BlackBasta Blamed for Global Attacks on VMware ESXi Servers
Italy, Germany, France, US and Canada Investigating Hacks of Unpatched Servers
The Italian cybersecurity agency says at least a dozen hacks against unpatched VMware ESXi servers in the country are likely tied to the BlackBasta ransomware group. Investigators say the ransomware campaign may have hit thousands of organizations worldwide since Thursday.
The first attack in Italy began Thursday in Rome against energy company Acea. The company, which generates and distributes electricity and supplies natural gas, has since restored its IT systems, according to the Agency for National Cybersecurity, or ACN, speaking to an Italian news agency on Sunday.
The Italian ACN blamed BlackBasta for the attacks, and in a statement given to Italian publication Nova News, Acea confirmed the attack had been carried out by BlackBasta.
ACN did not provide more details on the BlackBasta activities other than that the group is actively targeting unpatched ESXi servers throughout the country.
BlackBasta is a ransomware-as-a-service operation that surfaced in February 2022 and runs double-extortion attacks, encrypting victims' systems and threatening to leak stolen data. It is believed to have its roots in the now-defunct Conti ransomware group, but the BlackBasta code base is its own; a reworked version released in November added numerous changes aimed at evading antivirus and EDR detection.
The vulnerability, tracked as CVE-2021-21974, is two years old. It is a heap-overflow flaw in the OpenSLP service that VMware ESXi, the hypervisor used to run virtual machines, exposes on TCP port 427. VMware released patches in February 2021, and its advisory lists disabling the SLP service as the workaround for hosts that cannot be patched immediately.
According to ACN, the campaign is estimated to have targeted thousands of organizations across the world, including at least a dozen cases in Italy. The agency added these numbers could be far higher as some organizations may be unaware that they have been compromised (see: Massive Ransomware Campaign Targets VMware ESXi Servers).
The mass exploitation of the flaw was first flagged Friday by France's national CERT, CERT-FR, which said an unidentified ransomware campaign was using automated tooling to compromise hosts at scale.
Speaking to Information Security Media Group, a VMware spokesperson says a group that it dubbed ESXiArgs is behind the campaign. The company did not immediately respond to a request for comment seeking clarification if ESXiArgs is in fact BlackBasta or an affiliate.
The ACN advised vulnerable VMware ESXi users to patch the flaw immediately to avoid compromise, adding that attackers are now increasingly targeting vulnerable networks in France, Finland, the United States and Canada. Organizations are also advised to scan their systems for the malware. Germany's cybersecurity agency, BSI, issued an alert on Monday.
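The patch-and-scan advice above is easier to act on with an inventory of which hosts still answer on the OpenSLP port. The following script is an added example written for this page; it is not code from the article, from VMware or from any of the agencies cited. It builds an SLPv2 Service Request per RFC 2608, sends it to TCP 427 and parses the Service Reply. Two assumptions are made and labelled in the code: that an ESXi host registers the service type "service:VMwareInfrastructure" with its SLP daemon, and that the daemon answers over TCP. A reply only proves that SLP is reachable on that host; it says nothing about whether the February 2021 patch is installed, so the host's build number still has to be checked separately. Run it only against hosts you are authorized to scan.

```python
"""Probe ESXi hosts for an exposed OpenSLP service on TCP 427 (added example, not the article's code).

Assumptions: ESXi registers the service type "service:VMwareInfrastructure" with its SLP daemon,
and the daemon answers a SrvRqst over TCP. A reply shows SLP exposure only, not patch status.
"""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST = 1   # Service Request (RFC 2608 section 8.1)
FN_SRVRPLY = 2   # Service Reply   (RFC 2608 section 8.2)
VMWARE_SERVICE = "service:VMwareInfrastructure"  # assumed service type advertised by ESXi


def _header(function_id, body_len, xid, lang):
    """SLPv2 header: version, function, 3-byte length, flags, 3-byte next-ext offset, XID, language tag."""
    lang_b = lang.encode()
    total = 14 + len(lang_b) + body_len
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")
            + struct.pack("!H", 0)            # flags: no overflow/fresh/multicast bits set
            + (0).to_bytes(3, "big")          # next extension offset: no extensions
            + struct.pack("!H", xid)
            + struct.pack("!H", len(lang_b)) + lang_b)


def build_srvrqst(service_type=VMWARE_SERVICE, scope="DEFAULT", xid=1, lang="en"):
    """SrvRqst body: empty PRList, service type, scope list, empty predicate, empty SLP SPI."""
    body = b"".join(struct.pack("!H", len(s)) + s
                    for s in (b"", service_type.encode(), scope.encode(), b"", b""))
    return _header(FN_SRVRQST, len(body), xid, lang) + body


def build_srvrply(urls, xid=1, lang="en", error_code=0):
    """Build a SrvRply as a daemon would; used here only to construct offline sample input."""
    body = struct.pack("!HH", error_code, len(urls))
    for url in urls:
        u = url.encode()
        # URL entry: reserved(1) lifetime(2) url-len(2) url, then the count of auth blocks (0 here)
        body += struct.pack("!BHH", 0, 65535, len(u)) + u + b"\x00"
    return _header(FN_SRVRPLY, len(body), xid, lang) + body


def parse_srvrply(data):
    """Return (xid, error_code, [urls]) from a SrvRply, skipping any authentication blocks."""
    if len(data) < 14 or data[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    if data[1] != FN_SRVRPLY:
        raise ValueError("not a SrvRply (function id %d)" % data[1])
    if len(data) < int.from_bytes(data[2:5], "big"):
        raise ValueError("truncated message")
    xid = struct.unpack("!H", data[10:12])[0]
    lang_len = struct.unpack("!H", data[12:14])[0]
    off = 14 + lang_len
    error_code, count = struct.unpack("!HH", data[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        url_len = struct.unpack("!H", data[off + 3:off + 5])[0]   # skip reserved(1) + lifetime(2)
        off += 5
        urls.append(data[off:off + url_len].decode("utf-8", "replace"))
        off += url_len
        n_auth = data[off]
        off += 1
        for _ in range(n_auth):
            # auth block: BSD(2), then a 2-byte length that covers the whole block
            off += struct.unpack("!H", data[off + 2:off + 4])[0]
    return xid, error_code, urls


def probe_host(host, timeout=3.0):
    """Send one SrvRqst to host:427 over TCP; return the parsed reply, or None if unreachable or unparseable."""
    request = build_srvrqst(xid=0x1234)
    try:
        with socket.create_connection((host, SLP_PORT), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            data = b""
            # keep reading until the 3-byte length field in the header is satisfied
            while len(data) < 5 or len(data) < int.from_bytes(data[2:5], "big"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:          # connection refused, timeout, unreachable
        return None
    try:
        return parse_srvrply(data)
    except ValueError:
        return None


if __name__ == "__main__":
    import sys
    # usage: python slp_probe.py host1 host2 ...   (only against hosts you are authorized to scan)
    for h in sys.argv[1:]:
        r = probe_host(h)
        print(h, "SLP exposed, urls=%r" % (r[2],) if r else "no SLP reply")
```

A host that answers is one where the vulnerable service is reachable and should be at the top of the patch list; a host that does not answer may be patched, may have SLP disabled per VMware's workaround, or may simply be filtered, so the build number is still the authoritative check.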
Deep web monitoring firm DarkFeed tweeted on Monday that VMware ESXi ransomware attacks are continuing to spread globally and said the greatest number of cases are being reported from France. As of Monday, it says, there were 188 instances of compromise there, followed by Germany with 91 cases and the United States with 69.