The Resurrection of CVE-2021-21974: The Ransomware Attack on VMware ESXi Hypervisors that Doesn’t Seem to Go Away


An old vulnerability has recently been making waves in the world of cybersecurity, and that is the catchily named CVE-2021-21974. The ransomware attack that exploits a vulnerability in VMware ESXi hypervisors has reportedly hit over 500 machines this past weekend. Shodan data indicates that many of the affected servers were initially hosted on OVHcloud, but the blast radius appears to be constantly expanding.

So serious is the outbreak that it has gained the attention of CERT-FR (the French government center for monitoring, alerting and responding to computer attacks), which has issued an advisory warning of the vulnerability. This is the first advisory of 2023, only preceded by a Fortinet SSL-VPN issue which was announced in December 2022.

But the biggest problem is that the CVE was originally issued two years ago, when researchers at Trend Micro discovered and reported the vulnerability to VMware! That’s two years in which organizations didn’t patch and upgrade their servers to mitigate this vulnerability.

Why is CVE-2021-21974 a concern?

The researchers discovered that vCenter Server, the centralized management platform for VMware, was susceptible to an attacker executing arbitrary code with privileged levels of access. The vCenter Server is the beating heart of a company’s virtual infrastructure. It’s the place where administrators go to manage virtual machines, networks, storage, and more.  

By exploiting this vulnerability, an attacker could potentially gain access to sensitive information, disrupt operations, and cause significant damage to an organization’s virtual infrastructure. While VMware took steps to address this exploit, it required manual intervention on the part of administrators to install and deploy the fix.

How does this exploit work, and how can you stay protected? 

This exploit follows the traditional hallmarks of the ransomware attack chain. Let’s walk through what that looks like for enterprises with and without Cato:  

Step 1) Initial access 

Without Cato: 

Legacy networks provide users with access to the complete network. As such, attackers have a wide range of attack vectors to gain initial access to the network and then to move laterally and attack the VMware vCenter Server. Vectors include phishing attacks, network intrusion, or exploitation of another vulnerability.  

With Cato:

Cato implements a zero-trust access model, which restricts a user’s resource access and decreases the attack surface. It’s no longer sufficient for attackers to gain initial access to the network. They must gain access to a user or machine with access to vCenter Server. Cato’s ZTNA includes constant device and user assessment, user access control and posture checks to ensure that initial access is not possible. If someone attempts to click on a phishing link, Cato’s SWG and FWaaS can detect, block, and log this connection – ensuring that your perimeter always remains secure.

Step 2) Exploitation 

Without Cato: 

The attacker exploits the vulnerability in the vCenter Server by sending a specially crafted request to the server. This request contains malicious code that the attacker wants to execute on the vCenter Server. Sometimes this is done via vulnerability chaining (using one vulnerability to expose another), while at other times a single exploit is enough.

With Cato: 

Should an attacker gain access to a machine with access to the vCenter Server, exploiting the vulnerability will still be impossible. Our security engines, including our IPS, identify and block the malicious code before the server can even be compromised. To be clear, even though the server has not yet been patched and, in theory, would be vulnerable, Cato reduces the attack surface without you having to do anything. And, yes, Cato does protect against CVE-2021-21974. We have for years.

Step 3) Code execution: 

Without Cato:

Upon receiving the request, the vCenter Server processes it, which causes the malicious code to be executed on the server. This allows the attacker to execute arbitrary code with the privileges of the vCenter Server.

With Cato: 

This phase is bypassed, as we have blocked the attacker from gaining access to the network, as well as blocking any malicious traffic. In the rare event that a machine was compromised with ransomware while not being protected by Cato, our converged security solutions would prevent the lateral movement of malware throughout your network (north/south and east/west) while also providing insight into this risk within the Cato Management Application.

Step 4) Data theft or disruption 

Without Cato: 

The attacker can now access sensitive information stored on the vCenter Server or disrupt operations within the virtual infrastructure. The attacker could potentially steal sensitive information, disrupt virtual machines, deploy ransomware or even completely shut down the virtual infrastructure. 

With Cato: 

Information is secure as Cato has stopped every step of the attack lifecycle prior to this stage. However, if someone has compromised a device in a way that hasn’t been caught, Cato’s DLP capabilities will prevent exfiltration and theft of sensitive information.  


What’s your choice? 

This CVE is one of thousands which appear in the cybersecurity landscape every week, against hundreds of vendors. If you’re a network or security practitioner who’s responsible for managing a large stack of servers, which option would you choose to ensure your network doesn’t get breached? 

Do you want to spend a large portion of your life chasing patches and securing vulnerabilities, deploying packages and making sure every hole of your leaking ship has been plugged? 

Or should you adopt a converged stance for networking and security, and allow Cato Networks to protect you at each step of the attack cycle with minimal involvement required? 

I know which option I would want…

To learn more about CVE-2021-21974 and other goodies, check out this episode of CyberTalk, our video series dedicated to raising cybersecurity awareness everywhere. 
