// Overview 

Amaru’s MDR is aware of an active ransomware campaign targeting unpatched VMware ESXi hosts facing the public internet. On February 3rd, 2023 the French National CERT first reported a threat actor campaign targeting VMware ESXi hypervisors with the aim of deploying ransomware. The initial access vector is CVE-2021-21974, a vulnerability that allows an attacker to remotely execute arbitrary code.

A patch for CVE-2021-21974 has been available since February 23, 2021. CVE-2021-21974 affects the following ESXi versions:
• ESXi 7.x versions earlier than ESXi70U1c-17325551
• ESXi versions 6.7.x earlier than ESXi670-202102401-SG
• ESXi versions 6.5.x earlier than ESXi650-202102101-SG

// What you should do 

Ensure that all patches available for ESXi hypervisors have been applied.
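One way to turn that step into a check, as an added example that is not part of this advisory or of any VMware tooling: the script below parses the banner that `vmware -vl` prints on an ESXi host (`VMware ESXi 7.0.1 build-17325551`) and compares the build number against the patched release for that line. The 7.x threshold (17325551) comes from the version list above; the 6.7 and 6.5 thresholds are assumed build numbers for the ESXi670-202102401-SG and ESXi650-202102101-SG bundles and should be confirmed against VMware's release notes before use. The hostnames and banners are constructed sample input.

```python
import re

# Minimum patched build per ESXi release line.
# 7.0: taken from the advisory (ESXi70U1c-17325551).
# 6.7 / 6.5: the advisory names only the patch bundles; these build numbers
# are ASSUMPTIONS to verify against VMware's release notes.
FIXED_BUILDS = {
    "7.0": 17325551,
    "6.7": 17499825,  # assumed build of ESXi670-202102401-SG
    "6.5": 17477841,  # assumed build of ESXi650-202102101-SG
}

# Matches the first line of `vmware -vl`, e.g. "VMware ESXi 7.0.1 build-17325551".
BANNER_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)* build-(\d+)")


def parse_banner(banner):
    """Return (release_line, build) from a `vmware -vl` banner line."""
    match = BANNER_RE.search(banner)
    if not match:
        raise ValueError(f"unrecognised ESXi banner: {banner!r}")
    return match.group(1), int(match.group(2))


def assess(banner):
    """Classify one host as 'patched', 'vulnerable' or 'unknown' for CVE-2021-21974."""
    line, build = parse_banner(banner)
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        # Release lines outside the advisory's list (e.g. 8.x) are not assessed here.
        return "unknown", f"ESXi {line} build {build} is not in the advisory's affected list"
    if build >= fixed:
        return "patched", f"ESXi {line} build {build} >= fixed build {fixed}"
    return "vulnerable", f"ESXi {line} build {build} < fixed build {fixed}; apply the patch"


def triage(hosts):
    """Map hostname -> status for a dict of hostname -> banner."""
    return {host: assess(banner)[0] for host, banner in hosts.items()}


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_HOSTS = {
    "esx-prod-01": "VMware ESXi 7.0.1 build-17325551",
    "esx-prod-02": "VMware ESXi 7.0.0 build-16324942",
    "esx-lab-01": "VMware ESXi 6.7.0 build-17499825",
    "esx-legacy-01": "VMware ESXi 6.5.0 build-13932383",
    "esx-new-01": "VMware ESXi 8.0.0 build-20513097",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_HOSTS.items():
        status, detail = assess(banner)
        print(f"{host:<14} {status:<10} {detail}")
```

A build-number comparison only tells you whether the host carries the patched image; it says nothing about whether the host was already compromised before patching, so hosts that report "vulnerable" and are exposed to the internet should also be reviewed for signs of post-exploitation activity.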

// What Amaru MDR (Managed Detection and Response) is doing 

For customers subscribed to our MDR service, we are continuing to perform threat hunts to identify potential indicators of related suspicious activity and signs of post-exploitation tactics. We will notify you should any suspicious or malicious behaviour be observed in your estate.

Amaru MDR is continuing to monitor private and public threat intelligence.

// References 


