Ransomware scum launch wave of attacks on critical, but old, VMWare ESXi vuln France's Computer Emergency Response Team has issued a Bulletin D'Alerte regarding a campaign to infect VMware’s ESXI hypervisor with ransomware. We get a little language lesson with this one: France's CERT describes this as an attempt to "déployer un rançongiciel," while Italy's Agenzia per la Cybersicurezza Nazionale – which …
I didn't know this until I was called in to try and help a customer who actually had this infection.
The virus entered via email on a Windows system (as far as I could trace), which still seems to be the most common entry vector of any infection I've come across. It eventually found the VMWare ESXi Linux box which was left unpatched and proceeded to encrypt its contents, so eventually nuking all the VMs it was running and presto - death.
On querying why this box was running an old version of ESXi I was told it was a cost cutting measure by a since then sacked director. It turns out there are apparently two types of licenses for VMWare, with the more expensive one allowing you to update without taking the system down. As they weren't prepared to spring for the more expensive one, the much needed update conflicted with the need to keep making money, and naturally the bonus-generating option won. Repeatedly. Until they got breached so hard there was literally nothing running anymore.
I'm sure the aformentioned idiot will only mention his cost savings in his new job, not the consequences..
This will be the perfect reason I shall present to the MD as to why we need to get rid of all the virtualisation hosts that are forcing us to stay on 6.7 instead of upgrading to 8.0. Even not exposed to the internet it's far too risky to bet the farm on saving a few grand that we'll need to spend anyway.
Yup. With all the happy petri dishes in your company (machines running any kind of Windows software) the whole idea of "hard shell, soft centre" protection just no longer cuts it. Nowadays your petri dishes import the trouble from outside to become the insider threat. Not fun.
Yes, we all naturally assume that competent people are in charge.
Until we find out that the beancounters had their say.
Well, I'm sure the beancounters are going to have a chance to revise their opinion (not that I'm saying they'll change it, it's too early for April Fool's day).
From the VMware advisory:
"A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."
So not anything to do with ports exposed to the "Internet".
For us, the COVID-19 rules caused a lot of disruption to data centre access and we've not been able to upgrade/patch a whole raft of systems. Remember ESXi is used by a lot of smaller companies who don't have enough servers to warrant a lot of automation and remote patching capabilities. One data centre I haven't been able to get people on site to since March 2020. Sure I could use 'remote hands' with the data centre staff, but for this security advisory and many others we just simply blocked the problem port on the firewall and disabled the service.
If it is the SLP issue then you don't even need to patch, just turn SLP off. I turned mine off in late Oct 2020. The guide is here https://kb.vmware.com/s/article/76372
As far as I could tell SLP was never used on my systems, the only connection attempt logged lined up with the date/time of the boot-up of the server.
Zero impact, and zero impact since.
Of course running esxi exposed on the internet is a bad thing in any case.
As a little exercise that I find fun when I'm bored every few months, download a copy of nmap and scan the networks segments just outside your home router, you'll turn up some interesting ports open and interesting devices attached.
Some people just don't get it, sticking devices directly on routers is like sticking a mains cable in your mouth and simply waiting until someone plugs the other end into a wall socket...
I'm having trouble understanding what you want the alternative to be. Would refusing to include any non-English words in an English article be better under your conception? Couldn't that be interpreted as negative as well? Maybe this confusion is due to my missing the mockery you imply is present; all I see is a note demonstrating that French language authorities made a local word for ransomware, as they do with many English-rooted technical terms, and Italian either didn't make one or didn't use it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
