VMSA-2021-0002 and cryptolocker Nevada


Userlevel 7
Badge +8

Hey everyone, 

There has been a huge attack in progress since today; some cloud providers have been impacted.

Arnaud de Bermingham on Twitter: "🚨 To everyone: If you're using ESXi 6.x, update IMMEDIATELY, a cryptolocker is spreading fast!" / Twitter

VMSA-2021-0002 (vmware.com)

The French cybersecurity agency will soon publish an alert on this subject.

Have a great weekend,


20 comments

Userlevel 7
Badge +20

Thanks for sharing this.   Made my VMware team aware. 👍🏼

Userlevel 7
Badge +7

Thanks for the heads up @BertrandFR 

Userlevel 7
Badge +8

Fresh article in english from OVH:

Ransomware targeting VMware ESXi  - OVHcloud Blog

Edit1: Campagne d'exploitation d'une vulnérabilité affectant VMware ESXi ("Exploitation campaign of a vulnerability affecting VMware ESXi") – CERT-FR (ssi.gouv.fr). Use your browser's translate function, sorry :(

Userlevel 7
Badge +8

Update: not officially confirmed, but maybe NVD - CVE-2022-31699 (nist.gov) and/or VMSA-2022-0030 (vmware.com) have been used too.

Be aware of the weekend's news.

Userlevel 2
Badge

I received a call 15 min ago. One of my customers was attacked

Userlevel 7
Badge +14

Will be interesting to get all the details. VMSA-2021-0002 is over 2 years old and all environments should already have received the patches.

Userlevel 7
Badge +20

Having used OVH in the past, they put the VMKernel onto WAN by default with management enabled, and how I wish people would secure that 😔 even outside ESXi you can enable OVH’s firewall to block external access to this except via specific IP addresses.

 

Feels like their deployment templates should at least be trying to default restrict access to the ESXi management to a smaller scope than the whole web 😆

Userlevel 7
Badge +20

Will be interesting to get all the details. VMSA-2021-0002 is over 2 years old and all environments should already have received the patches.

Unfortunately, most people using services like OVH aren't then using any shared storage between the hosts, so they're less likely to have a vCenter managing them, if they have multiple, and even less likely to do proper patching as a result, as it'd be bringing all VMs down.

Userlevel 7
Badge +8

Having used OVH in the past, they put the VMKernel onto WAN by default with management enabled, and how I wish people would secure that 😔 even outside ESXi you can enable OVH’s firewall to block external access to this except via specific IP addresses.

 

Feels like their deployment templates should at least be trying to default restrict access to the ESXi management to a smaller scope than the whole web 😆

Only dedicated hosts have been impacted, indeed the security of the machines is the responsibility of the customer… Another good example that the cloud is not magic.

Userlevel 7
Badge +14

Any hoster like OVH should at least apply security best practices and scan the customer environments for vulnerabilities. At least that's my opinion, as I wouldn't want to host spam relays, botnets, etc.

Userlevel 7
Badge +11

Thx for sharing @BertrandFR !

Userlevel 7
Badge +8

Any hoster like OVH should at least apply security best practices and scan the customer environments for vulnerabilities. At least that's my opinion, as I wouldn't want to host spam relays, botnets, etc.

Not sure it will cost money, nothing is free...

Userlevel 7
Badge +13

Well, the CVEs were from February 2021 and have been patched since that month.

Only ESXi > 6 and < 6.7.

It uses open port 427, so only the servers exposed on the WAN on that port are vulnerable to this worldwide attack.

For those infected, a researcher has created a guide to recover encrypted VMs:

https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/#:~:text=For%20those%20affected%2C%20security%20researcher%C2%A0Enes%20Sonmez%C2%A0created%20a%20guide%20that%20may%20allow%20admins%20to%20rebuild%20their%20virtual%20machines%20and%20recover%20their%20data%20for%20free.

 

Direct link:

Decrypt CVE-2020-3992

On this link there's a detailed tech analysis of this type of attack.

Userlevel 7
Badge +7

For people who need to decrypt VMDKs affected by CVE-2020-3992, you could use the tutorial linked by @marcofabbri: https://enes.dev/

But be careful there are some new variants:
https://www.helpnetsecurity.com/2023/02/06/nevada-ransomware-upgraded-locker/


Resecurity has identified a new version of Nevada ransomware which recently emerged on the Dark Web right before the start of 2023.

Userlevel 7
Badge +20

Well, we are all good for patching for this one which is a relief.  😁

Userlevel 7
Badge +14

Any hoster like OVH should at least apply security best practices and scan the customer environments for vulnerabilities. At least that's my opinion, as I wouldn't want to host spam relays, botnets, etc.

Not sure it will cost money, nothing is free...

Hosting vulnerable software and applying bad security practices damages your reputation and therefore also costs money 😉

Userlevel 7
Badge +14

Here's a short response from VMware on the attacks: https://blogs.vmware.com/security/2023/02/83330.html

VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks. Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed

So, to summarize:

  • Don't leave critical vulnerabilities unpatched
  • Don't use End of Life software
  • Don't open critical services to the internet

Userlevel 7
Badge +7

More here: https://www.theregister.com/2023/02/06/esxi_ransomware_campaign/

CISA has made a decryption tool available here: https://www.cisa.gov/uscert/ncas/current-activity/2023/02/07/cisa-releases-esxiargs-ransomware-recovery-script

 

Userlevel 7
Badge +20

Came here to share this, you beat me to it 👏

 

As for OVH’s reputation @regnor, you saw the massive DC fire the other year right? 😬

Userlevel 7
Badge +8

FYI:

Global Ransomware Attack on VMware EXSi Hypervisors Continues to Spread (darkreading.com)
