VMware vCenter servers are being scanned at a high rate because of a newly disclosed vulnerability that lets threat actors take over unpatched servers and, from there, the networks those servers manage.

The vulnerability, tracked as CVE-2021-21972, carries a Common Vulnerability Scoring System (CVSS) score of 9.8. It is an unauthenticated remote code execution flaw in a plugin (the vRealize Operations plugin) shipped with the vSphere Client (HTML5) of vCenter Server. vCenter Server is the central management console that IT personnel use to administer ESXi hosts and the virtual machines running on them, so it sits at the heart of an enterprise's virtual infrastructure rather than on individual employee machines.

Because a single vCenter server controls many hosts and virtual machines, VMware rated the vulnerability critical. It is trivial to exploit: no credentials are required, and the working attack is a single cURL request that uploads a crafted file to the vulnerable plugin endpoint. Roughly 6,700 vCenter servers are exposed directly to the internet, and every one of them that has not yet received VMware's patch can be exploited by anyone who finds it.

Positive Technologies researchers discovered the vulnerability in October 2020 and reported it privately to VMware so that customers could patch before details became public. Shortly after the fix was released, an independent researcher published a working proof of concept (PoC). Threat actors picked it up immediately, and internet-wide scanning for unpatched servers skyrocketed.
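The scanning described above leaves a recognisable trail wherever vCenter's web interface is logged. The following is an added example (not code from the original post, from Positive Technologies, or from VMware) that flags CVE-2021-21972 probes and exploit attempts in access logs. It assumes a reverse proxy or WAF in front of vCenter writing Apache/NGINX "combined" format, and it keys on the plugin's REST base path and the unauthenticated OVA upload endpoint used by the public PoC. The log lines are constructed for the example.

```python
"""Flag CVE-2021-21972 probes and exploit attempts in web access logs."""
import re
from typing import Dict, List, Optional

# Combined log format as written by a reverse proxy or WAF in front of vCenter.
# Assumption for this example: vCenter's own service logs use other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# REST base of the vROps plugin exposed by the vSphere Client (HTML5), and the
# unauthenticated upload endpoint abused by the public PoC.
VROPS_BASE = "/ui/vropspluginui/rest/services/"
UPLOAD_ENDPOINT = VROPS_BASE + "uploadova"

# Constructed sample: one scanner probing then uploading successfully from
# 203.0.113.7, normal admin traffic from 10.0.0.12, and a second attempt from
# 198.51.100.9 that a patched server rejects with 401.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2021:10:14:02 +0000] "GET /ui/vropspluginui/rest/services/getstatus HTTP/1.1" 200 124 "-" "curl/7.68.0"
203.0.113.7 - - [24/Feb/2021:10:14:05 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.12 - - [24/Feb/2021:10:15:40 +0000] "GET /ui/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Feb/2021:11:02:11 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 401 0 "-" "python-requests/2.25.1"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Map one parsed request to a verdict, or None for unrelated traffic."""
    path = entry["path"].split("?", 1)[0].lower()
    if path == UPLOAD_ENDPOINT and entry["method"] == "POST":
        return "exploit_attempt"
    if path.startswith(VROPS_BASE):
        # getstatus and similar: cheap unauthenticated reachability probes
        return "probe"
    return None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan raw log text and return one finding per suspicious request."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        status = int(entry["status"])
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "method": entry["method"],
            "path": entry["path"],
            "status": status,
            "verdict": verdict,
            # A 2xx on the upload endpoint means the server accepted an
            # unauthenticated upload: treat the vCenter as unpatched and
            # possibly compromised. 401/403 means the request was refused.
            "accepted": 200 <= status < 300,
        })
    return findings


def successful_attackers(findings: List[Dict[str, object]]) -> List[str]:
    """Source IPs whose upload attempt was accepted, i.e. likely succeeded."""
    return sorted({str(f["ip"]) for f in findings
                   if f["verdict"] == "exploit_attempt" and f["accepted"]})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:>14} {f['verdict']:<16} "
              f"{f['method']} {f['path']} -> {f['status']}")
    print("upload accepted from:", successful_attackers(scan(SAMPLE_LOG)))
```

A `probe` finding by itself only tells you someone is looking; an `exploit_attempt` with a 2xx response is the one to escalate, because it means the server accepted an unauthenticated file upload and should be treated as compromised until proven otherwise. Once the patch is applied, the same requests should be refused, so a sudden shift from 200 to 401 on this endpoint is also a quick way to confirm the fix took effect.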

How to patch:

VMware has released patches for all supported vCenter Server versions (7.0, 6.7 and 6.5); the fix is to upgrade to the patched build. If you cannot patch immediately, VMware also documents a workaround that disables the vulnerable plugin, and in any case the vCenter management interface should not be reachable directly from the internet.

The same VMware advisory also covers two other products: VMware Cloud Foundation, which bundles vCenter Server, and VMware ESXi, which is affected by a separate flaw fixed at the same time.

VMware ESXi has already been targeted by RansomExx, Babuk Locker and Darkside ransomware, so threat actors are clearly looking to take control of hypervisors and management servers: from there they can encrypt many virtual machines at once instead of one endpoint at a time.

When a vulnerability like this is disclosed, the engineers in our 24/7 Security Operations Center work to patch it on client networks immediately. Even if a patch is not applied before threat actors get in, our ShadowSpear® Platform blocks malicious executables attempting to run on endpoints and neutralizes the threat by isolating the affected host so it cannot spread to other parts of the network.

Three modules make up the ShadowSpear® Platform and work cohesively to stop cyber threats for any organization in any industry.

Identify has cloud SIEM capabilities and provides custom dashboards, queries, and filters in one place for easy viewing.

Neutralize equips organizations with next-gen antivirus and a Security Operations Center waiting to respond to threats. It instantly prevents advanced malware and exploitation techniques on deployment.

Counter gives our Security Operations Center the ability to react to threats with one of the quickest response times in the industry. Counter also collects forensic artifacts, executes response scripts and isolates hosts, which is a surefire way to combat criminal adversaries.

SpearTip’s cyber experts continuously monitor environments 24/7 from our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This gives your organization direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.