As I sit here writing this blog post, I am reminded of a previous post I made back in February 2021, titled “Is Your VMware vCenter Publicly Available?” Two years later the topic is still relevant: another widespread ransomware attack has targeted publicly available ESXi hosts. This time the attack is called ESXiArgs, and it exploits a vulnerability that was patched two years ago (CVE-2021-21947).
The attack targets ESXi hosts that are reachable over the internet, but the vulnerability itself is not limited to publicly exposed hosts. Any internal client that can reach your hosts could be an attacker as well. As I stated in my previous post, there is no valid reason why your VMware vCenter or ESXi hosts should be accessible over the internet.
The same technique and vulnerability used in this attack can just as well be used from inside your perimeter firewall, so protecting your infrastructure is not only a matter of patching the vulnerability, but also of limiting access to your ESXi hosts and vCenter server.
In my previous post, I emphasized the importance of keeping your ESXi hosts and vCenter server behind a firewall and only accessible by non-admin clients in your local network. This is still relevant today, as it’s crucial to limit access to your infrastructure to prevent attacks like this one.
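One practical check that follows from this advice is to verify, from outside your admin network (an external vantage point or an ordinary user VLAN), whether your vCenter or ESXi management ports answer at all. The script below is an added example, not code from the original post or from VMware; the host name `vcenter.example.internal` is a placeholder, and the port list is the set of well-known vSphere management ports rather than anything the post lists. `self_check()` runs the same audit against a throwaway loopback listener so you can confirm the tool works before pointing it at your own hosts.

```python
"""Audit which VMware management ports on your own hosts answer from the
network this script is run from. Constructed example; not part of the
original post. Run it from a non-admin vantage point: anything reported as
reachable is reachable by a potential attacker on that network too."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Well-known vSphere management ports (assumption: adjust to your deployment).
# 443 HTTPS UI/API, 902 host agent (vmware-authd), 22 SSH, 427 SLP (OpenSLP).
DEFAULT_PORTS = {443: "https", 902: "vmware-authd", 22: "ssh", 427: "slp"}


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unresolvable: not reachable from here.
        return False


def audit(hosts, ports=DEFAULT_PORTS, timeout=2.0):
    """Map each host to the sorted list of management ports reachable from here.
    Hosts with nothing reachable are omitted from the result."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    exposed = {}
    for (host, port), is_open in zip(targets, results):
        if is_open:
            exposed.setdefault(host, []).append(port)
    return {h: sorted(p) for h, p in exposed.items()}


def report(exposed, ports=DEFAULT_PORTS):
    """Render audit() output as one line per host; a fixed line if nothing is reachable."""
    lines = []
    for host, open_ports in sorted(exposed.items()):
        services = ", ".join(f"{p}/{ports.get(p, '?')}" for p in open_ports)
        lines.append(f"{host}: reachable -> {services}")
    return lines or ["no management ports reachable from this vantage point"]


def self_check():
    """Start a throwaway listener on loopback and confirm audit() reports it.
    Lets you validate the tool without touching any real host."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return audit(["127.0.0.1"], {port: "self-test"}, timeout=1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    hosts = sys.argv[1:] or ["vcenter.example.internal"]  # placeholder host
    print("\n".join(report(audit(hosts))))
```

Anything the script reports from a network that should not have management access is a firewall or network-segmentation gap to close, independent of whether the host is patched. Run it once from the internet and once from a regular user subnet; both should come back empty.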
Moreover, it’s important to note that even if you have patched the vulnerability, it’s still possible for an attacker to exploit other vulnerabilities in your infrastructure. Therefore, it’s essential to regularly assess and update your security measures to protect against evolving threats.
In conclusion, the recent ESXiArgs ransomware attack serves as a reminder of the importance of keeping your VMware vCenter and ESXi hosts secure. It’s crucial to limit access to your infrastructure and regularly assess and update your security measures to protect against evolving threats. Remember, there is no valid reason why your ESXi hosts or vCenter server should be accessible over the internet, so take action now to secure your infrastructure.