Active exploitation of a critical remote code execution vulnerability in VMware vCenter Server

In October 2023 VMware disclosed a critical vulnerability, discovered by a Trend Micro Zero Day Initiative researcher, in VMware vCenter Server, the centralized management platform for vSphere environments that is used to manage ESXi hosts and virtual machines. The vulnerability, tracked as CVE-2023-34048 (CVSS 9.8), is an out-of-bounds write in vCenter's implementation of the DCE/RPC protocol. An unauthenticated attacker with network access to vCenter can trigger it with specially crafted requests to execute arbitrary code and take full control of the platform, with no user interaction required. Cybolt warned about this vulnerability in Alert 2023-06. In January 2024, almost three months later, VMware confirmed that the vulnerability is being exploited in the wild in multiple attacks. Given the seriousness of the situation, VMware has released security patches even for versions that have reached end of general support (vCenter Server 6.5 and 6.7).

It has also been reported that threat actors are taking control of exposed VMware servers and selling that access on cybercrime forums to ransomware groups.
Many ransomware operations, including Royal, Black Basta, LockBit, RTM Locker, Qilin, ESXiArgs, Monti and Akira, among others, now target victims' VMware ESXi hosts directly, encrypting virtual machine files and demanding large ransoms. Control of vCenter gives an attacker a path to every ESXi host it manages, which is what makes this vulnerability so attractive to them.

Internet exposure scans show more than 2,200 vCenter Server instances currently reachable online, a number of them in Mexico, which represents a very high latent risk.

Where patching is not immediately possible, there is no in-product workaround: VMware's only recommendation is strict control of network perimeter access to all vSphere management components and interfaces, including related components such as networking and storage. VMware specifically names ports 2012/TCP, 2014/TCP and 2020/TCP as the ones an attacker could use to exploit this vulnerability, so these must never be reachable from untrusted networks.
If your organization has had an unpatched vCenter Server exposed to the Internet, assume it has probably already been compromised and hunt for signs of compromise, not only on the vCenter host itself but across the rest of the network.
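The following script is an added example, not part of the Cybolt alert or any VMware tooling. It shows how to turn the perimeter-control advice above into a check: given perimeter firewall logs, it flags every connection to a vCenter host on the DCE/RPC ports VMware names (2012, 2014, 2020) that did not originate from an approved management network, and lists the sources that were actually allowed through, since those are the hosts the compromise hunt should start from. The log line format, the vCenter address (10.10.0.5) and the management networks are constructed assumptions for the example; port 443 is added to the watch list as an assumption of good practice (it is the vCenter UI/API, not part of the CVE).

```python
"""Flag access to vCenter DCE/RPC ports from outside the management network.

Added example (not from Cybolt, VMware or BleepingComputer). The firewall log
format, the vCenter address and the management ranges below are constructed
assumptions; the DCE/RPC port list is the one VMware names for CVE-2023-34048.
"""
import ipaddress
import re

# Ports VMware names as exploitable for CVE-2023-34048 (vCenter DCE/RPC).
VCENTER_DCERPC_PORTS = {2012, 2014, 2020}
# Assumption: 443 (vCenter UI/API) is not part of the CVE but is watched too.
VCENTER_MGMT_PORTS = VCENTER_DCERPC_PORTS | {443}

# Assumptions for this example: where vCenter lives and who may manage it.
VCENTER_HOSTS = {ipaddress.ip_address("10.10.0.5")}
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24"),
                 ipaddress.ip_network("192.168.50.0/24")]

# Constructed, syslog-like firewall log format (not any vendor's real format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw action=(?P<action>ALLOW|DENY) proto=tcp "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-01-18T09:12:01Z fw action=ALLOW proto=tcp src=10.10.0.23:51022 dst=10.10.0.5:443
2024-01-18T09:12:07Z fw action=ALLOW proto=tcp src=203.0.113.44:40112 dst=10.10.0.5:2012
2024-01-18T09:12:07Z fw action=ALLOW proto=tcp src=203.0.113.44:40113 dst=10.10.0.5:2014
2024-01-18T09:12:08Z fw action=ALLOW proto=tcp src=203.0.113.44:40114 dst=10.10.0.5:2020
2024-01-18T09:13:40Z fw action=DENY proto=tcp src=198.51.100.9:55000 dst=10.10.0.5:2012
2024-01-18T09:14:02Z fw action=ALLOW proto=tcp src=192.168.50.7:60011 dst=10.10.0.5:2012
2024-01-18T09:15:00Z fw action=ALLOW proto=tcp src=203.0.113.44:40120 dst=10.10.0.9:22
"""


def is_management_source(ip):
    """True if the source address belongs to an approved management network."""
    return any(ip in net for net in MGMT_NETWORKS)


def find_exposure(log_text):
    """Return one finding per connection to a vCenter management port from a
    non-management source. ALLOW findings mean the perimeter control failed;
    DENY findings show someone probing the DCE/RPC ports."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown format: skip rather than guess
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if dst not in VCENTER_HOSTS or dport not in VCENTER_MGMT_PORTS:
            continue  # not vCenter, or not a management port
        if is_management_source(src):
            continue  # legitimate management traffic
        findings.append({
            "ts": m["ts"], "src": str(src), "dport": dport,
            "action": m["action"], "dcerpc": dport in VCENTER_DCERPC_PORTS,
        })
    return findings


def sources_that_reached_dcerpc(findings):
    """Sources that were ALLOWED through to a DCE/RPC port. Exploitation was
    possible from these, so treat vCenter as potentially compromised and
    pivot the hunt (and the rest of the network) around these addresses."""
    return sorted({f["src"] for f in findings
                   if f["action"] == "ALLOW" and f["dcerpc"]})


if __name__ == "__main__":
    results = find_exposure(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['action']:5} {f['src']} -> tcp/{f['dport']}")
    print("sources that reached DCE/RPC ports:", sources_that_reached_dcerpc(results))
```

Run it against real perimeter logs by replacing SAMPLE_LOG and the regular expression with your firewall's format; the decision logic (vCenter host, watched port, non-management source) stays the same. A single ALLOW hit on 2012, 2014 or 2020 from an untrusted address is enough to justify treating the vCenter as compromised, exactly as the paragraph above recommends.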

Sources:

Cybolt Alert 2023-06

Bleeping Computer
