Cybersecurity, that’s why the flaw on ESXi systems is serious and urgent to defend

News of attacks on, and potential compromises through, a vulnerability in some VMware virtualization platforms has been circulating loudly in the media and news headlines for several days. Referenced as CVE-2021-21974, it has been known for two years and affects three VMware platforms for operating-system virtualization. In ascending order:
• ESXi 6.5.x versions prior to ESXi650-202102101-SG
• ESXi 6.7.x versions prior to ESXi670-202102401-SG
• ESXi 7.x versions prior to ESXi70U1c-17325551
The attack involved several countries: first France, whose CERT reported the incident last Friday, then Italy, Finland and others. The campaign has clearly targeted systems that have been out of date for a long time, aiming at the vulnerable surface exposed by a service called the Service Location Protocol (SLP). The first recommendations for mitigating exposure have in fact suggested disabling this service on systems that have not yet been updated.
It must be said that updating infrastructure platforms for virtualization is often not a simple operation, due to hardware compatibility issues between versions and time-consuming planning.
The fact remains that the uproar that the news has unleashed in Italy has certainly been very, very high.
This was also due to an event that coincided in time, though not in cause, which on Sunday hit Sparkle's Seabone backbone, one of the 5 most important Internet networks in the world. The combined impact of a patchwork of outages and the National Cyber Security Agency's re-launch of the ESXi vulnerability news created a perfect-storm effect and cyber-attack panic reactions across the nation.
It should be clarified immediately that the flaw on ESXi systems is serious and urgent for at least three reasons:
– it affects a virtualization platform, that is, an infrastructure normally used to host even extensive sets of potentially critical services
– if exploited, it would allow the attacker to execute code remotely, for example to encrypt data stores and demand a ransom
– it appeared in the lists of known vulnerabilities two years ago, classified by the vendor as critical, and therefore deserving the utmost attention and urgency in remediation
When a vulnerability becomes known, attackers have at their disposal genuine search engines such as Shodan or Zoomeye, which specialize in identifying the surfaces exposed across the entire Internet for one or more given vulnerabilities or services. It should therefore come as no surprise that cybercriminals periodically try to exploit these flaws with large-scale attack campaigns.
What is worrying is that there has been news of the compromise of a few dozen systems in Italy, which means obsolete and outdated systems are still present despite the seriousness and urgency mentioned! It means that no compensating controls were implemented if, for whatever reason, updating the systems was not possible! And it means the inability to monitor, detect, mitigate and neutralize an attack well before it reached its objective!
Facing remediation of a vulnerable surface without any context for prioritization is certainly as daunting a task as clearing a mountain with a snow shovel; doing so without an effective defense system that detects and mitigates attacks while remediation is being planned is certainly impossible.
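The version list above, the SLP-disabling mitigation and the closing point about prioritization can be turned into a small triage script. The following is an added example, not code from the article, from SentinelOne or from VMware: it parses the fixed-release identifiers quoted in the article, flags hosts whose installed release predates the fix for their train, and ranks them by whether the SLP service is still running and whether the host is reachable from the Internet. The inventory, the host names, the two sample release identifiers ESXi650-202011002-SG and ESXi70U1-17000000, and the priority labels are constructed for the example; the build number 17325551 and the 6.5/6.7 patch identifiers come from the article.

```python
import re
from dataclasses import dataclass

# Fixed releases named in the article for CVE-2021-21974, keyed by ESXi train.
# 6.5 and 6.7 fixes are identified by security patch id (ESXi<train>-<YYYYMMnnn>-SG);
# the 7.x fix is identified by build number (ESXi70U1c-17325551).
FIXED = {
    "6.5": ("patch", 202102101),
    "6.7": ("patch", 202102401),
    "7.0": ("build", 17325551),
}

# Patch-id form, e.g. ESXi650-202102101-SG: train digits, then a 9-digit YYYYMMnnn sequence.
PATCH_RE = re.compile(r"^ESXi(\d)(\d)\d-(\d{9})-SG$")
# Build form, e.g. ESXi70U1c-17325551: train digits, optional update tag, then build number.
BUILD_RE = re.compile(r"^ESXi(\d)(\d)(?:U\w+)?-(\d+)$")


def parse_release(release_id: str):
    """Return (train, scheme, number) for an ESXi release identifier."""
    m = PATCH_RE.match(release_id)
    if m:
        return f"{m.group(1)}.{m.group(2)}", "patch", int(m.group(3))
    m = BUILD_RE.match(release_id)
    if m:
        return f"{m.group(1)}.{m.group(2)}", "build", int(m.group(3))
    raise ValueError(f"unrecognised ESXi release identifier: {release_id!r}")


def is_vulnerable(release_id: str) -> bool:
    """True when the installed release predates the fixed release of its train."""
    train, scheme, number = parse_release(release_id)
    if train not in FIXED:
        return False  # train not listed in the advisory scope quoted above
    fixed_scheme, fixed_number = FIXED[train]
    if scheme != fixed_scheme:
        raise ValueError(f"{release_id}: cannot compare a {scheme} id with a {fixed_scheme} threshold")
    # Both identifier schemes increase monotonically within a train, so a plain comparison works.
    return number < fixed_number


@dataclass
class Host:
    name: str
    release: str
    slp_enabled: bool       # is the SLP (slpd) service still running?
    internet_exposed: bool  # is the management interface reachable from the Internet?


def priority(host: Host) -> str:
    """Rank a host by patch state and by whether the compensating control is in place."""
    if not is_vulnerable(host.release):
        return "patched"
    if host.internet_exposed and host.slp_enabled:
        return "P1-immediate"       # vulnerable service reachable from the Internet
    if host.slp_enabled:
        return "P2-disable-slp"     # vulnerable but not exposed: apply the compensating control
    return "P3-schedule-patch"      # SLP already off: plan the update in the normal cycle


def triage(hosts):
    """Map every host name to its remediation priority."""
    return {h.name: priority(h) for h in hosts}


# Constructed inventory: host names and release identifiers are made-up samples for the example.
INVENTORY = [
    Host("esx-01", "ESXi650-202011002-SG", slp_enabled=True, internet_exposed=True),
    Host("esx-02", "ESXi670-202102401-SG", slp_enabled=True, internet_exposed=True),
    Host("esx-03", "ESXi70U1c-17325551", slp_enabled=False, internet_exposed=False),
    Host("esx-04", "ESXi70U1-17000000", slp_enabled=True, internet_exposed=False),
    Host("esx-05", "ESXi670-202008101-SG", slp_enabled=False, internet_exposed=False),
]

if __name__ == "__main__":
    for name, prio in triage(INVENTORY).items():
        print(f"{name}: {prio}")
```

The ranking encodes the article's argument: a host that cannot be patched yet is not left unranked, it moves to P2 until the compensating control (SLP off) is applied, and only then to the normal patch schedule. Feeding it from a real inventory means exporting each host's installed release identifier and the state of the slpd service, which is exactly the data the article says many operators did not have at hand.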

* , Technical Director of SentinelOne
