Ransomware hackers infect vulnerable VMware installations

According to a recent report, at least one major group of ransomware operators is exploiting a set of vulnerabilities in VMware ESXi to compromise virtual machines installed in enterprise environments in order to inject malware and encrypt affected systems. The cybersecurity community believes that these attacks are linked to the operators of the RansomExx malware variant (also known as Defray777) and that they have been active since last October.

These attacks involve the exploitation of CVE-2019-5544 and CVE-2020-3992, two flaws in the aforementioned hypervisor solution that allows different virtual machines to share the same hard disk storage. The two flaws reside in The Service Location Protocol (SLP), used by devices on the same network to detect each other.

The report mentions that successful exploitation of these failures would allow remote threat actors on the same network to send malicious SLP requests to an ESXi device in order to take control of this solution even if the attackers have not compromised the VMware vCentral server, on which ESXi deployments typically depend.

Based on analysis of reported incidents, the researchers concluded that this hacking group seeks to gain access to a device connected to a corporate network, exploiting this entry point to deploy the ransomware to on-premises ESXi instances and compromise virtual hard drives, causing chaos in compromised organizations that are unable to access their virtual machines.

Multiple system administrators have reported these incidents on platforms such as Reddit or Twitter, even organizing virtual conferences to alert the community to this risk.

Although all reported attacks so far have been linked to the RansomExx group, a few weeks ago the operators of the Babuk Locker ransomware claimed to be employing a similar feature, although no successful attacks have been reported by this group.

Cybersecurity specialists also report detecting the sale of access to ESXi instances compromised in various illegal hacking forums. Because ransomware operators often work with initial access agents for their initial entry points within organizations, this could also explain why ESXi was linked to some ransomware attacks last year.

Specialists recommend that enterprise system administrators who rely on ESXi VMWare to manage the storage space used by their virtual machines that apply the required ESXi updates. Disabling SLP support to prevent attacks is also recommended.