Back in February 2021, I published a post titled "Is Your VMware vCenter Publicly Available?".
It is February 2023, and here we are again. A new widespread ransomware attack dubbed ESXiArgs is targeting publicly available ESXi hosts, using a vulnerability that was patched two years ago (CVE-2021-21974, a heap overflow in the OpenSLP service on ESXi).
For details, see Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide.
You really don’t want to wake up some day and see that your ESXi HTML Client has been replaced by a static web page, showing you how to pay the ransom…
For now it seems to be limited to publicly available ESXi hosts, but remember that the same technique and vulnerability also work from inside your perimeter firewall: any internal client that can reach the SLP port (TCP/UDP 427) on your hosts could be an attacker as well.
Lessons to be learned here?
- Don’t expose vCenter or ESXi hosts to the internet. No exceptions (except honeypots, of course).
- Ensure admin access (vCenter, ESXi and other management interfaces/APIs) is limited to the clients that need it and is properly secured (think zero trust, multi-factor authentication, etc.).
- Patch your stuff, and turn off services you don’t use: the SLP service this vulnerability lives in can be stopped on hosts that don’t need it.
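To make the last two lessons actionable, here is an added PowerCLI audit script (my example, not code from the original post or from VMware) that lists every ESXi host behind a vCenter with its version and build, whether the SLP daemon is running and set to start with the host, and whether the host firewall still allows SLP. With `-Remediate` it stops the service, keeps it stopped across reboots and closes the firewall rule. It assumes PowerCLI is installed and the account can change host configuration; the service key `slpd` and the firewall exception name `CIM SLP` are the names ESXi 6.x/7.x expose, but verify them in your own environment before relying on the script.

```powershell
# Added example, not from the original post: audit (and optionally disable) the
# ESXi SLP service behind CVE-2021-21974 on every host in a vCenter.
# Assumptions: VMware PowerCLI is installed; the account has host-configuration rights;
# the service key is 'slpd' and the firewall exception is named 'CIM SLP'
# (check with Get-VMHostService / Get-VMHostFirewallException on one host first).
param(
    [Parameter(Mandatory)] [string] $VCenter,
    [switch] $Remediate   # report only unless this switch is given
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $slp  = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'slpd' }
    $rule = Get-VMHostFirewallException -VMHost $vmhost -Name 'CIM SLP' -ErrorAction SilentlyContinue

    # One row per host; anything with SlpRunning or SlpFwEnabled = True needs attention.
    [pscustomobject]@{
        Host         = $vmhost.Name
        Version      = $vmhost.Version
        Build        = $vmhost.Build      # compare against the patched build for your release
        SlpRunning   = [bool]$slp.Running
        SlpPolicy    = $slp.Policy        # 'on' means it comes back at reboot
        SlpFwEnabled = [bool]$rule.Enabled
    }

    if ($Remediate -and $slp) {
        # Stop the daemon now, keep it off after reboot, and close the firewall rule.
        if ($slp.Running) { Stop-VMHostService -HostService $slp -Confirm:$false | Out-Null }
        Set-VMHostService -HostService $slp -Policy Off | Out-Null
        if ($rule -and $rule.Enabled) {
            Set-VMHostFirewallException -Exception $rule -Enabled:$false | Out-Null
        }
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without `-Remediate` and keep the output as your inventory; disabling `slpd` affects anything that relies on SLP discovery (CIM-based hardware monitoring, for example), so confirm nothing in your monitoring depends on it before running it again with the switch. Stopping the service reduces exposure but is not a substitute for installing the patch.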
To quote myself from two years ago:
To be blunt; there is simply no valid reason why your VMware vCenter, or ESXi hosts, should be available over the internet, none whatsoever. In fact, it shouldn’t even be available from non-admin clients in your local network, let alone via the internet. If that is the case in your environment, odds are that there are probably other big issues present in your infrastructure as well.