Advisory February 8, 2023

Ransomware campaign targeting non-updated VMware ESXi servers (CVE-2021-21974)

The Obrela SOC Team

Although the CVE is not newly discovered, there is an ongoing global trend of malicious activity against VMware ESXi servers. The vulnerability is a heap overflow in the OpenSLP service; successful exploitation allows remote code execution on the host.

You are kindly requested to apply the latest patches to your ESXi infrastructure and to scan your systems for traces of malicious activity related to the IoCs below:

  • 104.152.52.55
  • 193.163.125.138
  • 43.130.10.173
  • 104.152.52.0/24

It is also advised to deactivate the OpenSLP service on the servers, or to restrict access to it to trusted IP addresses only.
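As an added illustration of the scanning step above (example code written for this advisory, not Obrela's own tooling), the following Python script checks log lines for the four IoCs listed here, handling the /24 network as a range rather than a literal string, and flags hits that involve the OpenSLP port (TCP/UDP 427). The log format and the sample lines are constructed for the example; adapt the source-IP and port patterns to whatever your firewall or ESXi syslog forwarder actually emits.

```python
"""Scan log lines for the IoCs in the ESXi / OpenSLP advisory.

Example code added for illustration; not part of the advisory or any
vendor tool. The log line format below is constructed for the example.
"""
import ipaddress
import re

# IoCs exactly as listed in the advisory: three single hosts and one /24.
# Each entry keeps the original text so reports quote the advisory verbatim.
IOCS = [
    (ioc, ipaddress.ip_network(ioc))
    for ioc in (
        "104.152.52.55",
        "193.163.125.138",
        "43.130.10.173",
        "104.152.52.0/24",
    )
]

# OpenSLP listens on TCP/UDP 427. A hit from an IoC address on that port is
# the most relevant signal for this advisory, so it is flagged separately.
SLP_PORT = 427

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed key=value port field; adjust to your log source (constructed format).
PORT_RE = re.compile(r"(?:dport|dst_port|DPT)[=: ](\d{1,5})")

# Constructed sample lines in a firewall-style syslog format (not real data).
SAMPLE_LINES = [
    "2023-02-06T10:15:01Z esxi01 fw: ACCEPT src=104.152.52.55 dst=10.0.0.5 dport=427 proto=tcp",
    "2023-02-06T10:15:07Z esxi01 fw: ACCEPT src=104.152.52.200 dst=10.0.0.5 dport=443 proto=tcp",
    "2023-02-06T10:16:30Z esxi01 fw: ACCEPT src=192.168.1.20 dst=10.0.0.5 dport=427 proto=tcp",
    "2023-02-06T10:17:02Z esxi01 fw: DROP src=43.130.10.173 dst=10.0.0.5 dport=427 proto=udp",
]


def matching_ioc(ip_text):
    """Return the advisory IoC (as listed) that contains ip_text, or None.

    Single-host IoCs are checked before the /24, so an address that is both a
    listed host and inside the listed network reports the more specific entry.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for ioc_text, network in IOCS:
        if addr in network:
            return ioc_text
    return None


def scan_log(lines):
    """Return [(line_no, ip, ioc, slp_related), ...] for every IoC hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        # dict.fromkeys de-duplicates while keeping first-seen order.
        for ip_text in dict.fromkeys(IPV4_RE.findall(line)):
            ioc = matching_ioc(ip_text)
            if ioc is None:
                continue
            port_match = PORT_RE.search(line)
            slp_related = port_match is not None and int(port_match.group(1)) == SLP_PORT
            hits.append((line_no, ip_text, ioc, slp_related))
    return hits


if __name__ == "__main__":
    for line_no, ip, ioc, slp in scan_log(SAMPLE_LINES):
        flag = " [OpenSLP port 427]" if slp else ""
        print(f"line {line_no}: {ip} matches IoC {ioc}{flag}")
```

Any hit on port 427 from a listed address on a host that has not been patched should be treated as a possible exploitation attempt and escalated for investigation. For the mitigation step, VMware's guidance for disabling SLP on an ESXi host is to stop the service with `/etc/init.d/slpd stop`, keep it off across reboots with `chkconfig slpd off`, and close the corresponding firewall ruleset with `esxcli network firewall ruleset set -r CIMSLP -e 0`; the same firewall ruleset can instead be restricted to an allow-list of trusted management addresses if SLP must remain available.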

OBRELA remains vigilant and takes action if such IoCs are encountered.

References