VMware vulnerability exploited to spread RansomExx ransomware

According to research, the cybercriminal group behind the RansomExx ransomware is now exploiting known bugs in VMware ESXi, including CVE-2019-5544 and CVE-2020-3992, to spread the malware into multiple virtual machines that share the same hard drive storage. If you are not aware, CVE-2020-3992 was discovered in the OpenSLP feature of VMware ESXi in November last year.

ESXi is a hypervisor that partitions processors, storage, memory and networking resources into multiple virtual machines (VMs). The vulnerability was caused by the implementation of OpenSLP in ESXi, which contains a use-after-free (UAF) bug; UAF bugs typically arise from incorrect handling of dynamically allocated memory during a program's operation.

If a program does not clear the pointer to a memory location after freeing it, cybercriminals can abuse that dangling pointer for malicious purposes. According to VMware security researchers, an attacker with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite or corrupt the heap of the OpenSLP service through CVE-2019-5544, resulting in remote code execution.

Both CVE-2019-5544 and CVE-2020-3992 could let cybercriminals on the same network send malicious SLP requests to vulnerable ESXi devices and, through these flaws, gain control over them. It is not only the RansomExx gang: the Babuk Locker ransomware gang is also carrying out attacks based on a similar scenario. So, if you or your company uses VMware ESXi devices, install the security patches released to fix these two flaws immediately. You can also prevent exploitation of these bugs by disabling SLP support.
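The SLP workaround mentioned above, as an added audit script for an ESXi host (example code written for this article, not VMware's own). It assumes the service and firewall ruleset names from VMware's published SLP workaround (slpd, CIMSLP on port 427, KB 76372) and is meant to be run in the ESXi shell as root; the parsing helpers also work offline on captured command output.

```shell
#!/bin/sh
# Audit, and optionally disable, the OpenSLP service on an ESXi host.
# Added example, not VMware's code. Assumes the commands from VMware's
# SLP workaround (KB 76372): /etc/init.d/slpd, chkconfig slpd, and the
# CIMSLP firewall ruleset that opens TCP/UDP 427.

# Read `esxcli network firewall ruleset list` output on stdin and print
# "true"/"false" for the CIMSLP ruleset, or "unknown" if it is absent.
cimslp_state() {
    awk '$1 == "CIMSLP" { print tolower($2); found = 1 }
         END { if (!found) print "unknown" }'
}

# Read `chkconfig --list` output on stdin; print "on" if slpd is set
# to start at boot, "off" if not, "unknown" if the line is missing.
slpd_boot_state() {
    awk '$1 == "slpd" { print tolower($2); found = 1 }
         END { if (!found) print "unknown" }'
}

# A host still exposes SLP if the firewall ruleset is open OR the daemon
# is configured to start on the next boot. $1 = CIMSLP, $2 = boot state.
slp_exposed() {
    [ "$1" = "true" ] || [ "$2" = "on" ]
}

# Apply the workaround: stop slpd now, close the ruleset, and keep slpd
# from starting again at boot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Only query the host when the ESXi tooling is actually present.
if command -v esxcli >/dev/null 2>&1; then
    fw=$(esxcli network firewall ruleset list | cimslp_state)
    boot=$(chkconfig --list | slpd_boot_state)
    if slp_exposed "$fw" "$boot"; then
        echo "SLP exposed (CIMSLP=$fw, slpd at boot=$boot)"
        [ "${1:-}" = "--disable" ] && disable_slp
    else
        echo "SLP disabled (CIMSLP=$fw, slpd at boot=$boot)"
    fi
fi
```

Run it without arguments to report, or with `--disable` to apply the workaround; patching remains the proper fix.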

Cybercriminals exploit the bugs to spread ransomware like RansomExx

Ransomware developers are known to exploit bugs in networks, computers and software, or other vulnerabilities, to inject ransomware such as RansomExx, Babuk and other harmful ransomware into targeted systems or networks. In this type of campaign they target enterprises and organizations.

As mentioned, CVE-2019-5544 and CVE-2020-3992 are the two vulnerabilities in VMware ESXi that cybercriminals and ransomware developers have exploited to attack ESXi devices and networks. VMware's patches fix these vulnerabilities; by applying them, ESXi users can protect their devices from ransomware and other attacks.