Large-scale ransomware campaign exploiting VMware ESXi vulnerabilities to encrypt virtual machines and disrupt business operations. Attackers leverage CVE-2021-21974 to compromise unpatched systems globally.
A significant ransomware campaign dubbed 'ESXiArgs' is actively targeting VMware ESXi hypervisors worldwide, primarily exploiting CVE-2021-21974, a two-year-old heap overflow vulnerability in the OpenSLP service. The attack has impacted thousands of servers across multiple countries, with particularly high concentrations in France, Germany, and North America. The ransomware specifically targets ESXi virtual machines, encrypting VM files (including .vmdk, .vmx, .vmxf, and .nvram) and effectively disrupting organizations' virtualized infrastructure. The campaign demonstrates sophisticated targeting of enterprise virtualization platforms, potentially causing widespread business disruption due to the critical nature of affected systems.
A widespread ransomware campaign is actively targeting VMware ESXi hypervisors, exploiting known vulnerabilities to encrypt virtual machines and associated files. The attack, identified as 'ESXiArgs,' has affected thousands of servers globally, with significant impact on critical business operations.
The primary attack vector is CVE-2021-21974, a heap overflow vulnerability in the OpenSLP service of ESXi that allows for remote code execution. This vulnerability affects ESXi versions 6.5, 6.7, and 7.0.
The ransomware specifically targets files essential to virtual machine operations:
The encryption process utilizes a combination of symmetric and asymmetric encryption, making recovery without the decryption key extremely difficult. The ransomware also attempts to stop virtual machines before encryption and removes VM snapshots to prevent easy recovery.
Immediate actions required:
Multiple malicious packages discovered in PyPI and npm repositories executing credential theft and crypto mining payloads. Supply chain attacks leverage typosquatting and dependency confusion techniques to compromise development environments.
A critical authentication bypass vulnerability in ConnectWise ScreenConnect (CVE-2024-1709) is being actively exploited in the wild. The flaw allows attackers to gain unauthorized administrative access and execute remote code on affected systems.
Critical authentication bypass and command injection vulnerabilities in Ivanti Connect Secure VPN are being actively exploited in the wild. Threat actors are deploying web shells and maintaining persistence in compromised environments.
Chinese state-sponsored threat actor Salt Typhoon (aka Bronze Silhouette) conducts persistent intrusion campaign against US telecommunications providers. The group employs sophisticated living-off-the-land techniques and custom malware to maintain long-term access to critical infrastructure.