The vulnerabilities were exploited by a large gang of ransomware who decided to take advantage of vulnerabilities in the VMWare ESXi product that develops virtual machines in corporate environments in order to encrypt their virtual hard drives.
The vulnerabilities of CVE-2019-5544 and CVE-2020-3992 affect the Service Location Protocol (SLP) included in VMware ESXi, which is used by devices on the same network to identify each other.
The ESXi instances that are commonly reported on the VMWare vCenter server, even if the attacker fails to put it at risk, allow it to send malicious SLP requests to an ESXi device and control it.
The RansomExx gang claimed responsibility for last year’s attacks on encrypted virtual hard drives. The team exploited a vulnerability in a corporate network device to attack local ESXi instances, upsetting the company.
Only the RansomExx team (also known as Defray777) appears to be responsible for the attacks, while system administrators in VMWare ESXi-based companies recommend disabling SLP support and making the necessary ESXi updates.