Cyber criminals are searching the internet for unpatched VMware vCenter servers that are vulnerable to a serious remote code execution bug that was fixed at the end of last month.
Bad Packets discovered the continuous behavior, which was validated by security researcher Kevin Beaumont.
Mass scanning activity was observed from 126.96.36.199 checking for VMware vSphere hosts vulnerable to remote code execution, according to Troy Mursch, chief research officer at Bad Packets.
The RCE exploit code for the VMware vCenter vulnerability has been released as a proof-of-concept (PoC).
The vulnerability, identified as CVE-2021-21985 (CVSS 9.8), is caused by a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which could be exploited by a threat actor to execute commands with unrestricted privileges on the underlying operating system hosting the vCenter Server.
Despite the fact that VMware fixed the bug on May 25, users are strongly advised to make the emergency change right away.
“In this era of ransomware, it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” VMware said.
Malicious actors have previously used opportunistic mass scanning to look for vulnerable VMware vCenter servers on the internet.
In order to exploit and take control of unpatched systems, a similar remote code execution vulnerability (CVE-2021-21972) that was patched by VMware in February was targeted.
According to Bad Packets and Binary Edge, at least 14,858 vCenter servers were reachable over the internet at the time.
Furthermore, according to a new Cisco Talos report released earlier this week, the threat actor behind the Python-based Necro bot wormed its way into vulnerable VMware vCenter servers by exploiting the same security flaw to increase the malware’s infection dissemination capabilities.
Original source: THN