cybersecurity, organizations that have not applied the patch are at risk of falling victim to the latest ransomware.

Nearly 3,200 VMware ESXi servers worldwide were compromised in the ransomware campaign, dubbed ESXiArgs, according to a Censys search. France was the most affected country, followed by the United States, Germany and Canada.

At the time the news of ESXiArgs broke in early February, a VMware spokesperson said given that a patch for the vulnerability — CVE-2021-21974 — was made available in February 2021, customers should immediately apply it if they have not done so.

A VMware spokesperson issued a statement Monday: "The recent ransomware attacks on out-of-date software were yet another reminder that virtual infrastructure must be proactively hardened against cyber threats. VMware continues to remind customers how to harden their on-premises instances of vSphere, install updates without down-time, and better configure ESXi to defend against malware threats."

Security researchers contacted by SC Media confirmed the need for security teams to prioritize a patch on their ESXi servers.

“This vulnerability was first noted publicly in 2021 and, as seen in recent news reports, the issue is currently exploitable,” said Lorri Janssen-Anessi, director, external cyber assessments at BlueVoyant. “Threat actors will continue to target this, as with other long-standing vulnerabilities, as long as organizations are vulnerable.”

Janssen-Anessi said security teams should install updates for VMware ESXi immediately. If they are unable to update, Janssen-Anessi said organizations should configure their systems to minimize risk, including disabling the port the ransomware is targeting. In addition, all organizations that use the affected VMware software should run full system scans to detect any signs of compromise.

“Given that this particular vulnerability has been publicly known for two years and has known exploits associated with it, enterprises should consider this a high priority fix,” said Janssen-Anessi. “If organizations have not yet patched their VMware vulnerabilities, the risk of a ransomware attack can be serious. Multiple governments have recently issued warnings about the risk and it appears multiple ransomware gangs may be using the vulnerability to spread malware.”

Patrick Tiquet, vice president, security and architecture at Keeper Security, said the longer organizations neglect known vulnerabilities, the more serious they become, especially once the vulnerabilities are widely reported in trade publications and mainstream media outlets.

Tiquet said the moment a cybercriminal learns about a vulnerability, they can begin work to exploit it.

“The more time the bad actor has, the more sophisticated they can potentially make the attack,” said Tiquet. “After isolating an affected server, the organization should check for signs of further compromise. After evaluating and remedying the impact, the organization should then reinstall the latest version of the hypervisor and deploy the latest security patches. Security teams should also evaluate the policies and procedures that allowed them to neglect a crucial security update. This ransomware attack campaign perfectly exemplifies why software updates are a critical component of cybersecurity.”

Mike Parkin, senior technical engineer at Vulcan Cyber, added that the fresh advisory from AT&T Cybersecurity is a reminder that even when vulnerabilities are announced and patches released, not everyone gets the message.

“Considering how widely used ESXi is worldwide, it's actually a little surprising to see this many targets get hit with a two-year-old exploit,” said Parkin. “I would suggest that this is a good example of the ‘long tail’ phenomenon, where the majority of vulnerable systems are fixed quickly, but we see an ever-decreasing share of stragglers still out there quite a while after everyone else is fixed.”
