February 5, 2023 - Durt Fibo

This morning, Italy (which has long lagged behind other countries in moving its governmental functions to a usable internet format) admitted that it is choking in the clutches of a “massive hacker attack,” chiefly among those very governmental networks. The news was released at the insistence of the Agenzia per la Cybersicurezza Nazionale (ACN: National Cybersecurity Agency), which says that it has found “several dozen probably compromised national systems and alerted numerous subjects whose systems are exposed but not yet compromised.” The attack is described as being “in progress.”

The weekend’s hack wave specifically targeted VMware ESXi servers, and is almost certainly part of a campaign by the Nevada ransomware operation, which is using CVE-2021-21974 as its compromise vector. The attacks are basically targeting ESXi servers on versions earlier than 7.0 U3i, likely through the OpenSLP port. By the end of last month (Jan. 2023), Resecurity’s cybercrime intelligence reporting had decided the danger was so uncontained that it ran this warning: “On December 10th, 2022 the actor ‘nebel’ published a post describing the new project and then proceeded to invite new affiliates. The Nevada Ransomware offers very attractive and competitive conditions – 85% (to partner) with a further increase to 90% assuming further progress. Notably, the actors also acquired compromised access for further development besides being ransomware developers. Based on our current assessment, they have a team performing post-exploitation to develop the initial point of compromise into full-blown network intrusion to achieve maximum damage.”
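For administrators who want to check their own hosts against the exposure described above, the following POSIX shell script is an added example (not part of this article and not VMware's own tooling). It parses the banner from `vmware -v`, the `esxcli network firewall ruleset list` table and `chkconfig --list slpd` output to decide whether OpenSLP is still reachable, and, when run with `--apply` on an ESXi host, applies the mitigation VMware documents for hosts that cannot be patched immediately: stop `slpd`, turn off its autostart, and close the CIMSLP firewall ruleset. The fixed build number is left as a parameter to be taken from the vendor advisory for CVE-2021-21974; the build numbers and table rows in the comments are constructed sample values, and the output formats are assumed to match those of ESXi 6.x/7.x.

```shell
#!/bin/sh
# Added example, not from the article and not VMware's tooling: audit an ESXi
# host for the OpenSLP exposure tied to CVE-2021-21974 and apply the
# vendor-documented mitigation (stop slpd, disable autostart, close CIMSLP).
# Assumed output formats: `vmware -v`, `esxcli network firewall ruleset list`,
# `chkconfig --list slpd`. Parsers take the output as text so they can be
# exercised off-host with constructed samples.

# Pull the numeric build from a `vmware -v` banner such as
# "VMware ESXi 7.0.3 build-11111111" (constructed sample value).
extract_build() {
    printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p'
}

# Return 0 when the build in the banner ($2) is at least the fixed build ($1).
# The fixed build is a parameter on purpose: take it from the vendor advisory
# for CVE-2021-21974 for your ESXi line rather than hard-coding it here.
build_at_least() {
    fixed="$1"
    actual=$(extract_build "$2")
    [ -n "$actual" ] && [ "$actual" -ge "$fixed" ]
}

# Return 0 when the CIMSLP ruleset is enabled in `esxcli network firewall
# ruleset list` output (rows of the form "<name>   <true|false>"; the header
# and dashed separator rows are ignored because their first field is not CIMSLP).
slp_ruleset_enabled() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" { enabled = ($2 == "true") }
                              END { if (enabled) exit 0; exit 1 }'
}

# Return 0 when `chkconfig --list slpd` reports the service set to start
# at boot (a row such as "slpd    on").
slpd_autostart_on() {
    printf '%s\n' "$1" | awk '$1 == "slpd" { on = ($2 == "on") }
                              END { if (on) exit 0; exit 1 }'
}

# Print "exposed" when SLP is open through the firewall or set to autostart,
# "mitigated" otherwise.
slp_exposure() {
    fw="$1"; svc="$2"
    if slp_ruleset_enabled "$fw" || slpd_autostart_on "$svc"; then
        echo exposed
    else
        echo mitigated
    fi
}

# Live hardening, only meaningful on an ESXi host: these are the commands from
# VMware's guidance for disabling SLP. Refuses politely where esxcli is absent
# so the parsers above remain usable on any POSIX system.
apply_mitigation() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found; this is not an ESXi host" >&2
        return 2
    fi
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    # Re-read the live state and report it.
    slp_exposure "$(esxcli network firewall ruleset list)" "$(chkconfig --list slpd)"
}

if [ "${1:-}" = "--apply" ]; then
    apply_mitigation
fi
```

Disabling SLP only removes the entry point this campaign is said to use; the host still needs the vendor patch, and `build_at_least` exists so the same script can confirm that once the fixed build for your ESXi line is known.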

The first country to publicly admit the hack attacks was France (at the beginning of this month), due to the immense number of infections recorded on systems there, and other nations quickly followed; today’s estimate of infected servers hovers in the thousands globally, including Italy, Finland, Canada and the USA. Instances accounted for just this weekend in Italy amount to “dozens,” a figure experts state will continue to increase. The exploitation of the vulnerability, the ACN explained, “allows in a subsequent phase to carry out ransomware attacks that encrypt the affected systems making them unusable until a ransom is paid for the decryption key”.