Monday 13th February 2023

Cyber Threat Intelligence Weekly Update: 10th February 2023

ESXi VMware servers targeted in global ransomware campaigns

This week we reported on several instances of cybercriminal groups targeting ESXi VMware servers with new ransomware variants in widespread campaigns affecting thousands of servers globally.

This week we reported on a new ransomware strain tracked as ESXiArgs that was deployed to around 3,200 VMware ESXi servers globally following numerous campaigns exploiting a heap-based vulnerability in OpenSLP tracked as CVE-2021-21974 (CVSS: 8.8 | OVSS: 100). The CVE enables remote code execution in various older ESXi versions.

Despite the number of compromises, it appears that the deployment of ESXiArgs ransomware was largely unsuccessful as it failed in many cases to encrypt flat files where data for virtual machines is stored. Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) released a recovery script on 7 February 2023 enabling organisations that fell victim to ESXiArgs to potentially retrieve encrypted data.

Subsequent reporting on 8 February 2023, however, suggests that the threat actors behind ESXiArgs have released an update addressing these limitations, with the newer variant capable of encrypting more data on virtual machines in a way that cannot be recovered by the existing CISA script.

A recently identified Royal ransomware variant has also been observed targeting VMware ESXi virtual machines, bringing the group's capabilities in line with other cybercriminal threat actors such as AvosLocker and Black Basta. These cases highlight a broader trend amongst ransomware operators towards targeting virtual machines, with groups such as LockBit beginning to offer versions capable of encrypting ESXi servers in January 2022.


A wave of phishing campaigns impersonates the Ukrainian telecommunications company Ukrtelecom to deploy the remote access software Remcos. Russian-linked Nodaria is using a new info-stealer called ‘Graphiron’ to steal data from high-profile Ukrainian organisations.

A backdoor login mechanism in Toyota's supplier and information management system GSPIMS allows unauthorised access as a valid user or supplier by knowing only their email. UK-based molten metal flow engineering company Vesuvius disclosed that its networks have been compromised. Semiconductor equipment maker MKS Instruments is investigating a ransomware event that impacted its production-related systems.

Malware Development:
Cybercriminals use Telegram to bypass ChatGPT security restrictions to generate malicious content such as phishing emails and malware. New threat actor TA886 targets organisations in the United States and Germany with new custom malware to perform surveillance and data theft on infected systems.

