Hackers are exploiting a known vulnerability in VMware’s ESXi servers on a large scale, government officials and company spokesmen across Europe and North America have confirmed.
Italy’s National Cybersecurity Agency (ACN) has warned companies using these VMware products to update their devices immediately to protect themselves from the ongoing cybercrime campaign.
ANSA (a major Italian news agency) further said that hackers targeted servers in France, Finland, the United States and Canada in addition to servers in Italy.
500 victims and counting
“Dozens” of organizations in Italy were reported to have been affected by the campaign. The agency says companies have been warned to take steps “to avoid being locked out of their systems,” suggesting the attackers were using the vulnerability in ransomware campaigns.
Across the Atlantic, US cybersecurity officials analyzed the incoming reports:
“CISA is working with our public and private sector partners to assess the impact of these reported incidents and provide assistance as needed,” Reuters quotes the US Cybersecurity and Infrastructure Security Agency.
A VMware spokesman said the hackers abused a flaw discovered in early 2021 and patched in February this year. The company also urged its customers to apply the patch immediately.
A separate report issued by The Stack claims that more than 500 companies have been affected by the campaign so far and that it was in fact a ransomware attack. Businesses in France are said to be hardest hit. CERT-FR, the French government’s Computer Security Incident Response Team, says the attack is semi-automated and targets servers vulnerable to CVE-2021-21974.
The bug is described as an OpenSLP heap-overflow vulnerability that allows attackers to execute code remotely.
So far we don’t know which ransomware group initiated the attack and which encryptor is being used, but reports say that around 20 servers are attacked every hour.