source link: https://siliconangle.com/2023/02/08/cisa-fbi-releases-recovery-script-vmware-exsi-servers-targeted-ransomware/

CISA and FBI releases recovery script for VMware EXSi servers targeted by ransomware


The U.S. Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation have released a free recovery script in response to a widespread ransomware campaign targeting unpatched installations of VMware Inc.’s ESXi.

VMware Inc. and government agencies in Europe warned of the ransomware attacks earlier this week, saying that a malicious actor was targeting a vulnerability in VMware ESXi servers that was patched in 2021. The issue is a heap overflow vulnerability in the OpenSLP service used by ESXi, affecting certain builds of versions 6.5, 6.7 and 7.0 of the software.

Two years after the patch was released, some VMware ESXi users have not applied the patch or upgraded their software. VMware noted that the attacks are targeting installations that are generally at the end of general support or significantly out of date.

The new ESXiArgs recovery script, available on GitHub, allows organizations that have fallen victim to ESXiArgs ransomware to attempt to recover their files. In an alert today, CISA said that more than 3,800 ESXi servers are now believed to be compromised globally.

The script doesn’t seek to delete encrypted config files but instead tries to create new config files that restore access to the affected virtual machines. Any organization considering using the ESXiArgs recovery script is warned to review it carefully and determine whether it is appropriate for their environment before deploying it.

The quickness of the response by CISA and the FBI is undoubtedly welcome, but there’s a reason why it was relatively simple for them to code the script: The ransomware didn’t encrypt all data files.

“We got lucky this time,” Morten Gammelgard, executive vice president EMEA at ransomware protection company BullWall A/S, told SiliconANGLE. “The attackers failed to encrypt the flat data files where the data for virtual disks are stored. While these recent attacks on VMware servers were only partially successful, it highlights the issues with protecting the entire attack surface and maintaining perfect cyber hygiene. The next attack may work better and successfully encrypt all files and perhaps next time a rescue script will not be available.”
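The recovery described above works only because the flat data files survived while the config files were encrypted. The following is an added example, not the CISA/FBI script and not VMware code: a read-only triage tool that walks a datastore directory and reports, per virtual disk, whether the flat data file is present and whether its descriptor file is still a readable plaintext descriptor. It assumes the standard ESXi naming convention (`name-flat.vmdk` holds the disk data, `name.vmdk` is the small descriptor/config file) and that the descriptor is the config file that would need to be recreated; the sample datastore it builds in a temporary directory is constructed for the demonstration. It changes nothing on disk, so it is safe to run before deciding whether a recovery script applies to an environment.

```python
"""Triage which virtual disks still have intact flat data files.

Added example (not the CISA/FBI ESXiArgs recovery script). It inventories a
datastore directory and flags disks whose flat data file survives but whose
descriptor is missing or no longer a plaintext descriptor, i.e. the disks a
descriptor-recreation approach could plausibly help. Read-only.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Tuple

# Every plaintext VMDK descriptor begins with this header line.
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"
FLAT_SUFFIX = "-flat.vmdk"


@dataclass
class DiskStatus:
    vm_dir: str
    disk_name: str
    flat_present: bool        # flat data file exists and is non-empty
    descriptor_state: str     # "ok", "missing" or "not_descriptor"


def classify_descriptor(path: Path) -> str:
    """Return "ok" if the file starts with the descriptor header,
    "missing" if absent, "not_descriptor" if the header is gone
    (e.g. the file was overwritten with ciphertext)."""
    if not path.exists():
        return "missing"
    with path.open("rb") as fh:
        head = fh.read(len(DESCRIPTOR_MAGIC))
    return "ok" if head == DESCRIPTOR_MAGIC else "not_descriptor"


def scan_datastore(root: Path) -> List[DiskStatus]:
    """Find every *-flat.vmdk under root and check its sibling descriptor."""
    results = []
    for flat in sorted(root.rglob("*" + FLAT_SUFFIX)):
        disk_name = flat.name[: -len(FLAT_SUFFIX)]
        descriptor = flat.with_name(disk_name + ".vmdk")
        results.append(DiskStatus(
            vm_dir=flat.parent.name,
            disk_name=disk_name,
            flat_present=flat.stat().st_size > 0,
            descriptor_state=classify_descriptor(descriptor),
        ))
    return results


def recoverable(statuses: List[DiskStatus]) -> List[DiskStatus]:
    """Disks with surviving data but a missing/unreadable descriptor."""
    return [s for s in statuses
            if s.flat_present and s.descriptor_state != "ok"]


def _descriptor_text(disk_name: str) -> bytes:
    # Minimal plaintext descriptor for the constructed sample.
    return (b"# Disk DescriptorFile\nversion=1\nCID=fffffffe\n"
            b"parentCID=ffffffff\ncreateType=\"vmfs\"\n\n"
            b"# Extent description\nRW 8 VMFS \"" +
            disk_name.encode() + FLAT_SUFFIX.encode() + b"\"\n")


def build_sample_datastore() -> Path:
    """Constructed sample: three VMs in a temp dir (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="datastore-"))
    # web01: healthy, descriptor intact.
    d = root / "web01"; d.mkdir()
    (d / "web01-flat.vmdk").write_bytes(b"\x00" * 4096)
    (d / "web01.vmdk").write_bytes(_descriptor_text("web01"))
    # db01: flat file intact, descriptor overwritten with opaque bytes
    # (a constructed stand-in for an encrypted config file).
    d = root / "db01"; d.mkdir()
    (d / "db01-flat.vmdk").write_bytes(b"\x00" * 4096)
    (d / "db01.vmdk").write_bytes(bytes(range(200, 256)))
    # app02: flat file intact, descriptor missing entirely.
    d = root / "app02"; d.mkdir()
    (d / "app02-flat.vmdk").write_bytes(b"\x00" * 4096)
    return root


def demo() -> Tuple[Dict[str, Tuple[bool, str]], List[str]]:
    """Scan the constructed datastore; return per-disk status and the
    names of disks a descriptor-recreation approach could help."""
    statuses = scan_datastore(build_sample_datastore())
    summary = {s.disk_name: (s.flat_present, s.descriptor_state)
               for s in statuses}
    return summary, [s.disk_name for s in recoverable(statuses)]


if __name__ == "__main__":
    status, candidates = demo()
    for name, (flat_ok, desc) in status.items():
        print(f"{name:8} flat={'yes' if flat_ok else 'NO':3} descriptor={desc}")
    print("candidates for descriptor recreation:", candidates)
```

Point `scan_datastore()` at a real datastore mount to get the same inventory; disks reported as `not_descriptor` with `flat=yes` are the case the article describes, and disks where the flat file itself is missing or empty are ones no descriptor-recreation script can bring back.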

Image: CISA
