The website of Agenzia per la Cybersicurezza Nazionale (ACN), Italy’s national cybersecurity agency, became inaccessible on Monday, hours after it issued a global warning about a massive ransomware news attack.
Italy is facing a large-scale hacking attack that might spill over to thousands of computer servers globally, ACN issued a warning on Sunday, February 5.
The ACN director general, Roberto Baldoni, has warned organizations to take measures to secure their systems as the attack aimed to exploit a software vulnerability, reported Reuters.
The attackers are focusing on VMware ESXi servers that have not been patched against a remote code execution vulnerability that is two years old.
The aim is to spread a new type of ransomware called ESXiArgs. This vulnerability, known as CVE-2021-21974, results from a heap overflow issue in the OpenSLP service and can be easily exploited by unauthenticated attackers in low-complexity attacks.
In addition to Italy, servers in other European countries such as France and Finland, as well as the United States and Canada, have been impacted.
Many Italian organizations may have been impacted, with several others advised to take action to prevent being shut out of their systems.
Italy, ransomware attacks, and VMware
According to news agencies, the trouble began with ransomware attacks tapping a two-year-old computer vulnerability, with Italy facing the most damage at the time of publishing.
The Italian Premier’s office confirmed that the computer system attacks in the country utilized ransomware that was already in circulation in a product made by cloud technology provider VMware, reported AP.
A French cybersecurity agency’s technical bulletin from Friday indicated that the attacks targeted VMware ESXi hypervisors, which are utilized to monitor virtual machines.
“As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,” said the CERT-FR alert.
Despite the bug being fixed by VMware in February 2021, the attacks are focused on older, unpatched versions of the product.
The company advised its customers to apply the patch if they haven’t done so already and emphasized that security hygiene is crucial in preventing ransomware attacks.
To prevent incoming attacks, administrators must deactivate the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that have not been updated.
According to CERT-FR, the patch must be made as soon as possible and unpatched systems should be examined for signs of compromise.
The vulnerability affects the following systems: ESXi versions 7.x before ESXi70U1c-17325551, ESXi versions 6.7.x before ESXi670-202102401-SG, and ESXi versions 6.5.x before ESXi650-202102101-SG.
U.S. up in action after Italy alert
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating the reported incidents of a global computer hacking attack, as alerted by Italy’s ACN, reported Reuters
CISA is working with both public and private sector partners to evaluate the impact of these incidents and offer support where necessary.
The agency has advised that any organization facing a cybersecurity issue should report it to either the FBI or CISA.
The ransomware attack coincided with widespread internet outages in Italy. However, it was unclear if the internet disruptions were related to the ransomware attacks, reported AP.
In recent months, attackers have been specifically targeting Italian brands. In November 2022, Vodafone Italy, a branch of the British telecom company, alerted its clients to a security breach after its reseller, FourB S.p.A., was hit by a cyber attack.
During the same period, Italian government departments and companies faced multiple attacks, reported The Cyber Express.
Additionally, the recent data leak from Italy’s 3P, which was posted on dark web forums, consisted of 25TB of information, including customer names, emails, phone numbers, postal codes, and country of residence.