What do we know?
Adversary: Unknown, likely Criminal Actor/s
Initial Access Vector: Unknown/Unproven
Impact: ~3K+ Hosts have had Remote Code Execute and their ESXi logon pages changed (plus had encryption routines run to encrypt virtual machines, with varying success). A Second encryption routine has been deployed to some hosts; the threat actor is expanding/changing capabilities.
Risk: Further impact, Additional Threat Actors Exploit the vulnerability
What should people do?
- Review for unauthorized access.
- If found, isolate, contain and eradicate threat. There is a link to CISA guidance/script in references
- Patch, harden and reduce attack surface of ESXi infrastructure.
Potential Attack Surface
To generate a view on potential risk and attack surface, I’ve taken a set of data from Shodan. I’ve enumerated each IP and each specific build string, I’ve then categorized these against an excel sheet I made from the build data from VMware. There will be some variables here, and this doesn’t cover off port exposures (at this time) but it does show there are a lot of builds that are not “up to date” in the wild and exposed to the internet (what about inside networks?)