Critical Alert for VMware vSphere, ESXi Users

Summary

A post on a cybercrime forum is advertising access to multiple VMware vCenter and ESXi servers.

Category: Adversary Intelligence
Affected Industries: Multiple
Affected Region: Global
 

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum advertising access to multiple VMware vCenter and ESXi servers.
  • The actor claims to have access to 1000 VMware vCenter and ESXi server instances belonging to companies across the globe.
  • CloudSEK Threat Intelligence Research team has been able to validate the claims mentioned in the post.
 

Attribution

On 25 May 2021, a threat actor published a post on a dark web cybercrime forum, claiming to have gained unauthorized access to more than 1000 VMware vCenter and ESXi server instances of companies across industry verticals. This includes plaintext login credentials for schools, a network SDDC, a gaming company, Hostinger servers, etc. The actor claims that most of the affected companies use default domains, which makes it hard to name them, and that they have more than 100 active virtual machines running on their servers. The actor has also shared samples as proof of access.

Figure: Threat actor’s post on the cybercrime forum

The threat actor joined the forum on 24 May 2021 and is relatively new to it. The actor purchased a premium membership and has two threads advertising vCenter Server/ESXi accesses.

Analysis

Information from HUMINT
CloudSEK’s reliable source connected with the threat actor who privately shared a list of affected entities including industries from different countries. The threat actor had also advertised these accesses publicly on the cybercrime forum but subsequently took it down. CloudSEK Threat Intelligence researchers have been able to confirm that none of the accesses advertised or shared with our reliable source are related to Indian banks.
VMware vulnerabilities on underground forums (Update)
Highly reputed threat actors on underground forums are actively looking for PoC exploits for VMware vulnerabilities, including the following CVEs:
  • CVE-2020-4004: VMware ESXi vulnerability that allows attackers with local user privileges to execute code.
  • CVE-2021-21974: vulnerability in ESXi OpenSLP that leads to remote code execution.
  • CVE-2020-4005: VMware ESXi vulnerability that leads to privilege escalation when chained with other vulnerabilities.
  • CVE-2019-5544: vulnerability in ESXi OpenSLP that leads to a heap overwrite.
  • CVE-2020-3992: vulnerability in ESXi OpenSLP that leads to remote code execution.
In addition, other threat actors are looking for partners to provide ESXi access.

Impact & Mitigation

Impact

  • The actor claims to have access to plaintext login credentials, which could enable further attacks against other hosts on the same virtual machine monitor.
  • Attackers can leverage the access to plant different types of malicious files on the host, including ransomware.

Mitigation

  • Enable 2FA for logins, and observe password policy best practices.
  • Restrict admin access to a few users, with custom roles for each type of user.
  • Monitor the privileges assigned to administrators.
  • Restrict access privileges to vCenter servers and databases depending on the type of user.
  • Apply the latest patches and updates from vendors.
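The two mitigations about limiting and monitoring administrator privileges can be checked against a vCenter permission export. The following script is an added example, not CloudSEK's or VMware's code; it assumes a CSV with the columns Principal, Role, Entity and Propagate (the shape you get from PowerCLI's Get-VIPermission piped to Export-Csv), that the built-in administrator role is named "Admin", and that the inventory root entity is "Datacenters". The allow-list of expected root administrators and the sample export are constructed for illustration.

```python
"""Audit a vCenter permission export for over-privileged accounts (added example)."""
import csv
import io

# Constructed sample export; not real data. Column names are assumed.
SAMPLE_EXPORT = """Principal,Role,Entity,Propagate
VSPHERE.LOCAL\\Administrator,Admin,Datacenters,True
CORP\\vsphere-admins,Admin,Datacenters,True
CORP\\jsmith,Admin,Datacenters,True
CORP\\backup-svc,VMware Consolidated Backup user,Datacenters,True
CORP\\helpdesk,ReadOnly,Datacenters,True
CORP\\lab-user,Admin,LabCluster,True
"""

# Hypothetical allow-list: principals expected to hold Admin at the inventory root.
EXPECTED_ROOT_ADMINS = {"VSPHERE.LOCAL\\Administrator", "CORP\\vsphere-admins"}
INVENTORY_ROOT = "Datacenters"   # assumed root entity name
ADMIN_ROLE = "Admin"             # assumed name of the built-in administrator role


def parse_permissions(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_admin_permissions(rows, expected=EXPECTED_ROOT_ADMINS, root=INVENTORY_ROOT):
    """Flag Admin grants that are not on the allow-list, plus propagating
    Admin grants below the root (they silently widen the blast radius)."""
    findings = []
    admins = set()
    for r in rows:
        if r["Role"] != ADMIN_ROLE:
            continue
        admins.add(r["Principal"])
        propagates = r["Propagate"].strip().lower() == "true"
        if r["Entity"] == root and r["Principal"] not in expected:
            findings.append(f"unexpected root Admin: {r['Principal']}")
        elif r["Entity"] != root and propagates:
            findings.append(f"propagating Admin below root: {r['Principal']} on {r['Entity']}")
    return {"admin_count": len(admins), "findings": findings}


if __name__ == "__main__":
    result = audit_admin_permissions(parse_permissions(SAMPLE_EXPORT))
    print(f"{result['admin_count']} principals hold the Admin role")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run it periodically against a fresh export and alert on any new finding, which gives you the "monitor privileges assigned to administrators" control in practice.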
