ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack

5/06/2021

Malicious actors are actively mass scanning the internet for vulnerable VMware vCenter servers that are unpatched against a critical remote code execution flaw, which the company addressed late last month.

The ongoing activity was detected by Bad Packets on June 3 and corroborated yesterday by security researcher Kevin Beaumont. “Mass scanning activity detected from 104.40.252.159 checking for VMware vSphere hosts vulnerable to remote code execution,” tweeted Troy Mursch, chief research officer at Bad Packets.
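The mass-scanning behaviour Bad Packets describes above (one source address probing many hosts in quick succession) is something a defender can look for in their own reverse-proxy or vCenter access logs. The script below is an added example, not code from the article, Bad Packets or VMware: the log line format, the `/ui/` path, the `example.test` host names, and the five-hosts-in-five-minutes threshold are constructed assumptions; the only value taken from the article is the scanning source address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). The format is an assumption:
# "<ISO timestamp> <source ip> <destination host> <method> <path> <status>".
# 104.40.252.159 is the scanning address named in the article; everything else
# here is made up for the example.
SAMPLE_LOG = """\
2021-06-03T10:00:01Z 104.40.252.159 vc01.example.test GET /ui/ 200
2021-06-03T10:00:02Z 104.40.252.159 vc02.example.test GET /ui/ 200
2021-06-03T10:00:02Z 104.40.252.159 vc03.example.test GET /ui/ 404
2021-06-03T10:00:03Z 104.40.252.159 vc04.example.test GET /ui/ 200
2021-06-03T10:00:03Z 104.40.252.159 vc05.example.test GET /ui/ 404
2021-06-03T10:00:04Z 104.40.252.159 vc06.example.test GET /ui/ 200
2021-06-03T10:05:00Z 192.0.2.10 vc01.example.test GET /ui/ 200
2021-06-03T10:05:30Z 192.0.2.10 vc01.example.test POST /ui/login 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group(2),
        "host": m.group(3),
        "method": m.group(4),
        "path": m.group(5),
        "status": int(m.group(6)),
    }


def find_mass_scanners(log_text, window=timedelta(minutes=5), min_hosts=5):
    """Flag source IPs that reach at least `min_hosts` distinct destination
    hosts within any sliding time window of length `window`.

    Returns {source_ip: max distinct hosts seen in one window} for flagged
    sources only. Ordinary users tend to hit one or two vCenter hosts; a
    scanner sweeps many of them in seconds.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)

    flagged = {}
    for src, evs in per_src.items():
        best, left = 0, 0
        for right in range(len(evs)):
            # Slide the left edge until the window fits.
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            distinct = {e["host"] for e in evs[left:right + 1]}
            best = max(best, len(distinct))
        if best >= min_hosts:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in find_mass_scanners(SAMPLE_LOG).items():
        print(f"possible scanner {src}: {n} distinct vCenter hosts in one window")
```

On the constructed sample the sweep from 104.40.252.159 is flagged with six distinct hosts, while the second address, which only talks to one host, is not. In practice the threshold and window should be tuned to the size of the vCenter estate, and the alert is most useful when correlated with which hosts are still unpatched.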

The development follows the publication of a proof-of-concept (PoC) RCE exploit code targeting the VMware vCenter bug.

Tracked as CVE-2021-21985 (CVSS score 9.8), the issue is a consequence of a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which could be abused by an attacker to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server.

VMware fixed the flaw on May 25, and the company strongly urged its customers to apply the emergency change immediately. “In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” VMware said.

This is not the first time adversaries have opportunistically mass scanned the internet for vulnerable VMware vCenter servers. A similar remote code execution vulnerability (CVE-2021-21972) that was patched by VMware in February became the target of cyber threat actors attempting to exploit and take control of unpatched systems.

At least 14,858 vCenter servers were found reachable over the internet, according to Bad Packets and Binary Edge.

What’s more, new research from Cisco Talos earlier this week found that the threat actor behind the Python-based Necro bot wormed its way into exposed VMware vCenter servers by abusing the same security weakness to boost the malware’s infection propagation capabilities.
