Cyber Attacks on VMware ESXi Servers, Sharp HealthCare, Regal Medical Group, and Southeast Colorado Hospital District

The French Computer Emergency Response Team (CERT-FR) issued a warning regarding a persistent ransomware campaign attacking VMware ESXi hypervisors without patching against the critical heap-overflow vulnerability monitored as CVE-2021-21974.

VMware released a patch on February 3, 2021, to resolve the vulnerability; even so, hundreds of VMware ESXi virtual machines remain vulnerable to the exploit and are under attack. The vulnerability impacts the Open Service Location Protocol (OpenSLP) service. An unauthenticated attacker can
exploit this vulnerability in a low-level attack to wirelessly implement code.

As per CERT-FR, the ransomware targets ESXi hypervisors in version 6.x and earlier versions to 6.7 via OpenSLP port 427. A warning is given for the following versions as they are vulnerable to the exploit:

  • ESXi 7.x versions prior to ESXi70U1c-17325551
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG

CERT-FR presented a workaround in the notification for any entity that is unable to use the patch. However, CERT-FR still recommends patching to deal with the problem. CERT-FR has cautioned that patching the vulnerability or using the workaround isn’t enough to safeguard against attacks, since the vulnerability could actually have been used to send malicious code. Following the use of mitigations, system scans must be done to identify indications of compromise. VMware stated the attacks entail a new variant of ransomware called ESXiArgs, which adds the .args extension to the encrypted files. Although it is not yet confirmed, there seems to be no data extraction involved during the attacks, just file encryption.

Around the weekend, security researchers had reported the attack on hundreds of machines, in what seems to be programmed or semi-automated attacks taking advantage of the vulnerability. More than 500 machines were known to have been attacked last Sunday. Today, the statistics indicate attacks on over 3,200 servers. OVHcloud consumers are the most impacted, even though attacks are currently more extensive and are striking on clients of other hosting firms. OVH released security information on Friday cautioning customers regarding the campaign and encouraging them to use the patch right away. Although the attacks seemed to focus on vulnerable VMware ESXi hypervisors in Europe initially, the attacks today are more extensive and SingCERT in Singapore has already given a notification cautioning about the ransomware campaign, which involved attacks in the U.S. and Canada.

There were reports that ransomware gangs are also targeting previous versions of VMware ESXi hypervisors, though VMware states the vulnerability is limited to versions after 6.x and 7.x. That may show CVE-2021-21974 isn’t the only vulnerability being targeted. What is obvious is a number of ransomware groups have launched Linux variations of their ransomware particularly targeting ESXi hypervisors. The Royal ransomware group is one of the most recent to have a Linux version of ransomware for attacks on ESXi.

Ransomware Attack on Regal Medical Group

The Regal Medical Group based in San Bernardino, CA is an affiliate of the Heritage Provider Network. It just reported that it encountered a ransomware attack resulting in difficulty accessing the records on December 2, 2022. Third-party cybersecurity professionals helped investigate the incident and carry out appropriate breach responses. It was confirmed that malware was employed for encrypting files located on a few of its servers.

According to the forensic investigation, the attackers acquired access to the servers on December 1 and extracted files prior to deploying the ransomware. The analysis of those files confirmed they included the protected health information (PHI) of patients of Lakeside Medical Organization, Regal Medical Group, Greater Covina Medical, and ADOC Medical Group. The files comprised data like names, telephone numbers, addresses, birth dates, diagnosis and treatment data, lab test results, medication information, radiology reports, Social Security numbers, and health plan member numbers.

Regal Medical Group stated more security measures were put in place to avert more attacks and offered the impacted persons free 12-month membership to the Norton LifeLock credit monitoring service. The incident report has been submitted to the HHS’ Office for Civil Rights, however, it is still not displayed on the HHS breach website. Therefore, the number of affected patients is still uncertain.

Email Account Breach at Southeast Colorado Hospital District

Southeast Colorado Hospital District has discovered a breach affecting one email account. It detected the security breach on December 6, 2022. The forensic investigation confirmed that an unauthorized third party accessed the account on several occasions from November 23 to December 5.

Southeast Colorado Hospital District looked at all email messages and attachments inside the account. It was confirmed that the PHI of 1,435 patients were compromised. Impacted persons had at least one of these types of data compromised: Name, driver’s license number, Social Security number, birth date, medical treatment or diagnosis data, and/or medical insurance data.

The affected individuals received notification letters on February 3, 2023. Those who had their driver’s license numbers or Social Security numbers
exposed also received offers of free credit monitoring and identity theft protection services.

Cyberattack on Sharp HealthCare Web Server and Patient Data Theft

Sharp HealthCare based in San Diego has just informed more or less 63,000 patients that their personal data and PHI were potentially stolen during a cyberattack on its web server. It discovered the cyberattack on January 12, 2023, and quickly took down the web server while investigating the incident. A third-party digital forensics firm conducted an investigation and found out the nature and extent of the breach. An unauthorized third party was able to access the web server that runs the sharp.com site for a couple of hours on January 12. At that time, the third-party exfiltrated a file containing patient information.

Sharp HealthCare mentioned that the attacker did not get access to the FollowMyHealth patient website. No highly sensitive data was compromised or stolen. The attacker did not access or steal financial details, contact data, birth dates, Social Security numbers, medical insurance data, or medical data. The impacted persons had visited the site before and paid medical expenses on the internet from August 12, 2021 to January 12, 2023. Sharp HealthCare stated that the data in the stolen file differed from one patient to another and included names, internal ID numbers, amounts of payment, invoice numbers, and the names of the Sharp HealthCare facilities that got payments.

The healthcare provider sent notification letters to the 62,777 impacted persons on February 3, 2023. No credit monitoring services are provided because the stolen information is limited. Sharp HealthCare stated that there was no report received regarding actual or attempted patient data misuse. But as a safety precaution, those affected by the incident must check the statements sent by their healthcare providers. They should file a report in case there are transactions for healthcare services they did not receive. Sharp HealthCare mentioned the upgrade done on the security tools used on its website to avoid the same breaches in the future and constantly monitors its IT systems for suspicious activity.

Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.