Ransomware attacks on VMware ESXi hypervisors are becoming increasingly common, as cyber criminals target the virtualization layer that organizations use to run their IT infrastructure. In these attacks the intruders gain access to the hypervisor host itself, typically through an exposed management service, SSH or stolen administrator credentials, and encrypt the files that make up the virtual machines on its datastores (the .vmdk virtual disks and .vmx configuration files). Because the encryption runs on the host rather than inside a guest, every VM on that host is taken down at once. The attackers then demand a ransom from the victim in exchange for the decryption key.

One of the reasons ESXi hypervisors are attractive targets for ransomware attackers is consolidation: a single host runs many virtual machines holding the data and applications an organization depends on, so one compromised host can halt dozens of services at once. If such an attack succeeds, the impact on the victim's ability to conduct business is immediate and severe.

CVE-2021-21974 is a security vulnerability in the OpenSLP service that ships with the VMware ESXi hypervisor; it is not a vCenter Server flaw. OpenSLP listens on TCP and UDP port 427 on the host's management network. An attacker who can reach that port can exploit the vulnerability without authentication, take control of the hypervisor and, from there, reach every virtual machine it runs, steal data, or launch further attacks into the environment.

The vulnerability is a heap overflow in OpenSLP, disclosed by VMware in advisory VMSA-2021-0002 in February 2021, and it was widely reported as the entry point of the ESXiArgs ransomware campaign in early 2023. It affects ESXi 6.5, 6.7 and 7.0 hosts that have not received the corresponding patch and that have the SLP service enabled and reachable. The vSAN Health Check plug-in flaw it is sometimes confused with is a separate vCenter Server issue (CVE-2021-21985) with its own remediation.

To mitigate the risk of exploitation, organizations should update ESXi to a build that includes the fix for CVE-2021-21974 (the patch bundles named in VMSA-2021-0002: ESXi 7.0 Update 1c, ESXi670-202102401-SG and ESXi650-202102101-SG) or, where patching must wait, disable the SLP service on each host as described in VMware KB 76372. ESXi management interfaces, including port 427, should never be exposed to the internet and should be reachable only from trusted administrative networks. Network-level controls such as firewalls and intrusion detection and prevention systems reduce the chance that an exposed host is found and exploited in the first place.
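The following script is an added example and is not part of the original post or of any VMware tooling. It classifies a host's build against the fixed builds from VMSA-2021-0002 and, on an unpatched host, applies the KB 76372 workaround of stopping SLP. The build numbers in fixed_build are the fixed builds as I recall them from the advisory and should be checked against the current advisory text; the esxcli, chkconfig and /etc/init.d/slpd commands are the ones documented in KB 76372, and the `vmware -v` banner format is assumed to be "VMware ESXi 7.0.1 build-17325551".

```shell
#!/bin/sh
# Added example (not from the original post): classify an ESXi host's build
# against the fixed builds VMware shipped for CVE-2021-21974 (VMSA-2021-0002)
# and apply the vendor workaround of disabling SLP when the host is unpatched.
# The build numbers below are the fixed builds as I recall them from the
# advisory; verify them against the current advisory before relying on them.

# fixed_build RELEASE -> minimum build that carries the OpenSLP fix, or empty
fixed_build() {
    case "$1" in
        7.0*) echo 17325551 ;;   # ESXi70U1c-17325551
        6.7*) echo 17499825 ;;   # ESXi670-202102401-SG
        6.5*) echo 17477841 ;;   # ESXi650-202102101-SG
        *)    echo "" ;;         # 6.0 and older are out of support, not covered
    esac
}

# slp_status RELEASE BUILD -> patched | vulnerable | unsupported | unknown
slp_status() {
    release=$1
    build=$2
    case "$build" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # not a numeric build number
    esac
    min=$(fixed_build "$release")
    if [ -z "$min" ]; then
        echo unsupported
    elif [ "$build" -ge "$min" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# parse_release "VMware ESXi 7.0.1 build-17325551" -> "7.0.1"
parse_release() {
    echo "$1" | awk '{print $3}'
}

# parse_build "VMware ESXi 7.0.1 build-17325551" -> "17325551"
parse_build() {
    echo "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p'
}

# disable_slp: vendor workaround from VMware KB 76372. Stops the SLP daemon,
# closes its firewall ruleset (TCP/UDP 427) and keeps it from starting at boot.
# Only meaningful in the ESXi shell itself, so bail out if esxcli is missing.
disable_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found; run this in the ESXi shell" >&2
        return 1
    fi
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    # Print the ruleset so the operator can confirm it now reads Enabled: false
    esxcli network firewall ruleset list -r CIMSLP
}

# On a real host, read the version banner and act on it. The `vmware` binary
# is absent anywhere else, so this part is skipped outside ESXi.
if command -v vmware >/dev/null 2>&1; then
    banner=$(vmware -v)
    status=$(slp_status "$(parse_release "$banner")" "$(parse_build "$banner")")
    echo "$banner: $status"
    if [ "$status" = vulnerable ]; then
        disable_slp
    fi
fi
```

Run it from the ESXi shell over SSH on each host, or feed `vmware -v` output collected by your inventory tooling into slp_status to find hosts still below the fixed build. Disabling SLP only removes this one exposure; the hosts still need the patch, and the management network still needs to be closed off.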

To mitigate the risk of a ransomware attack on VMware ESXi hypervisors, organizations can take the following steps:

  1. Implement proper network security measures, such as firewalls and intrusion detection and prevention systems, and keep ESXi and vCenter management interfaces off the internet
  2. Ensure that ESXi, vCenter and all other software are up to date with the latest security patches, and disable unneeded services such as SLP on hosts that do not use them
  3. Implement strong authentication and access controls for the hypervisor hosts and vCenter, not only for the virtual machines, since ESXi ransomware runs on the host itself
  4. Implement robust backup and disaster recovery procedures, with backups kept offline or immutable and restores tested regularly, to minimize the impact of a ransomware attack
  5. Regularly train employees to recognize and report phishing attacks, which are often the initial entry point that leads to ransomware.

Conclusion:

CVE-2021-21974 is a serious security vulnerability that allows an unauthenticated attacker with network access to port 427 to compromise an ESXi host and, through it, every virtual machine the host runs. Organizations using ESXi should patch to a fixed build immediately, disable SLP where patching is not yet possible, and keep management networks isolated to reduce their risk of exploitation.

It is also important to note that no single solution provides complete protection against ransomware. By combining patching, network isolation, strong access controls, tested backups and user awareness, however, organizations can substantially reduce their risk of falling victim to a ransomware attack on their VMware ESXi hypervisors.

By Michael

The writer of Infohaunt is a cyber security professional with experience in SOC operations, threat management, incident response, threat hunting and digital forensics.