VMware vCenter servers are being hit by a new wave of attacks that leaves unpatched machines exposed to hackers, who can take over any such machine and, from there, a company's entire network. Roughly 6,700 servers are at risk.
Threat intelligence firm Bad Packets is currently scanning for potentially at-risk devices and reporting its findings. The vulnerability lies in a VMware vCenter plugin, the vSphere Client (HTML5). vCenter servers are vital to any enterprise that uses VMware, since this server is the utility used to manage VMware products installed on local machines.
The vulnerability was reported last year by security firm Positive Technologies, which discovered that an attacker could target the plugin's HTTPS interface and use malicious code to elevate privileges without needing to authenticate. Because this server is so central to managing other VMware products, the bug was classified as highly critical and reported to VMware.
The bug was kept quiet because so many corporations use vCenter, giving VMware time to test and confirm that a patch actually fixed it. But a Chinese researcher then posted a proof-of-concept for the vulnerability, tracked as CVE-2021-21972, and once it was public, companies were denied any time to apply the patch.
The result has been a free-for-all: hackers from different crews are stepping over each other to find and break into any vCenter system that is still vulnerable and left online. On top of that, the exploit for the vulnerability is a single-line cURL request.
A Shodan query shows more than 6,700 VMware vCenter servers still reachable over the internet, each of which remains vulnerable until an admin patches it. VMware is taking this very seriously, as the vulnerability scored 9.8 out of 10, and is pushing customers to get their systems patched.
Ransomware gangs such as Darkside and RansomExx have been going after VMware systems and have shown that gaining access to them pays off, given how much they can get an enterprise to pay in ransom. On the plus side, Positive Technologies has published an in-depth technical report on the bug, which will help blue teams better defend their networks.