02-25-2021 , 11:54 PM
After security researchers have developed and published proof-of-concept (PoC) exploit code targeting a critical vCenter remote code execution (RCE) vulnerability, attackers are now actively scanning for vulnerable Internet-exposed VMware servers.
The scanning activity was spotted by threat intelligence company Bad Packets just one day after VMware patched the critical vulnerability.
Thousands of unpatched vCenter servers are still reachable over the Internet, according to information provided by BinaryEdge (over 14,000 exposed servers) and Shodan (over 6,700).
Mikhail Klyuchnikov of Positive Technologies found the bug (CVE-2021-21972) during the fall of 2020 and reported it privately to VMware in October 2020.
Positive Technologies delayed releasing all the technical details to a later date to give companies enough time to patch their vCenter servers or block public access to them.
However, they decided to publish yesterday after at least two PoC exploits for the unauthorized RCE bug were released and hackers started mass scanning for unpatched servers.
We've detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).
Query our API for "tags=CVE-2021-21972" for relevant indicators and source IP addresses. #threatintel
— Bad Packets (@bad_packets) February 24, 2021
Critical RCE with public PoC exploits
Successful exploitation of this security bug allows attackers to take over an organization's entire network, given that VMware vCenter servers are used by IT admins to manage VMware solutions deployed across their enterprise environments via a single console.
"The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin," VMware explained.
"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server."
As the company further added, the impacted vCenter Server plugin for vRealize Operations (vROps) is present in all default installations.
VMware issued a security update this week, on Tuesday, and rated the security vulnerability with an almost maximum severity rating of 9.8 out of 10.
VMware also provides a workaround designed to remove the possibility of exploitation for admins who cannot immediately update.
Detailed steps on implementing the workaround can be found in VMware's KB82374 support document.
Underscoring the importance of patching vulnerable vCenter servers and of not exposing them to the Internet, VMware vulnerabilities have been exploited in the past in ransomware attacks targeting enterprise networks.
Multiple ransomware gangs, including RansomExx, Babuk Locker, and Darkside, have used VMware ESXi pre-auth RCE exploits to encrypt ESXi instances' virtual hard disks used as centralized enterprise storage space, as ZDNet reported last year.
Source