Admins are advised to patch ESXi servers and disable OpenSLP

February 14, 2023

The surge of ransomware attacks against internet-exposed, unpatched ESXi servers has prompted VMware to warn its customers to apply the latest security updates and disable the OpenSLP service.

Based on reports, the threat actors are not exploiting a zero-day flaw in this service, which is disabled by default in current ESXi releases. Instead, the attackers have targeted products that are far behind on patches or have already reached end of life.

According to VMware, its team found no evidence that the threat actors used unknown vulnerabilities to spread their ransomware. VMware products that have reached End of General Support are the primary targets, since the attackers can exploit them easily.

Hence, VMware representatives advise customers to update their products to the latest available releases of vSphere components to address the currently identified zero-days. They also recommend that users disable the OpenSLP service in ESXi.
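The recommendation above, carried out fleet-wide, as an added example that is not VMware's code or part of the original article: the script audits every ESXi host attached to a vCenter for the OpenSLP daemon and, when run with `-Remediate`, stops it, sets its startup policy to Off and closes the matching firewall exception. It assumes VMware PowerCLI is installed and a `Connect-VIServer` session already exists; the service key `slpd` and the firewall exception name `CIM SLP` are the names PowerCLI exposes for OpenSLP on ESXi.

```powershell
# Added example (not VMware's code): report and optionally disable OpenSLP on all
# ESXi hosts of the connected vCenter. Assumes PowerCLI and an open Connect-VIServer
# session. Service key 'slpd' and firewall exception 'CIM SLP' are the PowerCLI
# names for the OpenSLP daemon and its port 427 rule.
param(
    [switch]$Remediate
)

$results = foreach ($vmhost in Get-VMHost) {
    $slp = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'slpd' }
    $fw  = Get-VMHostFirewallException -VMHost $vmhost -Name 'CIM SLP'

    if ($Remediate) {
        # Stop the daemon, keep it stopped across reboots, and close the firewall hole
        if ($slp.Running) { Stop-VMHostService -HostService $slp -Confirm:$false | Out-Null }
        if ($slp.Policy -ne 'Off') { Set-VMHostService -HostService $slp -Policy Off | Out-Null }
        if ($fw.Enabled) { Set-VMHostFirewallException -Exception $fw -Enabled $false | Out-Null }

        # Re-read so the report reflects the post-change state
        $slp = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'slpd' }
        $fw  = Get-VMHostFirewallException -VMHost $vmhost -Name 'CIM SLP'
    }

    [pscustomobject]@{
        Host        = $vmhost.Name
        Version     = $vmhost.Version
        Build       = $vmhost.Build
        SlpRunning  = $slp.Running
        SlpPolicy   = $slp.Policy
        SlpFirewall = $fw.Enabled
        # The host is reachable over SLP only when the daemon runs and the rule is open
        Exposed     = ($slp.Running -and $fw.Enabled)
    }
}

# Exposed hosts first; the Version and Build columns show which hosts also need patching
$results | Sort-Object Exposed -Descending | Format-Table -AutoSize
```

Run without `-Remediate` first to get a read-only inventory, then with it during a maintenance window; the Version and Build columns identify hosts that still need the vSphere updates the advisory calls for.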


Exploitation of ESXi servers has been rising over the past months.


The rise of ransomware attacks against VMware users was driven by the first wave of threat actors who began encrypting outdated ESXi servers by exploiting an OpenSLP CVE that allows remote code execution (RCE).

This incident revealed the ESXiArgs ransomware, which threat actors have launched as part of a massive operation that has already compromised thousands of vulnerable targets globally.

The attackers use the ESXiArgs malware to encrypt .vmx, .vmdk, .vmxf, .vmsd and .nvram files on infected ESXi servers and drop ransom notes.

A researcher analysed a sample of the ESXiArgs encryptor and found it to be a secure encryptor with no cryptographic flaws that would enable decryption. Fortunately, other researchers published a guide that helps VMware admins affected by these attacks rebuild their virtual machines and recover their data without paying the ransom.

Numerous public forums provide information and technical details about ESXiArgs to support admins. There is also a dedicated ESXiArgs support topic where victims report their situations and can receive help from experts in recovering their files.
