Ransomware scum launch wave of attacks on critical, but old, VMWare ESXi vuln

France's Computer Emergency Response Team has issued a Bulletin D'Alerte regarding a campaign to infect VMware’s ESXI hypervisor with ransomware. We get a little language lesson with this one: France's CERT describes this as an attempt to "déployer un rançongiciel," while Italy's Agenzia per la Cybersicurezza Nazionale – which …

  1. Anonymous Coward

    Why there may be unpatched versions around: money

    I didn't know this until I was called in to try and help a customer who actually had this infection.

    The virus entered via email on a Windows system (as far as I could trace), which still seems to be the most common entry vector of any infection I've come across. It eventually found the VMWare ESXi Linux box which was left unpatched and proceeded to encrypt its contents, so eventually nuking all the VMs it was running and presto - death.

    On querying why this box was running an old version of ESXi I was told it was a cost cutting measure by a since then sacked director. It turns out there are apparently two types of licenses for VMWare, with the more expensive one allowing you to update without taking the system down. As they weren't prepared to spring for the more expensive one, the much needed update conflicted with the need to keep making money, and naturally the bonus-generating option won. Repeatedly. Until they got breached so hard there was literally nothing running anymore.

    I'm sure the aforementioned idiot will only mention his cost savings in his new job, not the consequences.

    1. Pascal Monett

      Re: The virus entered via email on a Windows system

      You can say it: Outlook.

      We know.

    2. Jamtea

      Re: Why there may be unpatched versions around: money

      This will be the perfect reason I shall present to the MD as to why we need to get rid of all the virtualisation hosts that are forcing us to stay on 6.7 instead of upgrading to 8.0. Even not exposed to the internet it's far too risky to bet the farm on saving a few grand that we'll need to spend anyway.

      1. Anonymous Coward

        Re: Why there may be unpatched versions around: money

        Yup. With all the happy petri dishes in your company (machines running any kind of Windows software) the whole idea of "hard shell, soft centre" protection just no longer cuts it. Nowadays your petri dishes import the trouble from outside to become the insider threat. Not fun.

  2. JackBoot

    Attack Surface

    Are people really going to leave something as ancient as v6.5 with ports exposed on the Internet?! I'd just assume all old kit is vulnerable, VPN access only.

    1. Pascal Monett

      Re: Attack Surface

      Yes, we all naturally assume that competent people are in charge.

      Until we find out that the beancounters had their say.

      Well, I'm sure the beancounters are going to have a chance to revise their opinion (not that I'm saying they'll change it, it's too early for April Fool's day).

    2. aaaa

      Re: Attack Surface

      From the VMware advisory:

      "A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."

      So not anything to do with ports exposed to the "Internet".

      For us, the COVID-19 rules caused a lot of disruption to data centre access and we've not been able to upgrade/patch a whole raft of systems. Remember ESXi is used by a lot of smaller companies who don't have enough servers to warrant a lot of automation and remote patching capabilities. One data centre I haven't been able to get people on site to since March 2020. Sure I could use 'remote hands' with the data centre staff, but for this security advisory and many others we just simply blocked the problem port on the firewall and disabled the service.

      1. Anonymous Coward

        Re: Attack Surface

        You know you can patch ESXi via vSphere Update Manager remotely, right?

        1. Anonymous Coward

          Re: Attack Surface

          And if you only have a license for 4 cpus, you can upgrade esxi one at a time. Yes, you'll have to shut down all of the VMs, but that's infinitely better than rebuilding from scratch, and then restoring from backup. You have a backup, right?

      2. Nate Amsden

        Re: Attack Surface

        If it is the SLP issue then you don't even need to patch, just turn SLP off. I turned mine off in late Oct 2020. The guide is here

        As far as I could tell SLP was never used on my systems, the only connection attempt logged lined up with the date/time of the boot-up of the server.

        Zero impact, and zero impact since.

        Of course running esxi exposed on the internet is a bad thing in any case.
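The workaround the two commenters above describe (block port 427, stop the SLP daemon, keep it off across reboots) as an added example in the ESXi shell; this is not code from the thread or from VMware. It assumes the column layout of `esxcli network firewall ruleset list` and `chkconfig --list` shown in the constructed samples, and only calls the live commands when `esxcli` is actually present.

```shell
#!/bin/sh
# Audit and disable OpenSLP (port 427, CIMSLP ruleset) on an ESXi host.
# The two listings below are constructed samples so the checks run offline.

# Constructed sample of `esxcli network firewall ruleset list` output.
SAMPLE_RULESETS='Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true
DHCPv6               false'

# Constructed sample of `chkconfig --list` output.
SAMPLE_CHKCONFIG='sfcbd-watchdog          off
slpd                    on
ntpd                    off'

# ruleset_enabled NAME LISTING -> exit 0 if NAME's Enabled column reads "true"
ruleset_enabled() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2 }' | grep -qx true
}

# service_on NAME LISTING -> exit 0 if chkconfig shows NAME as "on"
service_on() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2 }' | grep -qx on
}

# slp_status RULESETS CHKCONFIG -> prints "exposed" if the CIMSLP firewall
# ruleset is open or slpd is set to start at boot, otherwise "mitigated".
slp_status() {
  if ruleset_enabled CIMSLP "$1" || service_on slpd "$2"; then
    echo exposed
  else
    echo mitigated
  fi
}

# disable_slp: stop SLP now, close its firewall ruleset, keep it off after reboot.
disable_slp() {
  /etc/init.d/slpd stop &&
  esxcli network firewall ruleset set -r CIMSLP -e 0 &&
  chkconfig slpd off
}

# Live audit, only when run on the host itself (esxcli is absent elsewhere).
if command -v esxcli >/dev/null 2>&1; then
  status=$(slp_status "$(esxcli network firewall ruleset list)" "$(chkconfig --list)")
  echo "SLP status: $status"
fi
```

Run `slp_status` first; call `disable_slp` only on hosts where nothing actually relies on SLP discovery, then re-run the audit to confirm it reports "mitigated".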

    3. Anonymous Coward

      Re: Attack Surface

      As a little exercise that I find fun when I'm bored every few months, download a copy of nmap and scan the network segments just outside your home router; you'll turn up some interesting ports open and interesting devices attached.

      Some people just don't get it, sticking devices directly on routers is like sticking a mains cable in your mouth and simply waiting until someone plugs the other end into a wall socket...

  3. ChoHag

    Look! Foreign words! They've got floaty things above them!

    And listen to the accents!
    ... I thought we'd grown beyond casual racism?

    1. Plest

      Re: Haha!

      And I thought woke mindset and mock outrage had started its long-awaited downward trend; obviously not.

    2. doublelayer

      Re: Haha!

      I'm having trouble understanding what you want the alternative to be. Would refusing to include any non-English words in an English article be better under your conception? Couldn't that be interpreted as negative as well? Maybe this confusion is due to my missing the mockery you imply is present; all I see is a note demonstrating that French language authorities made a local word for ransomware, as they do with many English-rooted technical terms, and Italian either didn't make one or didn't use it.

  4. cantankerous swineherd

    given the news that palantir is all over NHS data, the sooner the ransomware scum bring the entire internet down, the better.

    mine's the one with cash in the pockets.
