The attack now in progress is a ransomware attack, in which cybercriminals enter systems through an infected link or phishing email and encrypt data of the enterprise. VMWare ESXi virtualization systems are very popular and used by many companies, and a compromise of these systems could have disruptive impacts on critical services such as banking or healthcare. That's because virtualization systems underpin most enterprise information systems, bypassing downstream application protections and entering directly into upstream systems.
Ransomware is a type of malware that prevents access to data on a computer using encryption. The goal is to obtain a ransom payment in exchange for decrypting data. These attacks are purely extortionate and do not aim to erase or disseminate data, but simply to prevent access to it. However, they can have serious consequences for businesses and individual users, as their personal data (common and sensitive) could be resold to third parties, disseminated, lost forever, or held hostage for a long time, causing economic and reputational damage, as well as the risk of facing penalties provided by law.
The current attack is directed against VMware ESXi servers and is targeting companies in Europe and North America. The National Agency for Information Security (ACN) in Italy has invited companies using these VMware products to upgrade immediately in order to avoid becoming victims of this cybercrime campaign.
According to ANSA, in addition to servers in Italy, hackers have also targeted those located in France, Finland, the United States and Canada. In Italy, entities in the public and private sectors have already been affected.
In the United States, cybersecurity authorities are also analyzing incoming reports. The Cybersecurity and Infrastructure Security Agency (CISA) is working with its public and private partners to assess the impacts of these incidents and provide assistance where needed.
A VMware representative confirmed that hackers are exploiting a vulnerability discovered in early 2021 and corrected in February of the same year. The company has also asked its customers to immediately apply the "patch", which have been available for years.
According to a report published by The Stack, more than 500 companies were affected by this campaign, which was effectively a ransomware attack. Companies in France have been the hardest hit, with the French government's cybersecurity incident response team, CERT-FR, describing the attack as semi-automated and targeting servers vulnerable to CVE-2021-21974.
The vulnerability, described as an OpenSLP HeapOverflow vulnerability, allows cybercriminals to execute code remotely. It is currently unknown which ransomware group initiated the attack and which encoder was used, but it is estimated that about 20 servers are affected every hour.
In this context, it is of paramount importance that companies take the right precautions to protect the security of their data and computer systems. A first measure is to monitor any vulnerabilities in the software used, and then promptly apply available security patches.
But there is more. In order to have an adequate protection, it is also important to rely on experienced cybersecurity consultants who can provide an assessment of the risks and vulnerabilities, as well as any measures to be taken to prevent them, as well as having qualified legal support to assist these processes.
In case companies suffered a ransomware attack, they should immediately seek the help of competent technicians and a lawyer specialized in cyber law to assess their options.
Firstly, it is important to check if there has been a data breach and, if so, follow the appropriate legal procedures to protect their own data and customer information.
Second, it is necessary to understand whether there are any legal obligations related to reporting the data breach to third parties, such as customers or relevant authorities.
In addition, it will be important to determine if there are any policies governing the use of data and how such contracts or policies may affect the legal situation.
Finally, the company will have to consider whether or not to accept paying the requested ransom, taking into account the legal risks and potential long-term effects on corporate reputation.