Map of ransomware attack targeting VMware servers

Thousands of VMware Servers Impacted by Ransomware Attack in Largest Incident Not Involving Windows

Warnings of a major globe-spanning ransomware attack began circulating on social media in early February, but at first there were few details save for reports of the occasional victim. It has now been established that the campaign targeted an old (and previously patched) vulnerability in VMware servers, and that it has grown to become the largest attack of its type in history not involving Windows machines.

Though the vulnerability has been known for some time (and was patched nearly two years ago), the ransomware attack has nevertheless compromised at least 3,200 VMware servers to date. Some of the more prominent victims include the Florida Supreme Court, Houston’s Rice University and the Georgia Institute of Technology. The attackers are not believed to be a major ransomware gang, however, and the Cybersecurity and Infrastructure Security Agency (CISA) released a recovery tool to the public on February 8.

Major ransomware attack ensnares record number of victims despite lack of sophistication

Security agencies around the world, including government teams in Italy and France, began sounding warnings of the massive ransomware attack and the involvement of VMware servers on February 5. The attack has been global and very visible, scooping up unpatched VMware servers that have been neglected since the CVE-2021-21974 vulnerability was reported and patched in February 2021.

The breadth of the attack is due to the vulnerability being in VMware ESXi servers, which are used to partition hardware and manage multiple virtual machines. This can create a cascading compromise, as the breach of these VMware servers provides further access to whatever virtual servers they are hosting on the hardware they manage.

The French Computer Emergency Response Team recommends immediate identification of any VMware servers that might not have been patched and a thorough scan for signs of compromise. ESXi hypervisors in versions 6.5, 6.7 and 7 are potentially vulnerable and admins can disable the Open Service Location Protocol (OpenSLP) service for an immediate stopgap defense until patches can be applied; if the VMware servers were set up in 2021 or later, this may already be disabled by default.
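The OpenSLP stopgap described above, written out as a small ESXi shell script. This is an added example, not code from the article, CERT-FR or VMware; the commands are the ones VMware documents for stopping the slpd service, blocking its firewall ruleset and keeping it off across reboots (KB 76372), and the script assumes an ESXi 6.5/6.7/7.x host with the standard `/etc/init.d/slpd` init script and `esxcli` available. On anything else it reports that there is nothing to do and exits with status 2, so it can be kept in a generic tooling repository without risk of running the wrong commands.

```shell
#!/bin/sh
# Added example (not from the article): apply the OpenSLP stopgap on an ESXi host.
# Assumptions: ESXi 6.5/6.7/7.x, /etc/init.d/slpd present, esxcli in PATH.

SLPD_INIT=/etc/init.d/slpd

# 0 if this looks like an ESXi host that has the slpd init script, 1 otherwise.
is_esxi_host() {
    [ -x "$SLPD_INIT" ] && command -v esxcli >/dev/null 2>&1
}

# Print the current slpd state: running / stopped / unknown (not ESXi).
slp_state() {
    if ! is_esxi_host; then
        echo unknown
        return 1
    fi
    if "$SLPD_INIT" status 2>/dev/null | grep -qi running; then
        echo running
    else
        echo stopped
    fi
}

# Stopgap until the patch is applied: stop slpd, disable the CIMSLP firewall
# ruleset so port 427 is no longer reachable, and keep slpd off after reboot.
# Returns 2 when not on ESXi, 1 if any step fails, 0 on success.
slp_stopgap() {
    is_esxi_host || { echo "not an ESXi host; nothing to do" >&2; return 2; }
    "$SLPD_INIT" stop || return 1
    esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
    chkconfig slpd off || return 1
    chkconfig --list 2>/dev/null | grep slpd   # show the persisted setting
}

case "${1:-}" in
    --status) slp_state ;;
    --apply)  slp_stopgap ;;
esac
```

Run it as `sh slp-stopgap.sh --status` first to see whether slpd is still running, then `--apply`; the final `chkconfig --list` line confirms the service will stay disabled after the next reboot, which is the part that is easy to forget when the stop command alone is typed by hand.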

Teong Eng Guan, Regional Director (Southeast Asia and Korea) for Check Point Software Technologies, noted that this series of attacks is indicative of an increasing willingness of cyber threats to find ways to target Linux systems rather than the relative “low hanging fruit” of exploiting Windows vulnerabilities: “The recent massive cyber attack on ESXi servers is considered the most extensive cyber attack ever reported on non-Windows machines. What makes the situation even more worrying is the fact that until recently, ransomware attacks were limited to Windows-based machines. The ransomware threat actors have realized how crucial Linux servers are for the systems of institutions and organizations … Cybercriminals exploited CVE-2021-21974, a flaw already reported in February 2021. But what can make the impact even more devastating is the use of these servers, on which other virtual servers are usually running. Thus, the damage is probably widespread, more than we can imagine.”

Attacks on VMware servers may be the work of amateurs

The perpetrators of the ransomware attack are not yet known, but appear to be using a ransomware-as-a-service strain. However, security researchers have noted that all elements of this wave of attacks on VMware servers, from the ransomware that was deployed to the hackers conducting the break-ins, show signs of being new and unsophisticated.

Prior to the release of the CISA recovery tool, the attackers were having relatively little success given the number of VMware servers they managed to breach. As of the public disclosure, only four ransom payments had been reported, for a total haul of just $88,000.

The ransomware attacks also failed to encrypt the key files that store the data for virtual disks, making it relatively easy for competent admins to just rebuild the machines on their own even before CISA’s tool was made available. This is likely the reason the group harvested so few payments despite doing such widespread initial damage. The group also threatened some victims with the release of stolen data, but did not appear to follow up when payments were not made.
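The rebuild the paragraph above alludes to works because a VMware virtual disk is two files: a small text descriptor (`name.vmdk`) and the large `name-flat.vmdk` that actually holds the data. If only the descriptor was encrypted, a new descriptor pointing at the intact flat file can be written and the VM re-registered. The script below is an added example of that triage, not code from the article, from VMware or from CISA's recovery tool. It assumes that a surviving descriptor still begins with the `# Disk DescriptorFile` magic line, that flat files are whole multiples of 512-byte sectors, and that the default adapter type and virtual hardware version it writes are placeholders to be matched against the VM's `.vmx`; the sample VM directory is constructed by `make_sample_dir()`.

```python
"""Added example (not from the article, VMware or CISA's tool): find intact
*-flat.vmdk files whose descriptor was encrypted or removed and regenerate a
minimal descriptor for each. Sample data is constructed by make_sample_dir()."""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path

SECTOR = 512
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"


@dataclass
class DiskStatus:
    flat: Path            # the *-flat.vmdk data file
    descriptor: Path      # the *.vmdk descriptor that should point at it
    descriptor_ok: bool   # True if the descriptor still looks like plain-text metadata
    flat_sectors: int     # size of the flat file in 512-byte sectors


def descriptor_is_intact(path: Path) -> bool:
    """A VMFS descriptor is a small text file starting with the magic line;
    an encrypted or missing descriptor fails this check."""
    if not path.is_file() or path.stat().st_size > 64 * 1024:
        return False
    with path.open("rb") as f:
        return f.read(len(DESCRIPTOR_MAGIC)) == DESCRIPTOR_MAGIC


def triage_vm_dir(vm_dir: Path) -> list[DiskStatus]:
    """Pair every *-flat.vmdk with its expected descriptor and record its state."""
    statuses = []
    for flat in sorted(vm_dir.glob("*-flat.vmdk")):
        descriptor = vm_dir / (flat.name[: -len("-flat.vmdk")] + ".vmdk")
        size = flat.stat().st_size
        if size % SECTOR:
            raise ValueError(f"{flat.name}: not sector-aligned, treat the flat file as damaged")
        statuses.append(DiskStatus(flat, descriptor, descriptor_is_intact(descriptor), size // SECTOR))
    return statuses


def build_descriptor(flat_name: str, sectors: int, adapter: str = "lsilogic") -> str:
    """Minimal VMFS descriptor referencing an existing flat extent. Geometry uses the
    255-head / 63-sector layout ESXi applies to SCSI disks; adapterType and
    virtualHWVersion are assumptions to be matched to the VM's .vmx."""
    cylinders = sectors // (255 * 63)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        'encoding="UTF-8"',
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {sectors} VMFS "{flat_name}"',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        f'ddb.adapterType = "{adapter}"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        'ddb.geometry.heads = "255"',
        'ddb.geometry.sectors = "63"',
        'ddb.virtualHWVersion = "14"',
    ]
    return "\n".join(lines) + "\n"


def repair_vm_dir(vm_dir: Path, dry_run: bool = True) -> list[Path]:
    """Regenerate descriptors for intact flat files whose descriptor is encrypted or
    missing; the damaged original is kept beside it for forensic review."""
    repaired = []
    for d in triage_vm_dir(vm_dir):
        if d.descriptor_ok:
            continue
        if not dry_run:
            if d.descriptor.exists():
                d.descriptor.rename(d.descriptor.with_name(d.descriptor.name + ".encrypted"))
            d.descriptor.write_text(build_descriptor(d.flat.name, d.flat_sectors))
        repaired.append(d.descriptor)
    return repaired


def make_sample_dir() -> Path:
    """Constructed sample: one VM whose descriptor survived and one whose descriptor was
    overwritten with ciphertext-like bytes while its 2 MiB flat file is untouched."""
    vm_dir = Path(tempfile.mkdtemp(prefix="esxi-triage-"))
    (vm_dir / "db01-flat.vmdk").write_bytes(b"\0" * (1024 * 1024))
    (vm_dir / "db01.vmdk").write_text(build_descriptor("db01-flat.vmdk", 2048))
    (vm_dir / "web01-flat.vmdk").write_bytes(b"\0" * (2 * 1024 * 1024))
    (vm_dir / "web01.vmdk").write_bytes(b"\x9f\x3b\x00\x1c encrypted blob")
    return vm_dir


if __name__ == "__main__":
    sample = make_sample_dir()
    for status in triage_vm_dir(sample):
        print(f"{status.flat.name}: {status.flat_sectors} sectors, "
              f"descriptor {'intact' if status.descriptor_ok else 'DAMAGED'}")
    print("would regenerate:", [p.name for p in repair_vm_dir(sample, dry_run=True)])
```

`repair_vm_dir` defaults to a dry run so the first pass only reports which descriptors it would rewrite; the encrypted original is renamed rather than deleted so it remains available as evidence. The geometry and hardware-version fields are the ones to double-check against the VM's configuration before powering it on.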

The ransomware attack really only gained so much traction because so many unpatched VMware servers were sitting out there waiting to be hit by an automated process. Among those were some high-profile victims, though none has yet reported any serious damage from the incident. The Florida Supreme Court is probably the biggest name on the list, and a spokesperson said that the attack hit a limited administrative system that was segregated from the court’s main network. About a dozen universities in the US were also hit, but have yet to report any serious ongoing difficulties.

CISA and the FBI continue to investigate the incident, along with law enforcement agencies from numerous other countries. France, the US, Germany, Canada and the United Kingdom were the countries most impacted by the ransomware attacks.

A number of recent studies have shown that keeping up with patching is increasingly becoming an issue for organizations. Though it’s a relatively simple job, it nevertheless requires IT resources that are often already stretched thin. Boris Cipot, Senior Security Engineer for Synopsys Software Integrity Group, notes that this incident illustrates what can happen when patching schedules fall behind and eventually certain items fall between the cracks completely: “Patching software isn’t a nice-to-have; it is a necessity, especially when we’re talking about computer systems used by companies. When a vulnerability is found, users must try to mitigate this and protect affected systems. One of the best ways to do so is to apply a patch, if one is on offer. Granted, there are instances when IT will need to apply the patch on a staging or test system first to ensure it will not interfere with normal operations. Nevertheless, this should not be used as a reason to delay patching for more than a year. If there is reason to delay the patching, then other measures should be put in place to compensate for this. Patching software, be it commercial or open source, must be a planned procedure. To make it successful, companies must take a thorough approach, starting with an inventory of the software it uses. Once this inventory is established, it is critical that the company is regularly kept up to date on any changes or news about the software. That way, if a vulnerability is identified, those responsible can take the necessary steps to protect their systems. If a patch is made available, this should be tested and applied to affected systems as soon as possible. Organisations would benefit from having a clear, step-by-step guide, outlining the actions they need to take in these situations. This guide should be tested periodically as well. Without testing the plan and improving on it, one cannot be sure that it will work in reality.”

And Morten Gammelgard (EVP, EMEA at BullWall) cautions that organizations cannot rely on a combination of sloppy attackers and a bailout by a federal agency in most of the ransomware attacks they will experience going forward: “We got lucky this time. The attackers failed to encrypt the flat data files where the data for virtual disks are stored. While these recent attacks on VMware servers were only partially successful, it highlights the issues with protecting the entire attack surface and maintaining perfect cyber hygiene – the next attack may work better and successfully encrypt all files and perhaps next time a rescue script will not be available.”

“Companies must patch all critical OS and application vulnerabilities in a timely manner and deploy ransomware containment to stop the encryption from happening – when the ransomware bypasses all the preventative security tools – by taking advantage of an old or new vulnerability. Had this attack been more successful many more organizations would now be facing downtime and disruption and having to restore lots of files and environments from back up at very high cost,” added Gammelgard.