State of New Jersey SealOFFICIAL SITE OF THE STATE OF NEW JERSEY

Ransomware Groups Exploit VMware ESXi Vulnerabilities

NJCCIC Alert

Original Release Date: 2/4/2021

Summary

Ransomware groups are exploiting two critical vulnerabilities, CVE-2019-5544 and CVE-2020-3992 , in VMware ESXi in order to encrypt virtual hard disks. ESXi is a hypervisor that is installed directly on a physical server that consolidates virtual machines in order to share the same hard drive storage, among other features. Researchers spotted the ransomware group RansomExx – also known as Defray777 – exploiting these vulnerabilities in October 2020. Additionally, researchers are aware of the Babuk Locker ransomware operators’ intent to incorporate this exploitation method into future attacks. Threat actors have also been observed selling access to ESXi instances via dark web forums, increasing the likelihood of its use in future attacks.

Recommendations

The NJCCIC urges users of vulnerable VMware ESXi to apply patches after appropriate testing. Additionally, consider disabling Service Location Protocol (SLP) port 427 if possible, as this is a known attack vector. Further reporting can be found in the ZDNet article.

Join & Subscribe

Never miss an update! Sign up for a no cost membership today! Receive up-to-date content and more in our weekly bulletin.

Sign Up

Featured Content

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.

Agency Seals of State of NJ, NJOHSP and NJCCIC

STAY CONNECTED:

View our Privacy Policy here.

View our Site Index here.