Nearly 19,000 ESXi Servers Still Vulnerable to CVE-2021-21974


        Posted by Telegram SmartBoT (@tgsmartbot), Moderator
        #News(Security) [ via IoTGroup ]


        Last week multiple organizations issued warnings that a ransomware campaign dubbed "ESXiArgs" was targeting VMware ESXi servers, allegedly by leveraging CVE-2021-21974, a nearly two-year-old heap overflow vulnerability. And yet Rapid7 research has found that a significant number of ESXi servers likely remain vulnerable.

        We believe with high confidence that there are at least 18,581 vulnerable internet-facing ESXi servers at the time of this writing. We leverage the TLS certificate Recog signature to determine that a particular server is a legitimate ESXi server. Then, after removing likely honeypots from the results, we checked the build IDs of the scanned servers against a list of vulnerable build IDs.

        We have also observed additional incidents targeting ESXi servers, unrelated to the ESXiArgs campaign, that possibly also leverage CVE-2021-21974. RansomExx2, a relatively new strain of ransomware written in Rust and targeting Linux, has been observed exploiting vulnerable ESXi servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released a ransomware decryptor to help victims recover from ESXiArgs attacks. The script works by allowing users to unregister virtual machines that have been encrypted by the ransomware and re-register them with a new configuration file. The main benefit of the decryptor script is that it enables users to bring virtual machines back to a working state while data restore from backup occurs in the background. This is particularly useful for users of traditional backup tools without virtualization-based disaster recovery capabilities.

        Deny access to servers. Some victims of these attacks had these servers exposed to the open internet but could have gotten just as much business value out of them by restricting access to allowlisted IP addresses. If you are running an ESXi server, or any server, default to denying access to that server except from trusted IP space.

        Patch vulnerable ESXi servers. VMware issued a patch


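The post describes Rapid7's method as a two-step heuristic: confirm the host is ESXi, then compare its build ID against the builds that predate the fix. The script below is an added example of that second step and is not Rapid7's code or part of the forum post. It assumes the host advertises a banner of the form "VMware ESXi 6.7.0 build-17167734" (assumption), and the first fixed build per branch is taken from my recollection of VMSA-2021-0002 (7.0 U1c build 17325551, 6.7 build 17499825, 6.5 build 17477841); verify those numbers against the advisory before relying on them. The sample banners are constructed, not real scan results.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed build per supported branch, from my recollection of
# VMSA-2021-0002 (assumption: verify against the advisory before use).
FIXED_BUILDS: Dict[str, int] = {
    "7.0": 17325551,  # ESXi 7.0 Update 1c
    "6.7": 17499825,  # ESXi670-202102401-SG
    "6.5": 17477841,  # ESXi650-202102101-SG
}

# Banner format is an assumption: ESXi identifies itself as e.g.
# "VMware ESXi 6.7.0 build-17167734"; the branch is the major.minor prefix.
BANNER_RE = re.compile(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)")


def parse_banner(banner: str) -> Optional[Tuple[str, int]]:
    """Return (branch, build) for an ESXi banner, or None if it is not one."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def classify(banner: str) -> str:
    """Classify a host by build number alone.

    "patched"     - build is at or above the first fixed build for its branch
    "vulnerable"  - supported branch, build below the fixed build
    "unsupported" - ESXi branch with no fix listed (6.0 and older)
    "unknown"     - not recognised as an ESXi banner at all
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unsupported"
    return "patched" if build >= fixed else "vulnerable"


def summarize(banners: List[str]) -> Dict[str, int]:
    """Roll a list of scan banners up into per-class counts."""
    counts = {"patched": 0, "vulnerable": 0, "unsupported": 0, "unknown": 0}
    for b in banners:
        counts[classify(b)] += 1
    return counts


# Constructed sample of scan results (not real hosts).
SAMPLE_BANNERS = [
    "VMware ESXi 7.0.0 build-17325551",  # at the first fixed 7.0 build
    "VMware ESXi 7.0.0 build-17168206",  # an older 7.0 build
    "VMware ESXi 6.7.0 build-17167734",  # 6.7 before the fix
    "VMware ESXi 6.5.0 build-17477841",  # 6.5 at the fixed build
    "VMware ESXi 6.0.0 build-15517548",  # branch with no fix listed
    "Apache/2.4.54 (Debian)",            # not ESXi: a false positive to weed out
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{classify(b):12s} {b}")
    print(summarize(SAMPLE_BANNERS))
```

Two caveats a practitioner should keep in mind. A build-number comparison says "likely vulnerable", not "exploitable": CVE-2021-21974 is in ESXi's OpenSLP service, so a host whose administrators applied the workaround of disabling SLP but never patched will still be flagged here, which is one reason counts like the 18,581 above are upper bounds on exposure rather than confirmed targets. Conversely, the end-of-life 6.0 branch gets no fixed build in the advisory, so "unsupported" should be treated as vulnerable when prioritising remediation.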
