Massive ransomware attacks on old unpatched ESXi

1. Laughs in backup/ZFS snapshot
2. Why are the hosts reachable from the Internet?
 
Affected
  • ESXi version 7.x prior to ESXi70U1c-17325551
  • ESXi version 6.7.x prior to ESXi670-202102401-SG - ESXi 6.7 EP 18 - build 17499825
  • ESXi version 6.5.x prior to ESXi650-202102101-SG - ESXi 6.5 P06 - build 17477841
https://www.helpnetsecurity.com/2023/02/06/vmware-esxi-ransomware-cve-2021-21974/

Build numbers for the older versions
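Added example, not code from the thread or from VMware: a small Python helper that takes the output of `esxcli system version get` from an ESXi host and decides whether the build is older than the fixed builds listed in the "Affected" post above. The sample `esxcli` output and the `FIXED_BUILDS` table are constructed here from that list; the function names are my own. Build numbers increase monotonically within a release line, so "below the fixed build" is the whole check; release lines not in the list (6.0 and older) get `None` rather than a verdict.

```python
# Added example (not from the thread): flag ESXi hosts whose build is older
# than the fixed builds for CVE-2021-21974 listed in the post above.
import re

# Fixed builds per the "Affected" list above (constructed table, keyed by
# major.minor release line).
FIXED_BUILDS = {
    "7.0": 17325551,  # ESXi70U1c-17325551
    "6.7": 17499825,  # ESXi670-202102401-SG, ESXi 6.7 EP 18
    "6.5": 17477841,  # ESXi650-202102101-SG, ESXi 6.5 P06
}

# Constructed sample of `esxcli system version get` output from a 6.7 host
# that is still on an older build (this build predates the fixed one).
SAMPLE_ESXCLI_OUTPUT = """\
   Product: VMware ESXi
   Version: 6.7.0
   Build: Releasebuild-17167734
   Update: 3
   Patch: 120
"""


def parse_esxcli_version(text):
    """Return (version, build) parsed from `esxcli system version get` output."""
    version = build = None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Version":
            version = value
        elif key == "Build":
            # Build lines look like "Releasebuild-17167734"; keep the number.
            match = re.search(r"(\d+)$", value)
            build = int(match.group(1)) if match else None
    if version is None or build is None:
        raise ValueError("could not find Version/Build in esxcli output")
    return version, build


def is_unpatched(version, build):
    """True if the build predates the fixed build for its release line.

    Returns None for release lines the list above does not cover (e.g. 6.0),
    so callers do not mistake "unknown" for "patched".
    """
    release_line = ".".join(version.split(".")[:2])
    if release_line not in FIXED_BUILDS:
        return None
    return build < FIXED_BUILDS[release_line]


def assess(text):
    """Parse esxcli output and return (version, build, unpatched?)."""
    version, build = parse_esxcli_version(text)
    return version, build, is_unpatched(version, build)


if __name__ == "__main__":
    # On a real host: esxcli system version get | python3 check_esxi_build.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ESXCLI_OUTPUT
    ver, bld, bad = assess(data)
    print(f"ESXi {ver} build {bld}: "
          + {True: "UNPATCHED", False: "patched", None: "release line not in list"}[bad])
```

Run it on the host itself, or feed it the output of `esxcli system version get` collected from each host over SSH; a `None` result means the host is on a release line outside the list above, which in practice means an end-of-life ESXi that should be treated as exposed anyway.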


Even if they aren't, if they're reachable internally by any of your users, it just takes one compromised user, because they don't actually need rights.
 



You sort of deserve it if you're letting normal workstations / services of any sort sit on the same VLAN as the management of your ESXi hosts.
 

The management VLAN needs to be routed so it can talk to vCenter. If vCenter is on the same VLAN, it needs to be routed for vCenter access.
 
If anything in this life is certain, if history has taught us anything, it's that you can hack anyone.

- Michael Corleone
 