
France, Italy, Finland and other countries issue alerts urging immediate patching!
Previously: major cybersecurity incident alerts
- Changjietong vulnerability exploited by ransomware to attack domestic enterprises; MIIT vulnerability platform issues alert!
- Phishing email attacks from spoofed domestic mailboxes on the rise; MIIT issues alert
- Multiple key Italian government websites knocked offline by a new type of DDoS attack; the country's CERT issues warning
- Five Eyes cybersecurity authorities issue joint cybersecurity alert concerning Russia
February 7 report: European cybersecurity authorities are warning that ransomware attackers are "actively exploiting on a large scale" a VMware ESXi vulnerability that has been public for nearly two years.
The campaign has been named ESXiArgs because, after encrypting a file, the ransomware creates an additional file with the extension .args. Researchers say this file holds the information needed to decrypt the locked file.
Censys, a security data company, searched for and published the ransom notes, showing that thousands of servers in Europe and North America have been compromised. Austria's computer emergency response team also warned on Monday that "at least 3,762 systems" had been affected.
Italy, France, Finland, the United States and Canada are all reported to have been hit. The Associated Press reported that the ransomware attacks coincided with a major internet outage at Telecom Italia, and that the Italian prime minister's office issued a statement on the attacks.
1. The exploited vulnerability was disclosed two years ago, and PoC code has circulated widely
VMware describes ESXi as a "bare-metal hypervisor ... with direct access to and control of the underlying resources". That privileged position, which puts the disk files of every virtual machine on the host within reach, is exactly what lets an attacker who compromises one ESXi host destroy a large number of users' resources at once.
The exploited flaw is CVE-2021-21974, a heap overflow in ESXi's OpenSLP service (TCP port 427), for which VMware released patches in February 2021 under VMSA-2021-0002. Government agencies and cybersecurity experts are urging system administrators to update unpatched servers immediately; where a host cannot be patched right away, VMware's documented workaround is to disable the SLP service.
The flaw was originally discovered by Mikhail Klyuchnikov of Russian security firm Positive Technologies, a company that has been sanctioned by the U.S. Commerce Department for selling "cyber tools" to hacking groups.
There is no indication that Klyuchnikov's disclosure is connected to the Commerce Department sanctions or to the current ransomware campaign; VMware thanked Klyuchnikov by name when it confirmed the vulnerability.
Working proof-of-concept (PoC) exploits for CVE-2021-21974 have been public since May 2021, but it is not yet clear whether the ESXiArgs attacks use the same technique.
2. France, Italy, Finland and other countries issue alerts urging immediate patching
France's computer emergency response team (CERT-FR) issued an advisory last Friday warning of the ransomware attacks.
Italy's National Cybersecurity Agency said late Saturday that the vulnerability was being used to "spread ransomware".
Mathieu Feuillet, head of CERT-FR, said on Twitter that the team had received "a large number of reports related to this event" and stressed that it must be handled "urgently".
Julien Levrard, chief information security officer at French cloud provider OVHCloud, warned that the company's technical teams were continuing to detect ransomware attacks around the world.
Levrard said the OVHCloud team had initially believed the attacks were linked to the Nevada ransomware, but later found this to be a "false association"; no definitive attribution is possible at this time.
Finland's National Cyber Security Centre (Kyberturvallisuuskeskus) stressed that the security patch "should be installed immediately", warning that "given the massive scope of impact, servers that have not been updated have very likely been compromised already."
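The practical question for an administrator reading this is simple: is a given host running a build that contains the CVE-2021-21974 fix, and if not, is the SLP service at least switched off? The following triage script is an added example, not code from the article, from VMware, or from any of the agencies cited; it parses the output of `esxcli system version get` and `chkconfig --list` as collected from a host. The minimum patched build numbers are my reading of VMSA-2021-0002 and should be verified against the advisory before being relied on; the sample outputs are constructed for illustration, and the workaround commands are those from VMware's KB 76372.

```python
import re

# Minimum ESXi build per branch that contains the CVE-2021-21974 (OpenSLP) fix.
# ASSUMPTION: taken from my reading of VMSA-2021-0002; verify against the advisory.
PATCHED_BUILDS = {
    "7.0": 17325551,  # ESXi 7.0 Update 1c
    "6.7": 17499825,  # ESXi670-202102401-SG
    "6.5": 17477841,  # ESXi650-202102101-SG
}

# Workaround if patching must wait: stop SLP, block its firewall ruleset, keep it off at boot.
# Commands as documented in VMware KB 76372.
SLP_WORKAROUND = [
    "/etc/init.d/slpd stop",
    "esxcli network firewall ruleset set -r CIMSLP -e 0",
    "chkconfig slpd off",
]

def parse_version(text):
    """Parse `esxcli system version get` output into (branch, build), or None if unparseable."""
    ver = re.search(r"^\s*Version:\s*(\d+\.\d+)", text, re.M)
    build = re.search(r"^\s*Build:\s*Releasebuild-(\d+)", text, re.M)
    if not ver or not build:
        return None
    return ver.group(1), int(build.group(1))

def slp_enabled(chkconfig_text):
    """True if `chkconfig --list` shows slpd set to start at boot."""
    m = re.search(r"^\s*slpd\s+(on|off)\s*$", chkconfig_text, re.M)
    return m is not None and m.group(1) == "on"

def assess(version_text, chkconfig_text):
    """Classify a host as patched, vulnerable, or unpatched with the SLP workaround in place."""
    parsed = parse_version(version_text)
    if parsed is None:
        return {"status": "unknown", "reason": "could not parse esxcli output"}
    branch, build = parsed
    slp = slp_enabled(chkconfig_text)
    fixed = PATCHED_BUILDS.get(branch)
    # Branches not in the table (6.0 and older) never received a fix: treat as unpatched.
    patched = fixed is not None and build >= fixed
    if patched:
        status = "patched"
    elif not slp:
        status = "unpatched-slp-disabled"  # exposure closed, but still patch
    else:
        status = "vulnerable"
    result = {"status": status, "branch": branch, "build": build, "slp_enabled": slp}
    if status == "vulnerable":
        result["workaround"] = SLP_WORKAROUND
    return result

# Constructed sample outputs (not captured from any real host).
SAMPLE_OLD_67 = """\
   Product: VMware ESXi
   Version: 6.7.0
   Build: Releasebuild-17167734
   Update: 3
   Patch: 112
"""
SAMPLE_NEW_70 = """\
   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-19193900
   Update: 3
   Patch: 45
"""
CHKCONFIG_SLP_ON = "ntpd                    off\nslpd                    on\nsfcbd-watchdog          on\n"
CHKCONFIG_SLP_OFF = "ntpd                    off\nslpd                    off\nsfcbd-watchdog          on\n"

if __name__ == "__main__":
    for label, ver, chk in [("old 6.7, SLP on", SAMPLE_OLD_67, CHKCONFIG_SLP_ON),
                            ("old 6.7, SLP off", SAMPLE_OLD_67, CHKCONFIG_SLP_OFF),
                            ("7.0 U3, SLP on", SAMPLE_NEW_70, CHKCONFIG_SLP_ON)]:
        print(label, "->", assess(ver, chk))
```

Run it against the two command outputs collected from each host (for example via SSH in a loop over an inventory) and act on anything that is not `patched`: a build below the table value with slpd enabled is exactly the exposure this campaign is hitting. A build comparison is only meaningful within one branch, which is why the branch string is part of the lookup.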
This article was republished by Digital Transformation Network (www.szhzxw.cn); source: 安全内参; editor/translator: 数字化转型网宁檬树.

