Since yesterday, as you may have heard in the last few hours, a ransomware campaign has been under way against servers running old versions of the VMware virtualization suite, and specifically its ESXi component. It is a fairly common kind of attack, not an extraordinary one, and above all its repercussions for the general public seem limited (to be clear: it has not taken down widely used services such as WhatsApp or Facebook).
Yet, for some reason, it has captured the interest of the general press, especially the Italian press, which has reported it in rather dramatic tones. With this short piece we try to better understand its causes, its spread and its consequences, with a necessary warning: the situation is still evolving, so some details could change within a short time.
THE BASICS: SHORT GLOSSARY
Before going into it, it is worth spending a few words on some technical terms, without going too deep: a short refresher for those who are not very familiar with them.
- VM or virtual machine. Basically the idea of running an operating system inside another operating system, almost as if it were an application. For example, you may need to run a Linux environment on your Windows computer, or a Windows environment on a Mac, to launch particular applications or games that are not available natively. In corporate/enterprise environments it is an extremely popular way of managing servers, because many of them can share a single physical machine. Essentially
- hypervisor. The software designed to create, run, manage and monitor multiple virtual machines. It may run as an application on top of an ordinary operating system (as desktop products do) or, as ESXi does, directly on the physical machine, taking the place of the operating system.
- ransomware. A type of attack that has spread widely in recent years. Basically, a program is loaded and executed on the compromised system which encrypts its files (sometimes packing them into password-protected archives) and then asks the owner of the system for a ransom, generally in cryptocurrency, in exchange for the key needed to decrypt them and recover the data.
As we told you this morning, the vulnerability is identified as CVE-2021-21974; as the identifier suggests, it was registered in 2021. It concerns VMware ESXi, a specific component of the American company's enterprise virtualization suite.
In particular, ESXi is a hypervisor, in fact one of the most widely used in the world. The target is a very specific service, OpenSLP, listening on port 427: by sending it specially crafted data an attacker can trigger a heap overflow, which in practice allows code to be executed remotely without any authentication. If you are interested in learning more about this aspect, our colleagues at Bleeping Computer have written an extremely detailed article that analyses the attack almost line by line.
As we said, simplifying to the extreme, a virtual machine is in effect an application; it does not work very differently from Word, say, except that instead of opening text documents it works with container files (virtual disks) in which all the files of a guest operating system are stored. The ransomware encrypted those container files on the hypervisor and demanded a ransom to "free" them.
The attack was quite widespread, but it is worth giving a more precise dimension to the generic and often rather hyperbolic terms seen above all in the Italian press. According to Censys data, updated more or less in real time, the affected servers number just over 1,800; the largest share (almost 800) is in France, followed by the USA and Germany with about 250 each. Italy is at 17. The numbers are still growing, but the wave is slowing down.
Establishing precisely how many servers there are in the world, or even just in Italy (note: not data centers, individual servers!), is almost impossible, but we can say with some confidence that this is a very small share of the total. An analysis of the servers at risk, i.e. those running old, unpatched versions of VMware ESXi, returns much higher figures: about 70,000 systems.
"IT WAS ENOUGH TO UPDATE"
A fundamental detail of the whole story is that a corrective patch was released almost immediately after the vulnerability was discovered. In concrete terms, keeping the server's software components up to date would have been enough to avoid this latest wave of attacks. In some cases it was not done, and the usual controversy on the subject was promptly rekindled. The fact is that behind that "it would have been enough" hides one of the thorniest problems in the entire IT sector.
In short: applying an update to a fleet of servers or virtual machines is a little more complicated than doing it on a smartphone, especially since the implications are broader. Unfortunately not every patch goes smoothly, and if one of them introduces a critical bug that renders the system unusable, an entire company may be paralysed: employees cannot work and production stops.
There are systems, controls and procedures to avoid, or at least try to avoid, such scenarios (test environments, staged rollouts), but they cost time, effort and money. It is largely testing work, which by its nature is not an exact science: it is very complex, with a great many factors at play, including the skill and motivation of the staff, the tools at their disposal, and time. And many of these parameters vary, as you can imagine, with the amount of money available.
But it is not just a matter of applying the patch or not. Several industry experts are asking how so many vulnerable servers could be found exposed. It seems clear that the hypervisors' IP addresses were reachable from the Internet and that port 427 was not filtered, even though it is not a port that normally needs to be open: SLP is a local service-discovery protocol, not something to publish to the outside world. In short, it is easy to imagine that the firewall and network configuration of the affected servers had been very careless, assuming firewalls were in place at all. A hypervisor's management services should never be reachable from the public Internet, patched or not.
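The exposure described in the two passages above (an SLP daemon on port 427 reachable from outside) can be checked directly. The probe below is an added example written for this page; it is not code from the original article, from VMware or from Censys. It speaks just enough of the SLPv2 protocol (RFC 2608) to send a Service Request to TCP port 427 and tell whether an SLP daemon answered, which is exactly the exposure that made the attack possible; it does not test for or trigger the heap overflow itself. The host names are placeholders, the "service:wbem" service type is an assumption (any SLPv2 reply carrying our transaction ID already proves the daemon is listening), and build_srvrply exists only to synthesise a daemon's reply for offline checks.

```python
"""Exposure probe for an SLP daemon on TCP 427 (the service ESXiArgs reached over the network).
Added example for this article, not code from the original page or from VMware. It speaks just
enough SLPv2 (RFC 2608) to send a Service Request and recognise a reply; it does not test the bug."""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST = 1    # Service Request
FN_SRVRPLY = 2    # Service Reply
FN_SAADVERT = 11  # SA Advertisement (what a "service:service-agent" request gets back)

def _slp_string(s: bytes) -> bytes:
    """SLPv2 strings are 16-bit length-prefixed, no terminator."""
    return struct.pack("!H", len(s)) + s

def _slp_header(function_id: int, xid: int, body_len: int, lang: bytes = b"en") -> bytes:
    """Fixed header: version, function, 24-bit length, flags, extension offset, XID, language tag."""
    length = 14 + len(lang) + body_len
    return (struct.pack("!BB", SLP_VERSION, function_id) + length.to_bytes(3, "big")
            + struct.pack("!H", 0)          # flags (overflow/fresh/mcast) all clear
            + (0).to_bytes(3, "big")        # no extensions
            + struct.pack("!H", xid) + _slp_string(lang))

def build_srvrqst(xid: int, service_type: bytes = b"service:wbem", scope: bytes = b"DEFAULT") -> bytes:
    """SrvRqst (RFC 2608 8.1). The service type (assumed here) barely matters for an exposure
    check: even an empty SrvRply proves a daemon answered."""
    body = (_slp_string(b"")            # previous-responder list
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string(b"")          # predicate
            + _slp_string(b""))         # SLP SPI (no authentication)
    return _slp_header(FN_SRVRQST, xid, len(body)) + body

def build_srvrply(xid: int, error_code: int = 0, urls=()) -> bytes:
    """SrvRply (RFC 2608 8.2); used here only to synthesise a daemon's answer offline."""
    body = struct.pack("!HH", error_code, len(urls))
    for url in urls:   # URL entry: reserved, lifetime, length-prefixed URL, auth-block count
        body += struct.pack("!BH", 0, 0xFFFF) + _slp_string(url) + b"\x00"
    return _slp_header(FN_SRVRPLY, xid, len(body)) + body

def parse_slp_header(data: bytes) -> dict:
    """Decode the fixed header; ValueError if this is not a well-formed SLPv2 message."""
    if len(data) < 14 or data[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    length = int.from_bytes(data[2:5], "big")
    lang_len = struct.unpack("!H", data[12:14])[0]
    if length < 14 + lang_len or len(data) < 14 + lang_len:
        raise ValueError("truncated SLPv2 header")
    return {"version": data[0], "function": data[1], "length": length,
            "xid": struct.unpack("!H", data[10:12])[0], "lang_len": lang_len}

def parse_srvrply_urls(data: bytes):
    """Return (error_code, [urls]) from a SrvRply; stops at the first entry carrying auth blocks."""
    hdr = parse_slp_header(data)
    if hdr["function"] != FN_SRVRPLY:
        raise ValueError("not a SrvRply")
    off = 14 + hdr["lang_len"]
    error_code, count = struct.unpack("!HH", data[off:off + 4])
    off, urls = off + 4, []
    for _ in range(count):
        url_len = struct.unpack("!H", data[off + 3:off + 5])[0]
        urls.append(data[off + 5:off + 5 + url_len].decode("ascii", "replace"))
        off += 5 + url_len
        if data[off] != 0:
            break
        off += 1
    return error_code, urls

def classify_reply(host: str, reply: bytes, xid: int) -> dict:
    """Turn whatever came back on port 427 into a verdict."""
    try:
        hdr = parse_slp_header(reply)
    except ValueError:
        return {"host": host, "status": "open-non-slp", "bytes": len(reply)}
    if hdr["xid"] != xid or hdr["function"] not in (FN_SRVRPLY, FN_SAADVERT):
        return {"host": host, "status": "open-unexpected-slp", "function": hdr["function"]}
    verdict = {"host": host, "status": "slp-exposed", "function": hdr["function"]}
    if hdr["function"] == FN_SRVRPLY:
        verdict["error_code"], verdict["urls"] = parse_srvrply_urls(reply)
    return verdict

def probe_host(host: str, port: int = SLP_PORT, timeout: float = 3.0, xid: int = 0x1234) -> dict:
    """One TCP connection, one SrvRqst, one read. Only point this at hosts you are responsible for."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_srvrqst(xid))
            reply = sock.recv(4096)
    except socket.timeout:
        return {"host": host, "status": "timeout"}  # filtered, or open but silent
    except OSError as exc:
        return {"host": host, "status": "closed", "detail": str(exc)}
    return classify_reply(host, reply, xid)

if __name__ == "__main__":
    # Placeholder inventory (assumed); replace with your own management-network hosts.
    for h in ("esxi01.example.test", "esxi02.example.test"):
        print(probe_host(h))
```

A status of slp-exposed on a host reachable from outside the management network is the configuration the article calls careless, whether or not the host is patched. Filtering the port is not the whole fix either: VMware's own guidance (KB 76372) is to stop the daemon with /etc/init.d/slpd stop, close the CIMSLP firewall ruleset with esxcli network firewall ruleset set -r CIMSLP -e 0, and keep it off across reboots with chkconfig slpd off, in addition to installing the patched build.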
WHAT TO DO NOW?
For those already affected there are few alternatives: pay, start from scratch, or restore. The first two are self-explanatory; the third requires the existence of a "disaster recovery" plan, which in plain terms generally means backups on external systems or media that allow at least a large part of the data to be recovered, depending on how often they are taken. Paying, it is worth adding, guarantees nothing: there is no certainty of receiving a working decryption key.
For those not affected yet (it is worth noting that infection attempts are still ongoing at the moment), the tools to secure the systems are all there, and they are many: update the software, and correctly configure the firewall and, more generally, the network (for more specific details, aimed at professionals in the sector, see the link HERE). The hope is that now that the news is spreading everyone will run for cover; it is less realistic to hope that this time the lesson that "prevention is better than cure" has finally been learned, given that it has been repeated after more or less every disaster, not only computer ones, for decades.
As for us end users there is very little to say: some services or platforms may be unavailable or work in a limited or intermittent way. But, let's be clear, nothing too big; in this regard it is worth noting that the TIM outages of the last few days are unrelated to this incident.
THE GOVERNMENT NOTE
The note released today by the Government confirms that the attack has not compromised any institution or primary company operating in critical sectors:
With regard to the hacker attack that occurred on a global scale, the meeting held this morning at Palazzo Chigi, coordinated by the Undersecretary with responsibility for Cybersecurity Alfredo Mantovano, with Eng. Roberto Baldoni and Ambassador Elisabetta Belloni, served to verify that, despite the seriousness of the incident, in Italy no primary institution or company operating in sectors critical for national security was affected.
The results of the first investigations also rule out that the attack may have been carried out by a hostile state. It would be the action of cybercriminals seeking to profit from the payment of the ransom.
During the first reconnaissance activities carried out by the ACN (National Cybersecurity Agency) together with the Postal Police, no evidence emerged pointing to an attack by a state entity or one similar to a hostile state; it is instead likely the action of cybercriminals demanding the payment of a "ransom".