Commit
Merge pull request #38 from DIVD-NL/cms/articles/online-test-article
Automatically generated. Merged on Netlify CMS.
Showing 2 changed files with 14 additions and 7 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,20 @@ | ||
--- | ||
title: Online test article | ||
title: "CASE: GLOBAL VMWARE ESXI RANSOMWARE ATTACKS" | ||
date: 2023-10-21T21:24:59.311Z | ||
tag: news | ||
intro: This is the online intro | ||
image: /images/articles/screenshot-2023-10-12-at-14.26.31-3-.png | ||
tag: case | ||
intro: "In a cooperation with DIVD, NCSC-NL and several EU govcerts, 14,986 | ||
global vulnerable hosts were found and notified. " | ||
image: /images/articles/1675785490-esxi-16_9-1.png | ||
image_alt: Picture of the entrance to a mine | ||
case: | ||
caseid: "1" | ||
caseid: DIVD-2023-00007 | ||
closed: true | ||
link: https://csirt.divd.nl/cases/DIVD-2023-00040/ | ||
link: https://csirt.divd.nl/cases/DIVD-2023-00007/ | ||
--- | ||
The body of the article | ||
On February 3rd, DIVD became aware of a global ransomware attack that targeted vulnerable VMware ESXi servers, specifically those susceptible to **CVE-2021-21974.** In response, DIVD conducted a scan of ESXi servers accessible via the internet and notified users, urging them to patch their systems to prevent potential exploitation. VMware ESXi is a type 1 hypervisor that is part of VMware’s larger vSphere suite. It provides a platform for virtualizing servers and allows for the running of multiple operating systems on a single physical server. As a bare-metal hypervisor, ESXi is directly installed on the server hardware, providing a efficient way to manage and partition hardware resources like CPU, memory, storage, and networking among multiple virtual machines (VMs). ESXi includes features such as VMotion, which enables live migration of running VMs from one physical server to another with no downtime, and High Availability, which allows for automatic VM restart on other available servers in case of hardware failure. ESXi also provides security features, including VM encryption, and secure boot. | ||
|
||
CVE-2021-21974 is a vulnerability in OpenSLP as used in ESXi. OpenSLP is an open standard network protocol that enables dynamic discovery and communication with network services in LANs and WANs. The vunerability in the protocol is a heap-overflow vulnerability. A malicious actor who resides within the same network segment as ESXi and has access to TDP or UDP port 427, may be able to trigger the heap-overflow vulnerability in the OpenSLP service, which could result in remote code execution. The versions of ESXi that are vulnerable to this issue are 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, and 6.5 before ESXi650-202102101-SG. | ||
|
||
February 3rd CERT-FR communicated about ransomware attacks, related to CVE-2021-21974. The attackers used the vulnerability to launch ransomware attacks. | ||
|
||
On February 4th DIVD started scanning. An initial scan revealed the presence of **14,986 vulnerable hosts globally**,with 269 of them located in the Netherlands. The researchers at DIVD notified the owners. Additionally, DIVD also informed the Dutch NCSC, as well as govcerts in Austria, Finland, France, and Italy. |
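Review bot: `image_alt: Picture of the entrance to a mine` is carried over unchanged while `image:` now points at `/images/articles/1675785490-esxi-16_9-1.png`, so the alt text no longer describes the image shown; it should be rewritten for the ESXi picture. The replaced `intro:` string also keeps a trailing space before its closing quote (`global vulnerable hosts were found and notified. "`) and opens with "In a cooperation with", which should read "In cooperation with". In the body text, "TDP or UDP port 427" should be "TCP or UDP port 427", "a efficient" should be "an efficient", "vunerability" is misspelled, the bold span `**CVE-2021-21974.**` swallows the sentence's full stop, and `globally**,with` is missing the space after the comma. Finally, `date: 2023-10-21T21:24:59.311Z` was left as is although the case describes events from February 2023; confirm that is the intended publication date.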