The Resurrection of CVE-2021-21974: The Ransomware Attack on VMware ESXi Hypervisors that Doesn’t Seem to Go Away

An old vulnerability has recently been making waves in the world of cybersecurity, and that is the catchily named CVE-2021-21974. The ransomware attack that exploits a vulnerability in VMware ESXi hypervisors has reportedly hit over 500 machines this past weekend. Shodan data indicates that many of the affected servers were initially hosted in OVHcloud, but the blast radius appears to be constantly expanding.

So serious is the outbreak that it has gained the attention of CERT-FR (the French government center for monitoring, alerting and responding to computer attacks), which has issued an advisory warning of the vulnerability. This is its first advisory of 2023, preceded only by a Fortinet SSL-VPN issue announced in December 2022.

But the biggest problem is that the CVE was originally issued two years ago, when researchers at Trend Micro discovered and reported the vulnerability to VMware. That is two years in which organizations did not patch and upgrade their servers to mitigate this vulnerability.

Why is CVE-2021-21974 a concern?

The researchers discovered that vCenter Server, the centralized management platform for VMware, was susceptible to an attacker executing arbitrary code with privileged levels of access. The vCenter Server is the beating heart of a company’s virtual infrastructure. It is the place where administrators go to manage virtual machines, networks, storage, and more.

By exploiting this vulnerability, an attacker could potentially gain access to sensitive information, disrupt operations, and cause significant damage to an organization's virtual infrastructure. While VMware took steps to address this exploit, it required manual intervention by administrators to install and deploy the fix.

How does this exploit work, and how can you stay protected?
This exploit follows the traditional hallmarks of the ransomware attack chain. Let’s walk through what that looks like for enterprises with and without Cato.

Step 1) Initial access

Without Cato: Legacy networks provide users with access to the complete network. As such, attackers have a wide range of attack vectors to gain initial access to the network and then to move laterally and attack the VMware vCenter Server. Vectors include phishing attacks, network intrusion, or exploitation of another vulnerability.

With Cato: Cato implements a zero-trust access model, which restricts a user’s resource access and decreases the attack surface. It is no longer sufficient for attackers to gain initial access to the network; they must gain access to a user or machine that itself has access to vCenter Server. Cato’s ZTNA includes constant device and user assessment, user access control and posture checks to ensure that initial access is not possible. If someone attempts to click on a phishing link, Cato’s SWG and FWaaS can detect, block, and log this connection, ensuring that your perimeter always remains secure.

Step 2) Exploitation

Without Cato: The attacker exploits the vulnerability in the vCenter Server by sending a specially crafted request to the server. This request contains malicious code that the attacker wants to execute on the vCenter Server. Sometimes this is done via vulnerability chaining (using one vulnerability to expose another), while at other times a single exploit is enough.

With Cato: Should an attacker gain access to a machine with access to the vCenter Server, exploiting the vulnerability will still be impossible. Our security engines, including our IPS, identify and block the malicious code before the server can even be compromised. To be clear, even though the server has not yet been patched and, in theory, would be vulnerable, Cato mitigates the attack surface without you having to do anything.
And, yes, Cato does protect against CVE-2021-21974. We have for years.

Step 3) Code execution

Without Cato: Upon receiving the request, the vCenter Server processes it, which causes the malicious code to be executed on the server. This allows the attacker to execute arbitrary code with the privileges of the vCenter Server.

With Cato: This phase is bypassed, as we have blocked the attacker from gaining access to the network, as well as blocking any malicious traffic. In the rare event that a machine was compromised with ransomware while not being protected by Cato, our converged security solutions would prevent the lateral movement of malware throughout your network (north/south and east/west) while also providing insight into this risk within the Cato Management Application.

Step 4) Data theft or disruption

Without Cato: The attacker can now access sensitive information stored on the vCenter Server or disrupt operations within the virtual infrastructure. The attacker could potentially steal sensitive information, disrupt virtual machines, deploy ransomware or even completely shut down the virtual infrastructure.

With Cato: Information is secure, as Cato has stopped every step of the attack lifecycle prior to this stage. However, if someone has compromised a device in a way that has not been caught, Cato’s DLP capabilities will prevent exfiltration and theft of sensitive information.

What’s your choice?

This CVE is one of thousands that appear in the cybersecurity landscape every week, against hundreds of vendors. If you’re a network or security practitioner who is responsible for managing a large stack of servers, which option would you choose to ensure your network doesn’t get breached?
Do you want to spend a large portion of your life chasing patches and securing vulnerabilities, deploying packages and making sure every hole of your leaking ship has been plugged?  Or should you adopt a converged stance for networking and security, and allow Cato Networks to protect you at each step of the attack cycle with minimal involvement required?  I know which option I would want....  To learn more about CVE-2021-21974 and other goodies, check out this episode of CyberTalk, our video series dedicated to raising cybersecurity awareness everywhere. 
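The four-step chain above only starts if a management host is running an unpatched build and is reachable from more of the network than it needs to be; the post's own point is that many hosts sat unpatched for two years with management interfaces visible from the Internet. As an added illustration (not code from the original post, from Cato or from VMware), the following Python script triages a hypervisor inventory by exactly those two properties. Every inventory record and the FIXED_BUILDS table are constructed placeholders; the real fixed build numbers for each release line come from the vendor advisory and are not taken from this page.

```python
"""Patch-and-exposure triage for a hypervisor fleet (added illustration).

Ranks hosts by two properties that decide whether the attack chain in the
post can even begin: is the installed build older than the fixed build for
its release line, and how widely is the management interface reachable?

Every record below is CONSTRUCTED. FIXED_BUILDS is a placeholder table:
fill it from the vendor advisory for CVE-2021-21974 before real use.
"""
from dataclasses import dataclass
from typing import Dict, List

# PLACEHOLDER values (assumption, not from the page or the vendor advisory).
FIXED_BUILDS: Dict[str, int] = {
    "6.5.0": 17000000,
    "6.7.0": 17100000,
    "7.0.1": 17200000,
}

# How much of the network can reach the management interface. Unknown
# exposure labels are treated as the worst case.
EXPOSURE_WEIGHT: Dict[str, int] = {"mgmt_vlan": 1, "corporate_lan": 2, "internet": 3}


@dataclass(frozen=True)
class Host:
    name: str
    release: str   # release line, e.g. "6.7.0"
    build: int     # numeric build of the installed image
    exposure: str  # one of the EXPOSURE_WEIGHT keys


def is_patched(host: Host, fixed: Dict[str, int] = FIXED_BUILDS) -> bool:
    """True when the installed build is at or above the fixed build.

    A release line missing from the table fails closed: it is reported as
    unpatched so that end-of-life hosts are not silently skipped.
    """
    needed = fixed.get(host.release)
    return needed is not None and host.build >= needed


def risk_score(host: Host, fixed: Dict[str, int] = FIXED_BUILDS) -> int:
    """0 for a patched host; otherwise the exposure weight, plus 1 when the
    release line has no known fixed build at all."""
    if is_patched(host, fixed):
        return 0
    score = EXPOSURE_WEIGHT.get(host.exposure, max(EXPOSURE_WEIGHT.values()))
    if host.release not in fixed:
        score += 1
    return score


def triage(hosts: List[Host], fixed: Dict[str, int] = FIXED_BUILDS) -> List[dict]:
    """Unpatched hosts, highest risk first, each with a human-readable reason."""
    findings = []
    for host in hosts:
        score = risk_score(host, fixed)
        if score == 0:
            continue
        needed = fixed.get(host.release)
        reason = (f"build {host.build} < fixed build {needed}" if needed
                  else f"release {host.release} has no fixed build (unsupported?)")
        findings.append({
            "name": host.name,
            "score": score,
            "reason": f"{reason}; management reachable from {host.exposure}",
        })
    return sorted(findings, key=lambda f: (-f["score"], f["name"]))


# CONSTRUCTED inventory: names, builds and exposures are made up for the demo.
CONSTRUCTED_INVENTORY: List[Host] = [
    Host("esx-ovh-01", "6.7.0", 17000500, "internet"),          # unpatched, exposed
    Host("esx-dc-02", "7.0.1", 17325000, "mgmt_vlan"),          # patched
    Host("esx-lab-03", "6.5.0", 16000000, "mgmt_vlan"),         # unpatched, contained
    Host("esx-legacy-04", "6.0.0", 15000000, "corporate_lan"),  # unknown release line
]

if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_INVENTORY):
        print(f'[{finding["score"]}] {finding["name"]}: {finding["reason"]}')
```

Two design choices matter here. A release line that is absent from the fixed-build table is reported as unpatched rather than skipped, because an end-of-life host that never received a fix is the one most likely to be forgotten. And exposure is weighted separately from patch state, so the output tells you which unpatched host to fix first rather than only how many there are.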

Evaluating SASE Vendors? Here’s Why You Should Compare Apples and Oranges

There is a common cliché that is often thrown around during SASE vendor discussions: “you are comparing apples to oranges.” This phrase is typically used when looking at the functions or features of a product, but it is often used by people looking to discredit a solution offered by a competitor. That is natural, however, as every single vendor is inherently biased to believe that its offering is the best. So, let us take a look at what this expression means, and why we should compare apples and oranges when evaluating SASE solutions.

Why Compare Apples and Oranges

An apple and an orange have many things in common. They are both fruits, they are both round, they both can taste sweet (or sour), and both can do damage if they are thrown in anger. Based on these characteristics alone, there is no discernible difference between the two. Now, what are the differences? The question you need to ask yourself is, “What do I want?” If you are looking to make an apple pie, then the choice is obvious. However, if your goal is just to eat something fruity, then that is where the deliberation begins. Do you buy an apple? Do you buy an orange? If you do not have an idea in mind, it is easy to get overwhelmed in the fruit aisle…

Mapping Architecture to Your End Goal

Look at the solutions and technologies that you use today within your corporate network and think about the purpose of their design. Have you purchased an orange or an apple, or do you have a chaotic digital fruit salad which has grown organically over time due to a myriad of tastes and preferences? If so, you need to re-evaluate your entire corporate strategy to help you grow and develop into the future. The architecture of every fruit has a purpose and has been designed in an optimal way to ensure the continuity of its lineage. The orange has segments which may hold individual seeds, while grapes grow in a bunch connected by the stalks.
This could be compared to a microservice architecture, such as Docker (packing containerized applications on a single node) or Kubernetes (running containerized applications across a cluster). Each fruit has its pros, cons, and uses; however, the more fruit you want, the more difficult your life becomes. You need to understand the architecture of each fruit, and then go on to identify the best practice for fruit combinations. You need to know the purpose and intent of each piece of fruit, and you need to locate a myriad of different fruits. This is manageable if there is only one person purchasing and eating fruit for the company, but as soon as you add another personality, the situation evolves, in a negative way, and we haven’t even thought of the fruit bowl challenge.

The Fruit Bowl Challenge

Every time you purchase a piece of fruit, you need to store it somewhere. This could be in the fridge, in a bowl, in a cupboard, or left in your car under the scorching sun. To purchase each piece of fruit, you may need to go to different shops, with varying levels of quality. Should you purchase a Jazz Apple or a Braeburn, a Clementine or a Satsuma? Once you’ve identified which specific type of fruit you want, where can you get it at the right price? Shop A may offer it at a lower price than Shop B today, but that’s a limited-time offer. When you’re trying to maximise a constrained budget, the time investment required to ensure you purchase something of quality and longevity can be a moderately significant effort. Now, consider each piece of fruit to be a component of your network. You want to purchase edge security, so you gather several vendors to check for bruises, blemishes, and pack size. After making your decision on what to buy (after months of deliberation, RFPs, and proofs of concept), you then move to the negotiation stage with hundreds of distributors, resellers, or VARs.
Finally, you close the deal, and they send you a truck full of apples. It’s what you wanted, right? I hope you have somewhere to store all those apples, because the clock is ticking, and they’re already starting to spoil.

Turning Apples into Apple Pie

So, you have your apples, you can see them, and you proudly gaze upon the mountain of fruit sitting in your warehouse. You’ve spent a lot of money on these apples, and you’ve cashed in all your favours with your CFO to get the budget approved for this gargantuan upfront cost. Now the real work begins, as you need to prepare for the implementation, deployment, and creation of your apple pies (or firewall/site deployments; I’m sticking to the metaphor here!)

The first thing you do is hire a group of people to move the apples into neat piles. Then you hire another group of people to come and peel the apples, as well as a disposal company to remove the packaging and peel that you no longer need. Once fully peeled and sliced, you then need a way to transport the prepared goods to the next location for processing, and all of this is required even before your apples touch pastry. However, you accounted for this during your initial budget spend, and do not see it as a concern, until you notice that some of the fruit has already turned rotten. You need to contact the vendor to initiate a return (RMA), and this is where you notice problems.

The Rotten Apple Problem

“Your support contract on this apple has expired.” I personally used to work for an appliance (fruit) based company, and I had to tell customers this on an almost daily basis. People call Support for assistance as their sites may be down, or critical applications may have been impacted by service outages, and they need urgent P1 Support. However, if the customer has not actively maintained their Support contract, then there is no legal obligation to assist in resolving their problem.
In fact, if the vendor operates on a ‘Support & Maintenance per device’ basis, it is in their interest to actively withhold assistance until you pay the money to reinstate the contract. How many apples did you just buy? Did you take a Support contract out on every apple? Are you actively tracking the start and end date of the renewal? Have you invested in administrative staff to ensure you have consistency of care? Will this vendor assist you with bruised apples, or does your contract only cover total losses? These are questions you should be asking yourself as you review the entire total cost of ownership for every single purchased asset. If you’ve amortized an apple over a 5-year period, do you think you’ll still want the same apple 5 years from now? Your taste may have changed. Oh, and did you remember, you haven’t just purchased apples for your company. Life isn’t that simple. You’ve also purchased your grapes, peaches, plums, pears, bananas and more, because you want to maintain complete control of your network using point products. How does it make you feel, having to constantly maintain this supply chain? Your life has become confusing, and this all started because somebody originally said that you were ‘comparing apples to oranges.’

The Cato Solution

We’ve been talking in metaphors during this article, but let’s drop the pretence and start talking directly. Today your network is most likely built from a series of different products made by a myriad of vendors. You have network firewalls, internet gateways, CASB engines, VPN concentrators, anti-malware engines, Intrusion Prevention Systems (IPS) and many more. Each of these products has been built by its vendor in the belief that it is the best in its own functional field; however, to you as a consumer of products, the result is a wide portfolio of products that you must learn (as well as maintain, update, and manage).
Dealing with these administrative tasks is likely not the reason you decided to get into IT, but here you are. Life doesn’t have to be this way. Cato Networks offers a truly converged service offering covering all aspects of Networking, Security and Access. The term ‘service offering’ is key, as we maintain, manage, and continually improve our service in the cloud, ensuring that you have the latest and greatest in networking and security coverage without having to lift a finger. Unlike with product-based companies, you don’t have to have significant warehouse space to store hundreds of servers and appliances, you don’t need to worry about multitudes of service contracts, and best of all, you don’t need to worry about upgrading or patching (as this is done by Cato Networks).

How to Solve the Fruit Bowl Challenge with Cato

So, in short, apples are great, and oranges are fine. But why limit yourself? What if I told you that you could have BOTH apples and oranges? What if I told you that you could get both using a single service subscription? What if I told you that we’re constantly growing our catalogue of SASE features and offerings, so you also get peaches, plums, pineapples, and pears at no extra cost? What if I told you that new fruit is being added every two weeks? Why limit yourself to just buying apples, when Cato can offer you every fruit under the sun, whenever you want it, all at the click of a button.