- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising the access to multiple VMware vCenter and ESXi servers.
- The actor claims to have access to 1000 VMWare vCenter, ESXi server instances of companies across the globe.
- CloudSEK Threat Intelligence Research team has been able to validate the claims mentioned in the post.
On 25 May 2021, a threat actor published a post on a dark web cybercrime forum, claiming to have gained unauthorized access to more than 1000 VMware vCenter and ESXi server instances of companies across industry verticals. This includes access to login credentials in plaintext of schools, network SDDC, gaming company, Hostinger servers, etc.
The actor claims that most companies have used default domains, making it hard to name the affected companies and that they have more than 100 active Virtual Machines running on their servers. The actor has also shared samples as proof of access.
[caption id="attachment_17594" align="aligncenter" width="794"]
Threat actor’s post on the cybercrime forum[/caption]
The threat actor joined the forum on 24 May 2021 and is relatively new to the forum. The actor purchased premium membership and has two threads advertising vCenter Server/ESXi accesses.
Information from HUMINT
CloudSEK’s reliable source connected with the threat actor who privately shared a list of affected entities including industries from different countries. The threat actor had also advertised these accesses publicly on the cybercrime forum but subsequently took it down. CloudSEK Threat Intelligence researchers have been able to confirm that none of the accesses advertised or shared with our reliable source are related to Indian banks.
VMWare vulnerabilities on underground forums (Update)
Highly reputed threat actors on underground forums actively looking for PoC exploits for VMware vulnerabilities including the following CVEs:
In addition, other threat actors are looking for partners to provide ESXi access.
- CVE-2020-4004: VMware ESXi vulnerability that allows attackers with local user privileges to execute code.
- CVE-2021-21974: vulnerability in ESXi OpenSLP that leads to remote code execution
- CVE-2020-4005: VMware ESXi vulnerability that leads to privilege escalation after chaining with other vulnerabilities.
- CVE-2019-5544: vulnerability in ESXi OpenSLP that leads to heap overwrite.
- CVE-2020-3992: vulnerability in ESXi OpenSLP that leads to remote code execution
Impact & Mitigation
- The actor claims to have access to plaintext login credentials, which could result in other forms of attacks targeting other hosts on the same virtual machine monitor.
- Attackers can leverage the access to plant different types of malicious files on the host, including ransomwares.
- Enable 2FA for login credentials, and observe password policy best practices.
- Restrict admin access to few users with custom roles for each type of user.
- Monitor privileges assigned to administrators.
- Restrict the access privileges to vCenter servers and databases depending on the type of user.
- Apply the latest patches and updates from vendors.