VMware ESXi  #Ransomware: What is going on? What does the following code means?


In the last few hours, several sources have reported massive Ransomware-type activity against VMware ESXi servers exposed on a public network.
The activity currently appears to be conducted by at least 2 different criminal groups.

RansomNote ed ESXi (esxiArgs)


Both groups are exploiting a 2021 RCE vulnerability that allows malicious code (𝗥𝗮𝗻𝘀𝗼𝗺𝘄𝗮𝗿𝗲) to be launched remotely (CVE-𝟮𝟬𝟮𝟭-𝟮𝟭𝟵𝟳𝟰 )

Current situation (4th of February)

There is currently massive hacking activity happening globally. Most of the compromised systems (around 500) were found to be in France.
The first server compromises emerge in Italy and Switzerland.

Italy and Switzerland

From an analysis activity, there would appear to be around 600 vulnerable servers present in Italy, 300 in Switzerland.

Other Information:

In the image an example of the security device placed by the criminal group inside a compromised server.

The first steps to take at this juncture are: applying security patches and reducing the exposure of critical services to the public internet.

To these should be added specific strategic assessments for securing critical systems such as a VMware server.

Other Info:  Fortgale

Our Services: Fortgale Cyber Defence



#cybersecurity #vmware #ESXiArgs #italia #svizzera

Related articles