Cybercriminals are using VMware’s Cloud software to launch ransomware attacks

February 8, 2023

Cybercriminals are using a two-year-old vulnerability in VMware’s Cloud software to launch a large-scale ransomware attack against VMware ESXi servers, according to France’s computer emergency response team (CERT-FR).

The threat actors appear to be exploiting CVE-2021-21974, a heap overflow vulnerability with a severity rating of “important” that VMware publicly disclosed and patched in February 2021.

The cybercriminals have been trying to target VMware ESXi servers since February 3, according to CERT-FR, while Italy’s national cybersecurity agency ACN warned on Sunday of a large-scale ransomware campaign targeting thousands of servers across Europe and North America.

U.S. cybersecurity officials have also confirmed that the ESXiArgs campaign is being investigated. “CISA is collaborating with our public and private sector partners to assess the impact of these reported incidents and provide assistance where necessary,” a CISA spokesperson said. “Any organization experiencing a cybersecurity incident should notify CISA or the FBI immediately.”

The president and founder of French cloud provider Scaleway, Arnaud de Bermingham, tweeted that a fast-moving ransomware was infecting servers running VMware ESXi versions 6.x and urged users to upgrade immediately.

The ransomware attacks appear to be targeting “end-of-general-support or significantly out-of-date products by leveraging known vulnerabilities previously addressed and disclosed in VMware security advisories,” according to a VMware spokesperson.

The sources for this piece include an article in Axios.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
