March 2023 5V0-32-19 Exam Dumps

Security teams working to secure their organizations against a nearly two-year-old vulnerability in VMware's ESXi hypervisor technology that attackers suddenly began exploiting en masse last week must pay attention to all ESXi hosts in the environment, not just Internet-accessible ones.

That's the advice of security vendor Bitdefender after it analyzed the threat and discovered that attackers can exploit it in multiple ways.

Two-Year-Old Flaw

The vulnerability in question, CVE-2021-21974, is present in VMware's implementation of a service delivery protocol in ESXi called Open Service Location Protocol (OpenSLP). The vulnerability gives unauthenticated attackers the ability to remotely execute malicious code on affected systems without any user interaction.

VMware disclosed the vulnerability in February 2021 and issued a patch for it at the same time. Since then, attackers have targeted it heavily and made CVE-2021-29174 one of the most exploited vulnerabilities in 2021 and 2023. On Feb. 3, France's computer emergency response team warned about bad actors exploiting CVE-2021-21974 to distribute a ransomware variant dubbed ESXiArgs ransomware on ESXi hosts around the world.

The widespread nature of the attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to release a recovery script that victims of ESXiArgs could use to try to recover their systems.

Martin Zugec, technical solutions director at Bitdefender, says though the initial compromise vector remains unknown, a popular theory is that it is via direct exploitation through Internet-exposed port 427. VMware itself has recommended that if organizations cannot patch immediately, they should block access to port 427.

While that measure can slow down an adversary, it does not eliminate risk from the flaw entirely because attackers can exploit the vulnerability in other ways as well, Zugec says. If an organization blocks port 427, for instance, an attacker could still compromise one of the virtual machines running on an ESXi host via any existing vulnerability.

They could then escape the compromised virtual machine to exploit the vulnerability in OpenSLP and gain root access to the host, he says.

Other Ways to Exploit Flaw

"Threat actors can use any existing vulnerability to compromise a virtual machine — whether it's Linux or Windows-based," Zugec notes.

A threat actor can also relatively easily buy on the Dark Web access to a previously compromised virtual machine and attempt OpenSLP remote code execution against the hosting hypervisor, he says.

"If successful, the threat actor can gain access not only to the hypervisor host, but also to all other machines running on the same server," Zugec says. "The OpenSLP exploit in this case would allow a threat actor to escalate their access and move laterally to other — potentially more valuable — machines."

Zugec says Bitdefender has so far seen no evidence of attackers exploiting the VMware ESXi vulnerability in this manner. But, given the major focus on direct exploitation via port 427, Bitdefender wanted to warn the public about other methods to exploit this vulnerability, he says. In addition to blocking access to port 427, VMware has also recommended that organizations that cannot patch CVE-2021-21974 simply disable SLP where possible.

Shades of WannaCry

Bitdefender said its analysis of the latest attacks targeting CVE-2021-21974 suggest that the threat actors behind them are opportunistic and not very sophisticated. Many of the attacks appear completely automated in nature, from initial scans for vulnerable systems to ransomware deployment.

"We can compare this to WannaCry," Zugec notes. "While these attacks can reach a wide range of machines, the impact remains limited."

But more sophisticated threat actors would use the flaw in ESXi to conduct a much larger operation, he says. Initial access brokers, for instance, could deploy a remote Web shell and disable SLP service so other threat actors cannot exploit the same flaw. They could then simply lie in wait for the best opportunity to monetize their access. Potential options could include data theft, surveillance, and cryptojacking.

To fully address the risk of a cyberattack exploiting the VMware vuln, Bitdefender — like VMware and others — recommends that organizations apply the patch for it immediately.

Organizations using older versions of VMWare ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed "End of General Support (EOGS) and/or significantly out-of-date products" continues.

However, the onslaught also points out wider problems in locking down virtual environments, the researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or "zero-day" flaw, but rather previously identified vulnerabilities that already have been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed "ESXiArgs" is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi, something VMware began doing by default in shipped versions of the project starting in 2021 with ESXi 7.0 U2c and ESXi 8.0 GA, to mitigate the issue.

Unpatched Systems Again in the Crosshairs

VMware's confirmation means that the attack by as-yet unknown perpetrators that's so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US may have been avoided by something that all organizations clearly need to do better — patch vulnerable IT assets — security experts said.

"This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in," notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It's a "sad truth" that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and security strategist for security exposure management firm Tenable.

"This puts organizations at incredible jeopardy of being successfully penetrated," he tells Dark Reading. "In this case, with the … VMWare vulnerability, the threat is immense given the active exploitation."

However, even given the risks of leaving vulnerable systems unpatched, it remains a complex issue for organizations to balance the need to update systems with the effect the downtime required to do so can have on a business, Montel acknowledges.

"The issue for many organizations is evaluating uptime, versus taking something offline to patch," he says. "In this case, the calculation really couldn’t be more straightforward — a few minutes of inconvenience, or days of disruption."

Virtualization Is Inherently a Risk

Other security experts don't believe the ongoing ESXi attack is as straightforward as a patching issue. Though lack of patching may solve the problem for some organizations in this case, it's not as simple as that when it comes to protecting virtualized environments in general, they note.

The fact of the matter is that VMware as a platform and ESXi in particular are complex products to manage from a security perspective, and thus easy targets for cybercriminals, says David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary. Indeed, multiple ransomware campaigns have targeted ESXi in the past year alone, demonstrating that savvy attackers recognize their potential for success.

Attackers get the added bonus with the virtualized nature of an ESXi environment that if they break into one ESXi hypervisor, which can control/have access to multiple virtual machines (VMs), "it could be hosting a lot of other systems that could also be compromised without any additional work," Maynor says.

Indeed, this virtualization that's at the heart of every cloud-based environment has made the task of threat actors easier in many ways, Montel notes. This is because they only have to target one vulnerability in one instance of a particular hypervisor to gain access to an entire network.

"Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything," he says. "If they are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection."

How to Protect VMware Systems When You Can't Patch

As the latest ransomware attack persists — with its operators encrypting files and asking for around 2 Bitcoin (or $23,000 at press time) to be delivered within three days of compromise or risk the release of sensitive data — organizations grapple with how to resolve the underlying issue that creates such a rampant attack.

Patching or updating any vulnerable systems immediately may not be entirely realistic, other approaches may need to be implemented, notes Dan Mayer, a threat researcher at Stairwell. "The truth is, there are always going to be unpatched systems, either due to a calculated risk taken by the organizations or due to resource and time constraints," he says.

The risk of having an unpatched system in and of itself may be mitigated then by other security measures, such as continuously monitoring enterprise infrastructure for malicious activity and being prepared to respond quickly and segment areas of attack if a problem arises.

Indeed, organizations need to act on the assumption that preventing ransomware "is all but impossible," and focus on putting tools in place "to lessen the impact, such as disaster recovery plans and context-switched data," notes Barmak Meftah, founding partner at cybersecurity venture capital firm Ballistic Ventures.

However, the ongoing VMware ESXi ransomware attack highlights another issue that contributes to an inherent inability for many organizations to take the necessary preventative measures: the skill and income gaps across the globe in the IT security realm, Mayer says.

"We do not have enough skilled IT professionals in nations where wealthy companies are targets," he tells Dark Reading. "At the same time, there are threat actors across the globe who are able to make a better living leveraging their skills to extort money from others than if they took legitimate cybersecurity work."

Mayer cites a report by the international cybersecurity nonprofit (ICS²) that said to secure assets effectively, the cybersecurity workforce needs 3.4 million cybersecurity workers. Until that happens, "we need to ramp up training these workers, and while the gap still exists, pay those with the skills around the world what they are worth, so they don’t turn to being part of the problem," Mayer says.

February 15, 2023, 06:52 PM EST

The exact ‘ESXiArgs’ ransomware campaign has compromised thousands of servers running VMware’s ESXi hypervisor.

If customers haven’t seen their virtual infrastructure as a likely target for ransomware attacks in the past, VMware is hoping the exact campaign that compromised thousands of ESXi servers will change their view on that.

In a statement Wednesday, VMware indicated there is no denial on its part about the fact that malicious actors are increasingly going after customers running its virtualization platforms, acknowledging that virtual infrastructure is now a “high-value target” for attackers.

[Related: VMware ESXi Ransomware Attacks: 5 Things To Know]

The exact “ESXiArgs” ransomware campaign has targeted customers that run the VMware ESXi hypervisor, and an estimate by the FBI and a federal cybersecurity agency put the number of compromised servers worldwide at 3,800 as of last week.

The attacks began in early February and have targeted organizations in countries including the U.S., Canada, France and Germany, according to cybersecurity vendor Censys.

While infections peaked on Feb. 3, the attacks have been continuing, and between Feb. 11 and 12 there were 500 additional hosts infected with the ESXiArgs ransomware, Censys said in a post Wednesday.

VMware released a statement to media Wednesday saying that “the exact ESXiArgs ransomware attacks have highlighted important truths about protecting virtual infrastructure.”

“The important truth is that virtual infrastructure is a high-value target, precisely because organizations run their most important workloads there, and that threat actors are continuously evolving their tools and tactics to work in those environments,” VMware said in a follow-up statement to CRN.

Ransomware attacks on virtualization platforms have already been on the rise for some time: Research from Mandiant, released in April 2023, pinpointed a “significant increase” in such attacks. Mandiant reported at the time that it had been observing the increase over the previous six to 12 months, and noted that it had been seeing numerous ransomware groups target VMware’s vSphere and ESXi platforms.

The scope of the ESXiArgs campaign, however, has brought a lot more attention to the threat. The attacks have exploited a two-year-old vulnerability (tracked at CVE-2021-21974) that affects older versions of VMware ESXi, researchers have said.

According to cybersecurity vendor Wiz, 12 percent of servers running the VMware ESXi hypervisor were unpatched against the vulnerability, which was first disclosed in 2021, as of earlier this month. Rapid7 research found that a total of 18,581 internet-connected ESXi servers were vulnerable to the flaw as of late January.

Robby Hill, CEO of Florence, S.C.-based MSP HillSouth, told CRN he questions why a business would ever think it made sense to put its ESXi servers on the internet. VM servers are the core of an organization’s server infrastructure, he said, and their only utility is providing the execution of the VMs.

“They should never be exposed to the public,” Hill said. “It seems like this was almost bound to happen by designing the setup at these companies so poorly.”

In its statement to CRN, VMware said that “to be resilient, organizations will need to prioritize security as an ongoing task, including keeping software up to date and hardening against the threat landscape.”

On Wednesday, the company published a blog about how its vSphere platform can be helpful to customers with such challenges.

“VMware is urging customers to harden their virtual infrastructure, and we are delivering guidance on how to update software with zero down-time and better configure their deployments to defend against malware threats that target virtual infrastructure,” the company said in its statement Wednesday. “We encourage organizations to enforce identity access management, modernize security architecture, and other hygiene practices for ransomware resilience.”

February 07, 2023, 03:24 PM EST

Thousands of servers running older versions of the VMware hypervisor are vulnerable to attacks by the ‘ESXiArgs’ ransomware, according to researchers.

Cybersecurity firm Wiz disclosed research on Tuesday showing that more than one in 10 servers running the VMware ESXi hypervisor are unpatched against a two-year-old vulnerability that is now being exploited in a widespread ransomware attack.

In a blog post, Wiz said that its data shows that 12 percent of VMware ESXi servers remain unpatched against the flaw, and are therefore still vulnerable to an attack from the “ESXiArgs” ransomware.

[Related: Patching Urged For ‘Critical’ VMware vRealize Vulnerabilities]

“Attacks utilizing this vulnerability to install ransomware have been discovered worldwide, though mostly in Europe,” Wiz said in the post.

The targets are “primarily” VMware ESXi servers that run versions of the hypervisor prior to 7.0 U3i, “which are accessible through the OpenSLP port 427.” The vulnerability — first disclosed in 2021 and tracked at CVE-2021-21974 — specifically affects the OpenSLP service in older versions of ESXi, and can be exploited to enable remote execution of code.

The ESXiArgs ransomware campaign has struck thousands of VMware ESXi servers over the past few days, researchers have disclosed.

Data from cybersecurity firm Censys, which was initially reported by Bleeping Computer, shows that 308 servers in the U.S. and 211 servers in Canada are currently impacted by the ransomware. That’s down from 362 U.S. servers and 240 Canadian servers as of Monday evening.

The U.S. and Canada continue to rank second and fourth, respectively, in terms of the countries hardest hit by the ESXiArgs ransomware campaign.

VMware noted that there’s a correlation between the cyberattacks and servers that are either at end-of-support or “significantly out-of-date.”

The OpenSLP service was disabled in ESXi in 2021 starting with ESXi 7.0 U2c and ESXi 8.0 GA, VMware said.

The company said Monday that it’s “advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” and that it also continues to recommend that customers disable the OpenSLP service in ESXi.

“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these exact attacks,” the company said.

VMware advises users with VMware ESXi servers to perform updates as soon as possible to counter the exact ESXiArgs ransomware and disable the OpenSLP service. In addition, it is confirmed that the attack is not a zero-day vulnerability.

VMware states in a response that the attack does not involve a zero-day vulnerability. In the statement, VMare indicates that it involves so-called End of General Support (EOGS) and or obsolete products with vulnerabilities already addressed.

More concretely, researchers already discovered, it specifically concerns VMware ESXi versions 7.x for build ESXi70U1c-17325551, ESXi versions 6.7.x for build ESXi670-202102401-SG and ESXi versions 6.5.x for build ESXi650-202102101-SG. Especially targeted are ESXi hypervisor versions 6.x to 6.7.

Advice to upgrade and disable OpenSPL

According to the virtualization and cloud specialist, patches and so-called VMware Security Advisories (VMSAs) have been available for the vulnerabilities of these specific versions for some time. VMware, therefore, urges users to update to the latest versions of VMware ESXi and/or VMware vSphere components as soon as possible.

It also urges users to disable the OpenSPL service. VMware ESXi versions ESXi 7.0 U2c and ESXi 8.0 GA released in 2021 already have this service disabled by default.

Global ransomware attack

Yesterday it was announced that since Feb. 3, thousands of VMware ESXi servers worldwide, mainly in Europe, the U.S. and Canada, have been attacked by the new ransomware variant ESXiArgs. The ransomware gains access to servers running the outdated and unpatched software via a so-called “heap overflow” in the standard upcoming Open SLP service. Very notable in the attack that the so-called Sosemanuk algorithm, among others, was used.

Tip: Global ransomware attack on thousands of VMware ESXi servers

Cybercriminals are actively exploiting a two-year-old VMware vulnerability as part of a ransomware campaign targeting thousands of organizations worldwide.

Reports emerged over the weekend that VMware ESXi servers left vulnerable and unpatched against a remotely exploitable bug from 2021 were compromised and scrambled by a ransomware variant dubbed “ESXiArgs.” ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server.

France’s computer emergency response team CERT-FR reports that the cybercriminals have been targeting VMware ESXi servers since February 3, while Italy’s national cybersecurity agency ACN on Sunday warned of a large-scale ransomware campaign targeting thousands of servers across Europe and North America.

U.S. cybersecurity officials have also confirmed they are investigating the ESXiArgs campaign. “CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed,” a CISA spokesperson told TechCrunch. “Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”

Italian cybersecurity officials warned that the ESXi flaw could be exploited by unauthenticated threat actors in low-complexity attacks, which don’t rely on using employee passwords or secrets, according to the Italian ANSA news agency. The ransomware campaign is already causing “significant” damage due to the number of unpatched machines, local press reported.

More than 3,200 VMware servers worldwide have been compromised by the ESXiArgs ransomware campaign so far, according to a Censys search (via Bleeping Computer). France is the most affected country, followed by the U.S., Germany, Canada and the United Kingdom.

It’s not clear who is behind the ransomware campaign. French cloud computing provider OVHCloud backtracked on its initial findings suggesting a link to the Nevada ransomware variant.

A copy of the alleged ransom note, shared by threat intelligence provider DarkFeed, shows that the hackers behind the attack have adopted a “triple-extortion” technique, in which the attackers threaten to notify victims’ customers of the data breach. The unknown attackers are demanding 2.06 bitcoin — approximately $19,000 in ransom payments — with each note displaying a different bitcoin wallet address.

In a statement given to TechCrunch, VMware spokesperson Doreen Ruyak said the company was aware of reports that a ransomware variant dubbed ESXiArgs “appears to be leveraging the vulnerability identified as CVE-2021-21974” and said that patches for the vulnerability “were made available to customers two years ago in VMware’s security advisory of February 23, 2021.”

“Security hygiene is a key component of preventing ransomware attacks, and organizations who are running versions of ESXi impacted by CVE-2021-21974, and have not yet applied the patch, should take action as directed in the advisory,” the spokesperson added.

Updated with comment from CISA. 

Cybersecurity agencies in Europe are warning of ransomware attacks exploiting a two-year-old computer bug as Italy experienced widespread internet outages.

The Italian premier's office said Sunday night the attacks affecting computer systems in the country involved "ransomware already in circulation" in a product made by cloud technology provider VMware.

A Friday technical bulletin from a French cybersecurity agency said the attack campaigns target VMware ESXi hypervisors, which are used to monitor virtual machines.

Palo Alto, California-based VMware fixed the bug back in February 2021, but the attacks are targeting older, unpatched versions of the product.

The company said in a statement Sunday that its customers should take action to apply the patch if they have not already done so.

"Security hygiene is a key component of preventing ransomware attacks," it said.

The U.S. Cybersecurity and Infrastructure Security Agency said Sunday it is "working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed."

The problem attracted particular public attention in Italy on Sunday because it coincided with a nationwide internet outage affecting telecommunications operator Telecom Italia, which interfered with streaming the Spezia v. Napoli soccer match but appeared largely resolved by the time of the later Derby della Madonnina between Inter Milan and AC Milan. It was unclear whether the outages were related to the ransomware attacks.