February 07, 2023, 03:24 PM EST

Thousands of servers running older versions of the VMware hypervisor are vulnerable to attacks by the ‘ESXiArgs’ ransomware, according to researchers.

Cybersecurity firm Wiz disclosed research on Tuesday showing that more than one in 10 servers running the VMware ESXi hypervisor are unpatched against a two-year-old vulnerability that is now being exploited in a widespread ransomware attack.

In a blog post, Wiz said that its data shows that 12 percent of VMware ESXi servers remain unpatched against the flaw, and are therefore still vulnerable to an attack from the “ESXiArgs” ransomware.

[Related: Patching Urged For ‘Critical’ VMware vRealize Vulnerabilities]

“Attacks utilizing this vulnerability to install ransomware have been discovered worldwide, though mostly in Europe,” Wiz said in the post.

The targets are “primarily” VMware ESXi servers that run versions of the hypervisor prior to 7.0 U3i, “which are accessible through the OpenSLP port 427.” The vulnerability — first disclosed in 2021 and tracked at CVE-2021-21974 — specifically affects the OpenSLP service in older versions of ESXi, and can be exploited to enable remote execution of code.

The ESXiArgs ransomware campaign has struck thousands of VMware ESXi servers over the past few days, researchers have disclosed.

Data from cybersecurity firm Censys, which was initially reported by Bleeping Computer, shows that 308 servers in the U.S. and 211 servers in Canada are currently impacted by the ransomware. That’s down from 362 U.S. servers and 240 Canadian servers as of Monday evening.

The U.S. and Canada continue to rank second and fourth, respectively, in terms of the countries hardest hit by the ESXiArgs ransomware campaign.

VMware noted that there’s a correlation between the cyberattacks and servers that are either at end-of-support or “significantly out-of-date.”

The OpenSLP service was disabled in ESXi in 2021 starting with ESXi 7.0 U2c and ESXi 8.0 GA, VMware said.

The company said Monday that it’s “advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” and that it also continues to recommend that customers disable the OpenSLP service in ESXi.

“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these accurate attacks,” the company said.

Organizations using older versions of VMWare ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed "End of General Support (EOGS) and/or significantly out-of-date products" continues.

However, the onslaught also points out wider problems in locking down virtual environments, the researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or "zero-day" flaw, but rather previously identified vulnerabilities that already have been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed "ESXiArgs" is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi, something VMware began doing by default in shipped versions of the project starting in 2021 with ESXi 7.0 U2c and ESXi 8.0 GA, to mitigate the issue.

Unpatched Systems Again in the Crosshairs

VMware's confirmation means that the attack by as-yet unknown perpetrators that's so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US may have been avoided by something that all organizations clearly need to do better — patch vulnerable IT assets — security experts said.

"This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in," notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It's a "sad truth" that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and security strategist for security exposure management firm Tenable.

"This puts organizations at incredible jeopardy of being successfully penetrated," he tells Dark Reading. "In this case, with the … VMWare vulnerability, the threat is immense given the active exploitation."

However, even given the risks of leaving vulnerable systems unpatched, it remains a complex issue for organizations to balance the need to update systems with the effect the downtime required to do so can have on a business, Montel acknowledges.

"The issue for many organizations is evaluating uptime, versus taking something offline to patch," he says. "In this case, the calculation really couldn’t be more straightforward — a few minutes of inconvenience, or days of disruption."

Virtualization Is Inherently a Risk

Other security experts don't believe the ongoing ESXi attack is as straightforward as a patching issue. Though lack of patching may solve the problem for some organizations in this case, it's not as simple as that when it comes to protecting virtualized environments in general, they note.

The fact of the matter is that VMware as a platform and ESXi in particular are complex products to manage from a security perspective, and thus easy targets for cybercriminals, says David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary. Indeed, multiple ransomware campaigns have targeted ESXi in the past year alone, demonstrating that savvy attackers recognize their potential for success.

Attackers get the added bonus with the virtualized nature of an ESXi environment that if they break into one ESXi hypervisor, which can control/have access to multiple virtual machines (VMs), "it could be hosting a lot of other systems that could also be compromised without any additional work," Maynor says.

Indeed, this virtualization that's at the heart of every cloud-based environment has made the task of threat actors easier in many ways, Montel notes. This is because they only have to target one vulnerability in one instance of a particular hypervisor to gain access to an entire network.

"Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything," he says. "If they are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection."

How to Protect VMware Systems When You Can't Patch

As the latest ransomware attack persists — with its operators encrypting files and asking for around 2 Bitcoin (or $23,000 at press time) to be delivered within three days of compromise or risk the release of sensitive data — organizations grapple with how to resolve the underlying issue that creates such a rampant attack.

Patching or updating any vulnerable systems immediately may not be entirely realistic, other approaches may need to be implemented, notes Dan Mayer, a threat researcher at Stairwell. "The truth is, there are always going to be unpatched systems, either due to a calculated risk taken by the organizations or due to resource and time constraints," he says.

The risk of having an unpatched system in and of itself may be mitigated then by other security measures, such as continuously monitoring enterprise infrastructure for malicious activity and being prepared to respond quickly and segment areas of attack if a problem arises.

Indeed, organizations need to act on the assumption that preventing ransomware "is all but impossible," and focus on putting tools in place "to lessen the impact, such as disaster recovery plans and context-switched data," notes Barmak Meftah, founding partner at cybersecurity venture capital firm Ballistic Ventures.

However, the ongoing VMware ESXi ransomware attack highlights another issue that contributes to an inherent inability for many organizations to take the necessary preventative measures: the skill and income gaps across the globe in the IT security realm, Mayer says.

"We do not have enough skilled IT professionals in nations where wealthy companies are targets," he tells Dark Reading. "At the same time, there are threat actors across the globe who are able to make a better living leveraging their skills to extort money from others than if they took legitimate cybersecurity work."

Mayer cites a report by the international cybersecurity nonprofit (ICS²) that said to secure assets effectively, the cybersecurity workforce needs 3.4 million cybersecurity workers. Until that happens, "we need to ramp up training these workers, and while the gap still exists, pay those with the skills around the world what they are worth, so they don’t turn to being part of the problem," Mayer says.

Dateline Moscow and Kyiv: Rectification of names.

Ukraine at D+348: Preparing for the first anniversary of the invasion. (CyberWire) Russia moves conscripts to assembly areas, and a dark web souk appears on Moscow's electronic billboards.

Russia-Ukraine war live: Moscow repeats warning that Nato countries supplying Kyiv with arms risks ‘unpredictable escalation’ (the Guardian) Russian defence minister accuses Nato of trying to ‘prolong the conflict’

Ukraine Warns Russia Is Planning Major Offensive (Wall Street Journal) Kyiv says Russia is amassing troops and Studying for a new push along the eastern front. This comes amid a signal that Ukraine may reshuffle in its military leadership following a corruption scandal.

Russia-Ukraine war: Wagner founder challenges Zelensky to a dogfight for control of Bakhmut (The Telegraph) The founder of Russia’s notorious Wagner mercenary group challenged Volodymyr Zelensky to a dogfight on Monday for the control of Bakhmut, as Ukraine braced for a renewed Russian offensive.

Ukraine releases video appearing to show Russian troops beating own wounded officer (the Guardian) Footage thought to show Wagner group fighters beating commander with what appear to be shovelsWarning: video contains footage that some viewers may find distressing

Austria’s About to supply Russia a Soapbox at the OSCE (Foreign Policy) Vienna will allow sanctioned Russian parliamentarians to attend the next big security meeting on the anniversary of Russia’s invasion of Ukraine.

Perspectives on Ukraine and the Russian Invasion (Global ECCO) Dr. Douglas Borer, Department of Defense Analysis at the US Naval Postgraduate School, asked Dr. Myerson some questions about the causes of the Russian war against Ukraine, the role of allies in Ukraine’s defense, and his perspective on how the war might end.

How Russia Decides to Go Nuclear (Foreign Affairs) Deciphering the way Moscow handles its ultimate weapon.

U.S. Leadership on Ukraine Is Increasing European Dependence (World Politics Review) Unwillingly and unintentionally, US leadership on Ukraine war policy is increasing Europe’s dependence. That could be a problem.

American conservatives are right behind Ukraine – but they want a better strategy than Biden’s (The Telegraph) The White House has been reactive, often only moving after significant Congressional and international pressure

Japan’s Long-Awaited Return to Geopolitics (Foreign Policy) Tokyo’s abandonment of its post-1945 security stance is another fallout from Russia’s war.

Analysis: Swiss neutrality on the line as arms-for-Ukraine debate heats up (Reuters) Switzerland is close to breaking with centuries of tradition as a neutral state, as a pro-Ukraine shift in the public and political mood puts pressure on the government to end a ban on exports of Swiss weapons to war zones.

The Deeper Reason Netanyahu Won’t Arm Ukraine Against Russia (Foreign Policy) Jerusalem’s ties to Moscow are partly about security. They’re also about illiberalism.

The Ukraine war is fuelling and obscuring cyberattacks (The National) The fighting is dominating the attention that might otherwise be given over to understanding the links between online threats and modern warfare

Darknet drug market BlackSprut openly advertises on billboards in Moscow (The Record from Recorded Future News) It's unclear why BlackSprut was able to buy the Moscow billboard space, but Russia is known for some permissiveness toward darknet groups.

Inside Safe City, Moscow’s AI Surveillance Dystopia (WIRED) Moscow promised residents lower crime rates through an expansive smart city project. Then Vladimir Putin invaded Ukraine.

Russia ends disclosure rules for officials, citing wartime secrecy needs (Washington Post) In the latest indication of expanded state secrecy in wartime Russia, President Vladimir Putin on Monday signed legislation that will exempt Russian lawmakers from a previous requirement that they disclose details of their income, expenses and property.

Russian Deficit Soars to $25 Billion on War Spending, Oil Embargo (Wall Street Journal) The government’s budget recorded its deepest deficit to start the year in more than a decade.

Attacks, Threats, and Vulnerabilities

Foreign states already using ChatGPT maliciously, UK IT leaders believe (CSO Online) Most UK IT leaders are concerned about malicious use of ChatGPT as research shows how its capabilities can significantly enhance phishing and BEC scams.

Ransomware Hits Unpatched VMware Systems: 'Send Money Within 3 Days' (Virtualization Review) Users who neglected to install security patches issued by VMware two years ago are now being hit by a big ransomware attack wave.

Massive ransomware attack targets VMware ESXi servers worldwide (CSO Online) Cybersecurity agencies globally — including in Italy, France, the US and Singapore — have issued alerts about a ransomware attack targeting the VMware ESXi hypervisor.

CISA steps up to help VMware ESXi ransomware victims (SC Media) CISA says any organization experiencing a cybersecurity incident tied to VMware ransomware campaigns should immediately report it to CISA or the FBI.

‘Massive’ new ESXiArgs ransomware campaign has compromised thousands of victims (The Record from Recorded Future News) Thousands of servers running an unpatched version of VMware's ESXi product are vulnerable to ESXiArgs ransomware, researchers say.

GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry (The Hacker News) South Korean and American e-commerce industries have been targeted by a GuLoader malware campaign.

Polygraph: Click Fraud Scammers Are Targeting Pay-Per-Click Affiliate Schemes (GlobeNewswire News Room) Pay-per-click affiliate schemes are vulnerable to sophisticated click fraud techniques....

Hackers hit Vesuvius, UK engineering company shuts down affected systems (Graham Cluley) Vesuvius, the London Stock Exchange-listed molten metal flow engineering company, says it has shut down some of its IT systems after being hit by a cyber attack.

British steel industry provider Vesuvius ‘currently managing cyber incident’ (The Record from Recorded Future News) Vesuvius Plc confirmed that the incident “involved unauthorized access to our systems,” but it did not provide further details.

Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419) (Rapid7) Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors. While all of the discovered issues are instances of CWE-79: Improper Neutralization of Input During Web Page Generation, in this disclosure, we have ordered them from most severe to least.

CyRC special report: Secure apps? Don’t bet on it (Application Security Blog) The Cybersecurity Research Center conducted a security analysis of the 10 most popular Android sports and betting apps.

Highmark Health Suffers Phishing Attack, 300K Individuals Impacted (Health IT Security) Highmark Health notified 300,000 individuals of a phishing attack that potentially compromised protected health information.

Cybersecurity Incident Under Investigation in Berkeley County Schools - 19,000 Students Have Day Off (WV MetroNews) More than 19,000 students got the day out of school in Berkeley County on Monday (February 06), but it was a workday for staff.  This after a cybersecurity incident in the district Friday. Berkeley County Schools sent out a message saying they are  investigating the “cause and scope.”

West Virginia students returning to class after days-long outage following cyberattack (The Record from Recorded Future News) Nearly 20,000 students in West Virginia were forced to miss classes on Monday due to a cyberattack that crippled their school.

MTU close Cork campuses after a 'significant' IT breach (Cork Beo) All full-time and part-time classes have been cancelled

Trends

Cybercrime Shows No Signs of Slowing Down (Dark Reading) Look for accurate trends in attacks, strategies, and vulnerabilities to continue gaining steam throughout 2023.

Cyber Apocalypse 2023: Is The World Heading For A ‘Catastrophic’ Event? (Forbes) According to the 2023 Global Cybersecurity Outlook from the World Economic Forum, the world is facing more and potentially catastrophic cyber-attacks. Here, we explore what that means.

Blog | Permiso 2022 - End of Year Observations () The Permiso p0 labs team provides an overview of what they have observed from the front lines of cloud attacks over 2022, and where they expect cloud attacks to head next!

DataDome’s Inaugural E-Commerce Holiday Bot & Online Fraud Report Reveals the US as the Top Source of Bot Attacks (DataDome) Study finds US generated 10 times the number of bot attacks compared to China, the second highest source during the 2022 holiday season.

State of the Cloud 2023 (Wiz) The Wiz Threat Research team looks back on the past year to highlight trends and the state of cloud usage based on visibility across our customer base.

Marketplace

IronNet Signs Contract to Enhance Cybersecurity of U.S. Navy’s Naval Sea Systems Command (NAVSEA) Following Successful Pilot Program (Business Wire) Agreement addresses cyber threats against the Defense Industrial Base (DIB) by using the IronNet Collective Defense℠ Platform to Strengthen threat visibility and anonymized intelligence sharing

Bitwarden Boosts FIDO Alliance Membership (Business Wire) Bitwarden, the leading open source password manager trusted by millions, today announced that it has expanded its partnership in the FIDO Alliance, an

Netsurion CRO John Addeo Honored on 2023 CRN Channel Chiefs List (GlobeNewswire News Room) Netsurion, a leading provider of managed XDR, today announced that CRN®, a brand of The Channel...

Sumo Logic SVP of Global Partners and Alliances Named as a 2023 CRN Channel Chief (GlobeNewswire News Room) Sumo Logic (NASDAQ: SUMO), the SaaS analytics platform to enable reliable and secure cloud-native...

Aqua Security’s Jeannette Lee Heung Named a 2023 CRN Channel Chief (GlobeNewswire News Room) Lee Heung was behind the Aqua Advantage partner program launch driving a surge in channel revenue...

Axis Channel Leader Nicholas Mirizzi Receives 2023 CRN Channel Chief Honor (PR Newswire) Axis, the leading innovator in Security Service Edge, today announced that CRN®, a brand of The Channel Company, has recognized Nicholas...

Jamie Hawkins of DH2i Honored as a 2023 CRN Channel Chief (DH2I) Recognized for Dedication, Innovative Strategies, and Programs That Have Driven Partner Success

Brillio Appoints Navneet Narula to Lead Global Banking and Financial Services Unit (CXOToday.com) Industry veteran tapped to turbocharge company’s burgeoning BFSI vertical    Brillio, a leading digital transformation services and solutions provider

Moti Gindi, Former CVP of Security Products at Microsoft, Joins Apiiro as Chief Product Officer (GlobeNewswire News Room) Moti, who built Microsoft Defender into a multi-billion dollar business, joins Apiiro to scale the growing business...

Folio Photonics Expands Engineering Leadership Team with the Appointment of Greg Kittilson as Vice President of Engineering (Business Wire) Announces Great Leap Forward with Newly Patented Systems and Methods for Increasing Data Rate and Storage Density in Multi-Layer Optical Discs

Products, Services, and Solutions

Cognni Launches AI-Powered Automated Infosec Risk Assessment Product (GlobeNewswire News Room) The new risk-assessment tool can scan all the data held by an organization in minutes and provide a detailed report on risks and the mitigation measures...

Cequence Security Enhances API Security Testing Capabilities (Business Wire) Cequence Security, the leading provider of Unified API Protection, today announced it has enhanced the testing capabilities within its Unified API Pro

Keyfactor Global Channel Program Hits New Milestones as Businesses Prioritize Machine Identity Management (Business Wire) Keyfactor appoints Michael de Paris as VP of EMEA Channels; SVP of Global Channel Joe Tong named to 2023 CRN Channel Chief List.

Cadien Cyber Response Launches to Deliver Incident Response & Complex Digital Forensics Services (Dark Reading) Cadien Cyber Response, a US-based incident response and complex digital forensics firm, formally launched operations today and unveiled its team of leading industry and government cyber experts focused on reactive services.

Baffle Makes Multi-Tenant Data Security for SaaS Providers Even Easier (GlobeNewswire News Room) Record-level Encryption Isolates Customer Data; BYOK Gives Customers Complete Control

How Parallel Loop Empowers Torq Users to Rapidly Automate Bulk Data Processing Up to 10x (Torq) Torq is proud to introduce Parallel Loop, a new capability that enables users to process bulk data from myriad security tools with unprecedented ease. It also provides the power of orchestration like no other automation tool in the security automation industry with true parallelism. That means multiple tasks can be run simultaneously, and optionally, on […]

Snyk Achieves FedRAMP “In Process” Milestone (GlobeNewswire News Room) With Expected FedRAMP Authorization, Snyk to Address Crucial Need for Developer Security in Public Sector

Coalfire Compliance Essentials Optimized for Automated Evidence Collection (PR Newswire) Global cybersecurity pioneer Coalfire announced today major innovations to its Compliance Essentials solution, including advanced automated...

Deepwatch Advances SecOps Platform to Detect and Contain Identity Threats (Business Wire) Introduces Managed Extended Detection and Response (MXDR) for Rapid Containment of Identity Compromise

Technologies, Techniques, and Standards

Agencies Seek Public Input on Updates to Guiding Plan for Cyber R&D (Nextgov.com) The document is updated once every four years.

How Artificial Intelligence is Changing the Spy Game (SpyCast) Mike Susong (Website, LinkedIn) joins Andrew (Twitter; LinkedIn) to discuss the impact and potential of AI on the intelligence field. Mike is a former CIA case officer who now oversees global intelligence for a risk management company.

Why Crowdsourced Security is Devastating to Threat Actors (Security Intelligence) See how crowdsourcing security is an effective tool against phishing and other cyber threats.

How to deal with sneaky spear phishing- and more - on Safer Internet Day (WatchGuard Technologies) In support of a safer Internet for all here are some insights on today’s most prevalent threats and what you can do to stay cyber secure. Follow our tips and protect yourself and your business.

Design and Innovation

Microsoft announces surprise event for tomorrow with Bing ChatGPT expected (The Verge) Microsoft won’t be streaming this event, though.

The Race to Build a ChatGPT-Powered Search Engine (WIRED) A search bot you converse with could make finding answers easier—if it doesn’t tell fibs. Microsoft, Google, Baidu, and others are working on it.

Google has unveiled its ChatGPT rival and is promising its will offer AI-powered search 'soon' (Silicon Valley Business Journal) Google is following through on CEO Sundar Pichai's promise last week to open up it AI tools to the public.

Google launches ChatGPT rival called Bard (BBC) Google is launching an Artificial Intelligence (AI) powered chatbot called Bard to rival ChatGPT.

Google Releases ChatGPT Rival AI ‘Bard’ to Early Testers (Bloomberg) Microsoft expected to announce ChatGPT integration into Bing search engine

Academia

The SANS Institute Reopens HBCU Cyber Academy Application Window to Address Growing Need for Cybersecurity Professionals (PR Newswire) The SANS Institute is proud to announce the reopening of the HBCU Cyber Academy application window from February 1, 2023 to March 1, 2023. The...

Legislation, Policy, and Regulation

Chinese hacking probably outweighs balloon, experts say (Washington Post) Don’t forget about Chinese hackers

Quad Joint Statement on Cooperation to Promote Responsible Cyber Habits (The White House) We the Quad partners of Australia, India, Japan, and the United States are launching a public campaign to Strengthen cyber security across our nations: the

Wikipedia unblocked in Pakistan after Prime Minister's intervention (TechCrunch) Pakistan has unblocked Wikipedia in the South Asian market, three days after the online encyclopedia was censored in the nation.

What CISOs need to know about the renewal of FISA Section 702 (CSO Online) Section 702 of the Foreign Intelligence Surveillance Act sets out the rules for the US intelligence community around gathering information abroad—but is it inadvertently being used at home too?

Let Section 230 Stay (The Information) Gonzalez v. Google, which the Supreme Court will hear this month, is the culmination of years of litigation. The action—a consolidation of lawsuits filed against Google, Twitter and Facebook—attempts to hold these platforms liable for their automated recommendation of content to users. Social ...

Biden taps experts in threat intel, networking and satellite cybersecurity for telecom advisory board (SC Media) The Biden administration appointed new leaders for the National Security Telecommunications Advisory Council, while adding a number of other notable tech and cybersecurity executives.

Litigation, Investigation, and Law Enforcement

China’s tech weapons roll in to quell demonstrations, identify protesters (The Record from Recorded Future News) At a time when an errant spy balloon has raised new questions about President Xi Jinping’s absolute control over all things Chinese, we take a look at how his regime quelled last year’s Covid protests and how an arsenal of digital weapons helped tighten his grip on power.

U.S. senators question Meta over Chinese, Russian access to Facebook data -statement (Reuters) A bipartisan pair of U.S. senators said on Monday they had sent a letter to Meta CEO Mark Zuckerberg questioning the company about documents that they say reveal that Facebook developers in China and Russia had access to user data.

Police hacked Exclu 'secure' message platform to snoop on criminals (BleepingComputer) The Dutch police announced on Friday that they dismantled the Exclu encrypted communications platform after hacking into the service to monitor the activities of criminal organizations.

Finnish psychotherapy extortion suspect arrested in France (Naked Security) Company transcribed ultra-personal conversations, didn’t secure them. Criminal stole them, then extorted thousands of vulnerable patients.

How Sam Bankman-Fried’s Psychiatrist Became a Key Player at Crypto Exchange FTX (Wall Street Journal) Hired as a coach at the crypto exchange, George Lerner was there for its dramatic downfall.

Politie leest opnieuw mee met criminelen (Politie) De politie en het Openbaar Ministerie in Nederland zijn er opnieuw in geslaagd toegang te krijgen tot data van een cryptocommunicatiedienst van criminelen en de afgelopen vijf maanden hun…

Eurocops shut down Exclu encrypted messaging app (Register) German and Dutch authorities say the app was a favorite of organized criminals and drug smugglers

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may Strengthen our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may Strengthen our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may Strengthen our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Cybercriminals are actively exploiting a two-year-old VMware vulnerability as part of a ransomware campaign targeting thousands of organizations worldwide.

Reports emerged over the weekend that VMware ESXi servers left vulnerable and unpatched against a remotely exploitable bug from 2021 were compromised and scrambled by a ransomware variant dubbed “ESXiArgs.” ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server.

France’s computer emergency response team CERT-FR reports that the cybercriminals have been targeting VMware ESXi servers since February 3, while Italy’s national cybersecurity agency ACN on Sunday warned of a large-scale ransomware campaign targeting thousands of servers across Europe and North America.

U.S. cybersecurity officials have also confirmed they are investigating the ESXiArgs campaign. “CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed,” a CISA spokesperson told TechCrunch. “Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”

Italian cybersecurity officials warned that the ESXi flaw could be exploited by unauthenticated threat actors in low-complexity attacks, which don’t rely on using employee passwords or secrets, according to the Italian ANSA news agency. The ransomware campaign is already causing “significant” damage due to the number of unpatched machines, local press reported.

More than 3,200 VMware servers worldwide have been compromised by the ESXiArgs ransomware campaign so far, according to a Censys search (via Bleeping Computer). France is the most affected country, followed by the U.S., Germany, Canada and the United Kingdom.

It’s not clear who is behind the ransomware campaign. French cloud computing provider OVHCloud backtracked on its initial findings suggesting a link to the Nevada ransomware variant.

A copy of the alleged ransom note, shared by threat intelligence provider DarkFeed, shows that the hackers behind the attack have adopted a “triple-extortion” technique, in which the attackers threaten to notify victims’ customers of the data breach. The unknown attackers are demanding 2.06 bitcoin — approximately $19,000 in ransom payments — with each note displaying a different bitcoin wallet address.

In a statement given to TechCrunch, VMware spokesperson Doreen Ruyak said the company was aware of reports that a ransomware variant dubbed ESXiArgs “appears to be leveraging the vulnerability identified as CVE-2021-21974” and said that patches for the vulnerability “were made available to customers two years ago in VMware’s security advisory of February 23, 2021.”

“Security hygiene is a key component of preventing ransomware attacks, and organizations who are running versions of ESXi impacted by CVE-2021-21974, and have not yet applied the patch, should take action as directed in the advisory,” the spokesperson added.

Updated with comment from CISA. 

© Provided by The Register

Beat Microsoft. Set agendas. Became essential. Hiked prices. Now we wait for Broadcom's reign

Special feature  In a decade of watching VMware, I've encountered two unverified but irresistible legends about the company.…

One is set in the very, very early days of the company, perhaps even before it opened for business. In this legend, IBM approaches VMware because Big Blue had sniffed the wind, realized x86 servers were going to be a huge market, and wanted to make sure it could bring virtualization to the platform. VMware showed x86 server virtualization was possible, but IBM didn't take matters further.

The second tale involves a meeting in the mid-2000s when then-CEO Diane Green was approached by Amazon.com to discuss what at the time seemed like a very odd request to acquire extraordinary quantities of the ESXi hypervisor on slightly funky terms.

In this story, VMware walked away… and Amazon decided to create its own cut of the open source Xen hypervisor to underpin what became Amazon Web Services.

I mention these stories because today, February 10, is VMware's 25th birthday.

How different might the company be at 25 had IBM engaged, or Amazon made it lord of the cloud? How different might all of enterprise computing be if IBM had prioritized x86 virtualization instead of persisting with its own platforms, or if hybrid cloud and public cloud had been intertwined from the very beginning?

We'll never know.

What we can state with certainty is that VMware at 25 is a singular success: few enterprise software companies ever reach its size or manage to thrive for so long.

Fewer still survive a full-on attack by Microsoft, which came hard at VMware hard in the late 2000s using its favorite tactic of replicating rival products then bundling them at very low cost.

Microsoft tried that with Hyper-V to make it an irresistible alternative to vSphere. But VMware, and its customers, resisted.

vSphere has been the world's server virtualization platform of choice ever since.

The company started life serving developers with a desktop hypervisor so they could more easily test their work in multiple environments. Virtualization was already well known at that time in the mainframe and Unix worlds, but virtual machines on x86 were exotic.

VMware stretched into server virtualization and made it impressively mature just in time to surf server sprawl and the great recession of 2008 that put IT budgets under the microscope.

EMC saw VMware's success in that era, and cunningly acquired it because it saw abstraction of IT resources as the future. The former storage giant was true to its word in allowing VMware to operate independently, even when that meant it pursued virtual storage that made EMC's arrays less relevant.

Virtual storage also made hyperconverged infrastructure possible, creating a welcome new architectural option. VMware next took sufficient strides into software-defined networking that the likes of Cisco and Juniper felt the need to make similar moves which changed their offerings significantly.

All server makers know doing business with VMware is essential, and Dell knew that must not be allowed to change once its acquisition of EMC gave it stewardship of the virtualization giant.

All clouds have embraced VMware as a partner they need if they're to offer a hybrid service users want.

So VMware grew and grew and grew, with revenue on track to crack $12 billion this financial year.

Virtzilla, as The Register likes to call it in homage to its dominance of server virtualization, has not been immune to controversy or error. It misstepped badly with price increases that came to be known as "vTax." In 2015 it paid a colossal fine for misleading pricing. In 2022 it wore an $8 million fine after being accused of shifting revenue into more convenient quarters to make its numbers look prettier.

The company has spent the better part of a decade trying to sort out its container strategy, and I know I'm not alone in thinking that the resulting Tanzu portfolio isn't its most coherent or mature offering. Plenty of players think they have a chance to steal VMware's future by claiming the containerization crown and making virtual machines a legacy afterthought.

In accurate years the company has also had some software quality problems, which will be tested as cybercriminals focus on its platforms like never before.

VMware users of my acquaintance grumble about price and bundling of weaker products alongside the essential vSphere and vCenter.

But few quit the company. And plenty participate in its user groups, which have generated a vivid and prolix blogosphere.

Current and former VMware staffers I spoke to for this piece talked about working for the company as a career highlight, often leading to enduring friendships that outlasted their time at the company.

VMware CEO Raghu Raghuram this week posted birthday wishes, and ended his post with: "VMware can celebrate 25 years of success, and look forward to a promising future."

That future will be as the flagship of Broadcom's software division, which last year agreed to acquire VMware for $61 billion. Regulatory necessity means Broadcom has not been able to say much of substance while it concludes the transaction, other than a string of assurances that it treasures VMware and won't upset its customers, partners or wider community.

But when I talk to those stakeholders, they remain nervous.

As should we all. Software companies of VMware's scale and significance are rare, and represent important counterweights to the even larger – and often more ruthless – players that Virtzilla has been able to evade for so long. ®

The MarketWatch News Department was not involved in the creation of this content.

Feb 12, 2023 (Stock Traders Daily via COMTEX) -- Stock Traders Daily has produced this trading report using a proprietary method. This methodology seeks to optimize the entry and exit levels to maximize results and limit risk, and it is also applied to Index options, ETFs, and futures for our subscribers. This report optimizes trading in Vmware (NYSE: VMW) with integrated risk controls.

The MarketWatch News Department was not involved in the creation of this content.