RSAweb outage linked to global ransomware exploit identified in 2021

By sokonnect. Published February 6, 2023; last updated February 6, 2023, 2:52 pm.

The massive RSAWeb outage which plunged South African netizens into a cyber-darkness last week may have been linked to a global ransomware attack of staggering proportions.

Several RSAWeb clients were affected by the outage last week, including The Citizen, Moneyweb, Jacaranda, Maroela Media, 2OceansVibe, and others.

Service was restored to some clients on Friday, while others were still experiencing connection issues.

RSAWeb outage

On Sunday, RSAWeb CEO Rudy van Staden said in a letter addressed to the company’s customers that the recent service disruption was caused by a “highly sophisticated cyberattack”.

RSAWeb’s “Cloud and Shared Hosting customers were particularly impacted by this malicious attack. Given the sophisticated nature of this attack the recovery process is highly complex”.

He said there was no reason to “believe that any customer or employee data was accessed or misused” as a result of the attack.

Global ransomware attack

Van Staden said RSAWeb was the victim of an “extremely capable and devious threat actor” that had caused outages across the globe, including in South Africa.

The cyberattack, however, wasn’t confined to South Africa; it also brought Italy’s Internet to its knees on Sunday.

Telecom Italia, the country’s largest telecommunications company, experienced connectivity issues yesterday which affected dozens of Italian organisations.

Italy targeted, other countries vulnerable

Stefano Zanero, senior professor of cybersecurity at Italy’s Politecnico di Milano, confirmed the attack targeted a two-year-old vulnerability in VMware ESXi servers “which should have been patched by now”.

He added: “But evidently many servers are still not protected.”

While the Italian National Cybersecurity Agency [1] confirmed most of the country’s Internet had been restored, it warned that France, Finland, the Netherlands, the US and Canada could be vulnerable to the next wave of attacks.

The ransomware variant called ESXiArgs allegedly exploits a vulnerability which VMware identified and patched in 2021 [2].

CVE-2021-21974 unpacked

According to the National Vulnerability Database (NVD) [3], CVE-2021-21974 is an ESXi OpenSLP heap-overflow vulnerability first reported in 2021.

Patches for the vulnerability were released on 23 February 2021, as per a security advisory issued by VMware at the time.

A VMware spokesperson said “security hygiene is a key component of preventing ransomware attacks”, and urged customers who were running outdated versions to apply the patch.
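The vulnerability lives in the OpenSLP service of ESXi, so a host is only reachable through it while an unpatched build still has slpd running and the CIMSLP firewall ruleset (port 427) open. As an added illustration, not code from the article or from VMware, the following Python helper parses captured output of the standard ESXi commands `vmware -v`, `/etc/init.d/slpd status` and `esxcli network firewall ruleset list` and sorts each host into patched, mitigated (unpatched but SLP unreachable), exposed or unknown. The fixed build numbers are placeholders to be filled in from the VMware advisory [2], and all command output and host names below are constructed.

```python
"""Triage helper for CVE-2021-21974 exposure (added example, not from the article)."""
import re
from dataclasses import dataclass

# Constructed placeholders: replace with the fixed build numbers given in the
# VMware advisory [2] for each ESXi major version in your estate.
FIXED_BUILDS_PLACEHOLDER = {"7.0": 17_000_000, "6.7": 17_000_000, "6.5": 17_000_000}


@dataclass
class HostFacts:
    name: str
    major: str               # ESXi major.minor, e.g. "7.0"
    build: int
    slpd_running: bool
    cimslp_enabled: bool     # state of the CIMSLP firewall ruleset (TCP/UDP 427)


def parse_vmware_v(text: str):
    """Parse `vmware -v` output such as 'VMware ESXi 7.0.0 build-16850804'."""
    m = re.search(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)", text)
    if not m:
        raise ValueError("unrecognised 'vmware -v' output: %r" % text)
    return m.group(1), int(m.group(2))


def parse_slpd_status(text: str) -> bool:
    """Parse `/etc/init.d/slpd status` ('slpd is running' / 'slpd is not running')."""
    return "is running" in text and "not running" not in text


def parse_ruleset_list(text: str) -> dict:
    """Parse `esxcli network firewall ruleset list` into {ruleset_name: enabled}."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(true|false)$", line.strip())
        if m:                                   # header and dashed lines never match
            rules[m.group(1)] = (m.group(2) == "true")
    return rules


def build_facts(name, vmware_v, slpd_status, ruleset_list) -> HostFacts:
    major, build = parse_vmware_v(vmware_v)
    rules = parse_ruleset_list(ruleset_list)
    return HostFacts(name, major, build,
                     parse_slpd_status(slpd_status),
                     rules.get("CIMSLP", False))


def classify(h: HostFacts, fixed_builds=FIXED_BUILDS_PLACEHOLDER) -> str:
    """'patched', 'mitigated' (unpatched but SLP unreachable), 'exposed' or 'unknown'."""
    fixed = fixed_builds.get(h.major)
    if fixed is None:
        return "unknown"          # version not in the advisory table: investigate by hand
    if h.build >= fixed:
        return "patched"
    if not h.slpd_running or not h.cimslp_enabled:
        return "mitigated"        # workaround in place: service stopped or port closed
    return "exposed"


def triage(inventory, fixed_builds=FIXED_BUILDS_PLACEHOLDER) -> dict:
    """Map each host name to its status; inventory is a list of HostFacts."""
    return {h.name: classify(h, fixed_builds) for h in inventory}


# --- constructed sample command output for four hypothetical hosts ---
RULESET_OPEN = "Name      Enabled\n--------  -------\nsshServer true\nCIMSLP    true\n"
RULESET_CLOSED = "Name      Enabled\n--------  -------\nsshServer true\nCIMSLP    false\n"

SAMPLE_INVENTORY = [
    build_facts("esx-a", "VMware ESXi 7.0.0 build-16850804", "slpd is running", RULESET_OPEN),
    build_facts("esx-b", "VMware ESXi 7.0.0 build-16850804", "slpd is not running", RULESET_CLOSED),
    build_facts("esx-c", "VMware ESXi 7.0.0 build-17800000", "slpd is running", RULESET_OPEN),
    build_facts("esx-d", "VMware ESXi 6.0.0 build-15000000", "slpd is running", RULESET_OPEN),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

A "mitigated" host is still unpatched: the workaround only removes the network path to the bug, so the build should still be raised to the fixed version from the advisory. A "patched" host with SLP still enabled is not wrong, but the service is rarely needed and keeping it off narrows the attack surface.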

Businesses not prepared

Meanwhile, Stephen Osler, Co-Founder and Business Development Director at Nclose, said it could take anywhere between “two weeks to months to recover from a devastating cyber or ransomware attack”.

Osler said many businesses aren’t prepared for an attack of this scale, adding that it could also result in the “potential loss of customer data”.

“Often in these types of ransomware attacks, it’s not just about the encryption of data systems; the attackers could also steal large volumes of data. That is obviously quite alarming, considering the POPIA act”.

South African outage: timeline

On 1 February, RSAWeb said the disruption affected key services, including Mobile APN, Cloud PBX (private branch exchange), FTTx (Fiber to the x), hosting, and VoIP (voice-over-IP) services.

At the time, RSAWeb said engineers were “prioritising the recovery of customer PBXs to restore Business VoIP telephony services, with parallel efforts underway to restore Mobile APN and Cloud services”.

RSAWeb repeated the same updates throughout the week.

On Sunday, Van Staden said “given the sophisticated nature of this attack, the recovery process is highly complex”.

He said steps were immediately taken [on Wednesday] to contain and secure RSAWeb’s systems and to “determine the cause of this malicious attack”.

As of 10:34 on Monday, 6 February, engineers were restoring customer Cloud and Hosting services, while “onsite field engineers are making great progress with bringing customer PBX services back online”.

The Citizen reached out to RSAWeb and will update when feedback is provided.


Sources:

[1] CSIRT Italia
[2] VMware security advisory
[3] CVE-2021-21974 NVD database entry
