Hypervisor maker VMware has warned that attackers are using previously disclosed vulnerabilities in its ESXi hypervisor and components to deploy ransomware.
The company believes the vulnerabilities being exploited are not zero-day flaws, meaning the attackers are exploiting previously discovered bugs in the hypervisor. In other words, the attacks exploit instances of the hypervisor that have not been updated or are no longer supported.
Also: Cloud computing dominates. But security is now the biggest challenge
"We wanted to address the recently reported 'ESXiArgs' ransomware attacks as well as provide some guidance on actions concerned customers should take to protect themselves," VMware's security response center said on Monday.
"VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks."
The company notes that most reports state attacked instances have reached end of support or are significantly out-of-date products.
It's reiterating a workaround it gave in December for customers to disable the SLP Service on VMware ESXi after OpenSLP vulnerabilities affecting ESXi were disclosed.
France's computer emergency response team (CERT) last week warned that it became aware of attack campaigns targeting ESXi hypervisors to deploy ransomware on February 3. The SLP service appeared to have been targeted and allows a remote attacker to run code of their choice on the vulnerable server. It also notes that exploit code has been publicly available since at least May 2021.
CERT France strongly recommends admins isolate an affected server, reinstall the hypervisor, apply all patches, disable unnecessary services like SLP, and block access to admin services through a firewall.
Specifically, it recommends the following courses of action:
BleepingComputer reports that attackers behind ESXiArgs ransomware use it to encrypt .vmxf, .vmx, .vmdk, .vmsd, and .nvra files on compromised ESXi servers.