What Expert Says On VMWare ESXi Vulnerability To Encrypt Virtual Hard Disks

A criminal group deploying the RansomExx ransomware is actively exploiting vulnerabilities in VMware ESXi to encrypt victims' virtual hard disks. Security experts comment below on these vulnerabilities.

3 Expert Comments
Stephen Kapp, CTO and Founder
InfoSec Expert
February 3, 2021 4:31 pm

The targeting of enterprise infrastructure by ransomware is a good example of why it is important to carry out updates and patching for all elements within the enterprise. A significant level of effort is put into updating and patching your normal desktop and server operating systems, but the underlying systems for virtualisation that support these are often overlooked.

Natalie Page, Cyber Threat Intelligence Analyst
InfoSec Expert
February 3, 2021 4:29 pm

Due to its global prevalence, VMware is a lucrative platform for attackers to target. Luckily, the recommendations in this instance are pretty straightforward: users of VMware ESXi should prioritise implementing patches for both CVE-2019-5544 and CVE-2020-3992, or disable SLP support to prevent attacks if the protocol isn't needed.

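As an added example (not from any of the commenters and not VMware's own tooling), a POSIX shell audit for the mitigation described above: it parses the output of `chkconfig --list` and `esxcli network firewall ruleset list` so the checks can be exercised offline on constructed sample text, and only when run on an ESXi host with `--audit --fix` does it apply the SLP disable steps from VMware KB 76372. The `CIMSLP` ruleset name and the two-column `Name Enabled` layout of the esxcli output are assumptions taken from that documentation.

```shell
#!/bin/sh
# Added example: audit (and optionally remediate) SLP exposure on an ESXi host.
# Ruleset name CIMSLP and the esxcli column layout are assumed from VMware KB 76372.

# Returns 0 if the CIMSLP firewall ruleset is enabled (427/tcp+udp reachable).
# $1: output of `esxcli network firewall ruleset list -r CIMSLP`.
cimslp_ruleset_enabled() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" && $2 == "true" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Returns 0 if slpd is configured to start at boot.
# $1: output of `chkconfig --list` (lines such as "slpd   on").
slpd_boot_enabled() {
    printf '%s\n' "$1" | awk '$1 == "slpd" && $2 == "on" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Prints one verdict line per control; returns 0 when SLP is still exposed on either.
# $1: esxcli ruleset output, $2: chkconfig output.
slp_exposed() {
    exposed=1
    if slpd_boot_enabled "$2"; then echo "slpd: enabled at boot"; exposed=0
    else echo "slpd: disabled"; fi
    if cimslp_ruleset_enabled "$1"; then echo "CIMSLP ruleset: open"; exposed=0
    else echo "CIMSLP ruleset: closed"; fi
    return "$exposed"
}

# Remediation steps from VMware KB 76372; only meaningful on the ESXi host itself.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Constructed sample output representing an unpatched host that still exposes SLP.
SAMPLE_RULESET="Name    Enabled
------  -------
CIMSLP  true"
SAMPLE_CHKCONFIG="slpd    on
sfcbd   on"

case "${1:-}" in
  --audit)  # live run on the host; add --fix to remediate when exposed
    if slp_exposed "$(esxcli network firewall ruleset list -r CIMSLP)" "$(chkconfig --list)"; then
        [ "${2:-}" = "--fix" ] && disable_slp
    fi ;;
  *)        # offline demonstration against the constructed sample (reports exposed)
    slp_exposed "$SAMPLE_RULESET" "$SAMPLE_CHKCONFIG" ;;
esac
```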
Boris Cipot, Senior Sales Engineer
InfoSec Expert
February 3, 2021 4:21 pm

If an attacker is in the network and able to access port 427, they are likely to have already exploited the vulnerability, as the RansomExx group has shown. Organisations should not assume that this is just a 'possibility'. The vulnerabilities CVE-2019-5544 and CVE-2020-3992 are present in the OpenSLP (Service Location Protocol) component and can be misused by the attacker to conduct remote code execution.

These vulnerabilities are critical and should not be taken lightly. Organisations using software that has been identified as being vulnerable should patch the vulnerabilities with available patches immediately.
