Feb 7, 2023 - Technology

What to know about the VMware server attacks

Illustration: Rae Cook/Axios

A ransomware campaign exploiting VMware servers around the world sent security personnel into a fury over the weekend.

Driving the news: Reports started to surface late last week detailing a "global ransomware hacking attack," as Reuters described it, targeting a years-old vulnerability in VMware's popular ESXi servers.

  • Ransomware gangs appear to be targeting a vulnerability that VMware patched two years ago — limiting the potential impact to only those who missed that system update.
  • French and Italian officials, among others, issued alerts late last week and over the weekend warning about an active ransomware campaign targeting unpatched servers.

Why it matters: Roughly 2,400 VMware ESXi servers have been hit with the ransomware worldwide, according to BleepingComputer.

  • The largest number of affected servers is in France, followed by the U.S. and Germany, per Reuters.
  • VMware says it has more than 400,000 customers, and it has cited figures saying analysts believe that 80% of virtualized workloads run on VMware technology.

What they're saying: A spokesperson at the Cybersecurity and Infrastructure Security Agency told Axios the agency is working "to assess the impacts of these reported incidents and providing assistance where needed."

  • A VMware spokesperson said the ransomware attacks appear to be targeting "end-of-general-support or significantly out-of-date products by leveraging known vulnerabilities previously addressed and disclosed in VMware security advisories."

Between the lines: Now is the time for companies to assess whether they use this specific VMware product — and if so, to immediately patch their systems, Avi Sinai, vice president of research and development at Israeli cloud security firm Perimeter 81, told Axios.

  • "Hundreds of vulnerabilities are found every day. If you have time to patch your servers, then you're good," Sinai said. "If not ... you must patch as soon as possible. Otherwise, even junior hackers can find a way to hack your system and then ask for ransom."

The intrigue: VMware's ESXi servers allow people to host virtualized, cloud-based computers on physical devices, giving them access to multiple operating systems via one server.

  • While moving to the cloud has been hailed as a surefire way to protect organizations, the current ransomware attack is an example of the security downfalls if administrators don't know how to properly patch or manage their cloud networks, Sinai added.

Be smart: Each organization running cloud computing infrastructure should establish a regular patching schedule so that years-old, already resolved security vulnerabilities cannot be exploited in the same way.
