
Atlassian Warns of Critical Confluence Vulnerability Resulting in Data Loss


Just weeks after state-backed hackers targeted its products, Australian software giant Atlassian has warned of a critical security flaw that could result in "significant data loss" for customers. 

The company issued an advisory this week urging clients to patch against the vulnerability affecting on-premise versions of Atlassian Confluence Data Centre and Server, a widely deployed collaborative wiki that enterprises use to manage and share work. The product was recently the target of Chinese state-sponsored hackers, who compromised a "handful" of Atlassian customers by exploiting a separate vulnerability with a maximum 10.0 severity rating. 

This most recent vulnerability has been classified as an "improper authorization vulnerability." It is tracked as CVE-2023-22518 and has received a rating of 9.1 out of 10 on the vulnerability severity scoring system. According to Atlassian, "significant data loss if exploited by an unauthenticated attacker" could result from it. 

There is "no impact to confidentiality as an attacker cannot exfiltrate any instance data," according to Atlassian, which stated that as of October 31, there had been no reports of active exploitation. Additionally, this vulnerability does not impact sites hosted on the Atlassian Cloud that are accessible through an atlassian.net domain. 

The Atlassian CISO, Bala Sathiamurthy, stated in the company's advisory that customers need to take “immediate action” to protect their instances even though the flaw isn’t being actively exploited yet. 

Atlassian said that all publicly accessible versions of Confluence Data Centre and Server "are at critical risk" and require immediate attention. If administrators are unable to upgrade promptly to a fixed version, Atlassian has advised them to implement temporary mitigations. 

"Until you can patch, instances that are accessible to the public internet, including those that require user authentication, should be restricted from accessing external networks," the company stated. 

Earlier this month, Atlassian announced that it is set to acquire the video messaging startup Loom for $975 million. The company said it believes Loom can be a useful collaboration tool for its platform, particularly Jira and Confluence.

Johnson Controls Breach Allegedly Leaked Sensitive DHS Data


A king-sized ransomware attack that targeted Johnson Controls forced certain parts of its IT systems to go offline and disrupted some of its operations. The attack on the renowned manufacturer of industrial control systems is reportedly the work of the Dark Angels hacker group. 

According to BleepingComputer, which broke the story first, the ransomware group is demanding $51 million in exchange for a decryptor and a complete wipeout of stolen data. 

As part of the hack, the company's ESXi servers were allegedly encrypted and some 27 terabytes of data were stolen by the digital hijackers. 

Theft of DHS data? 

Of particular concern, CNN reported, is that the stolen data may expose sensitive Department of Homeland Security (DHS) information, including physical floor plans of some agency buildings and security details of contracts with third parties.

According to an internal DHS email reviewed by CNN, it is unclear whether Dark Angels or other attackers have taken control of Johnson Controls' private information. 

“Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers,” the memo stated. “We do not currently know the full extent of the impact on DHS systems or facilities.” 

Researchers believe that the ransomware employed in the attack is essentially identical to the RagnarLocker Linux ransomware developed in 2021. In an 8-K regulatory filing with the Securities and Exchange Commission (SEC), Johnson Controls stated that while some of its systems had been attacked by ransomware, many of its applications "remain operational." 

Johnson Controls and its insurers are working on the recovery with external cybersecurity experts, perhaps managed security service providers (MSSPs), and possibly forensics specialists. The attack commenced at the company's Asia offices and then extended to its subsidiaries. The attackers reportedly launched the intrusion last weekend.

Statement from Johnson Controls 

Johnson Controls reported in the 8-K filing that the incident is expected to continue to disrupt certain parts of the company's business operations: 

"Johnson Controls International plc (the “Company”) has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident. Promptly after detecting the issue, the Company began an investigation with assistance from leading external cybersecurity experts and is also coordinating with its insurers. 

The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate." 

At this time, it's unclear whether Johnson Controls will be able to announce fourth-quarter and full-year fiscal year results, as well as the financial impact of the attack.

Here's Why Cybercriminals are Targeting Linux Operating Systems


Internal strife is common among ransomware gangs. They argue, they fight, and they establish allies only to rapidly break them. Take, for instance, the leak of malware code from Babuk, which was compromised in 2021 by hackers enraged at being duped by the infamous ransomware gang. 

The outcomes of this intramural warfare are frequently fruitful for cybersecurity experts. After that leak, ten other ransomware gangs used the code to attack VMware ESXi servers, and a number of variants were produced that researchers have been busy analysing ever since. 

However, what made this particular family of malware noteworthy was that it specifically targeted Linux, which has quickly become a favourite of developers working on creating virtual machines for cloud-based computer systems, hosting for live websites, or IoT devices. With an estimated 14 million internet-facing gadgets, 46.5% of the top million websites by traffic, and an astounding 71.8% of IoT devices using Linux on any one day, its use has increased significantly in recent years. 

That's excellent news for advocates of open-source software development, for whom Linux has always served as an illustration of what can be accomplished when coding communities work together without being constrained by anything as odious as a corporate culture or a profit motivation. 

It's also really alarming for some cybersecurity specialists. Not only is there a significant dearth of ongoing research into the security of Linux-based systems in comparison to those based on more mainstream operating systems, but there is also no official, overarching method for patching the vulnerabilities in this OS. Instead, as befits an open-source product, 'flavours' of Linux are patched on an ad hoc basis by developers with time and intellect to spare - a valuable resource in the face of a real tsunami of cybercrime. Attackers are taking note. AtlasVPN discovered over 1.9 million new malware threats last year, representing a 50% rise year on year.

Shifting trend 

It wasn't always like this. Bharat Mistry recalls a time when hackers were more interested in cracking open old Windows computers. "I believe cybercriminals stayed away because they believed the popularity wasn't there," says Trend Micro's technical director for the UK and Ireland. Linux had a reputation for being secure by design, with reduced default access levels and other characteristics designed to hinder the easy spread of malware. "But over the last six years, certainly with cloud usage, it's [usage has] exponentially grown," says Mistry, increasing the amount of possible vulnerabilities. 

According to Mistry, this is largely due to the fact that it offers a cheap and cheerful alternative to the dominant OS brands, with many different flavours of licence-free Linux available. "When you look at things like web servers that are hosted in the cloud, [why] should I pay for a Windows licence?" Mistry asks, speaking from the perspective of a savvy, money-conscious company. A Linux alternative is "as cheap as chips and does exactly what I need it to do. I can install Apache on it... and have the performance I want without the extra cost." 

Unfortunately, if an operating system is designed and maintained according to open source principles, hackers looking to exploit it can simply source it on GitHub and other software forums. Ensar Seker, for one, is concerned about the consequences for the use of virtual machines (VMs) in the cloud. "Virtual machines often lack the same level of security monitoring as physical systems, making it easier for attackers to go undetected for a longer period of time," says the chief information security officer at digital risk protection platform SOCRadar. 

The fact that the vast majority of software on IoT devices is based on Linux should also be cause for concern, according to the researcher, especially considering the rate of development expected for the smart device market over the next decade. More concerningly, Mistry continues, "we're seeing Linux being used more and more in critical systems," owing to how easy it is to branch and customise variants of the OS to suit particular jobs compared to its mainstream counterparts.

Given hackers' access to the operating system's source code, malware designed to break into open-source versions of these systems is frequently created to a higher standard than its Windows-targeting counterparts. It is also popular among a wide range of cybercriminal gangs. Tilted Temple, a Chinese cyber group, has utilised Linux-based malware to infiltrate important national infrastructure on three continents. 

Major players in the cybercriminal underworld, such as Black Basta, Lockbit, and Hive, have all been identified as deploying targeted Linux-chomping malware to breach online infrastructure. Another such gang, RTM, has been seen on dark web forums trading in harmful, Linux-targeting software. 

It's unclear how prepared cybersecurity providers are for this new threat. After all, until recently, these companies spent far more time fixing vulnerabilities in more widespread operating systems. Far fewer have investigated how vulnerable Linux systems can be to hacking - a squandered opportunity, according to Mistry. "Everyone's been so focused on Windows over the last few years because it's been the predominant operating system that all enterprises use," he explains. "But, in the background, Linux has always been there." 

Future threats 

Mistry does not believe the current wave of Linux attacks will abate anytime soon. He feels it will be some time before consumers and developers become aware of the risks and alter their behaviours. "The vulnerabilities in Linux platforms are massive," Mistry adds. "No one is actively controlling the vulnerabilities and patching them on a daily basis." 

Does this imply that its open-source framework contributes directly to Linux's lack of security? Certainly less, says Mistry. "You've got the openness, you've got the mass flexibility - the problem is when it comes to support," explains Mistry. 

Organisations developing new software on Linux should educate themselves on the trade-offs involved in adopting the operating system. The communities of developers modifying and patching this or that variant of Linux have "got people who will do things, but there's no kind of set body to say, 'This is the kind of direction we're going [in],'" adds Mistry, let alone any built-in regime mandating security standards. As a result, firms would be advised, according to the Trend Micro researcher, to install their own regime or create a viable audit trail for products built on some of the more unusual varieties of Linux. 

So, are the days of Linux as a popular OS alternative numbered? Probably not in the short term, and many cybersecurity vendors are becoming aware of the threat posed by Linux-based systems, according to Mistry. Nonetheless, according to Seker, each new security event involving Linux-targeting malware only serves to erode its reputation as an economical, secure, and open-source alternative to the monolithic Windows and iOS. "Even a single high-profile incident can quickly change a perception if the security community does not respond to threats promptly and effectively," he says.

Global Ransomware Attack on VMware ESXi Hypervisors Continues to Proliferate


Several governmental organisations and researchers report that an international ransomware attack targeting VMware ESXi hypervisors is expanding after infecting thousands of targets. 

More than 3,200 servers in Canada, France, Finland, Germany, and the US have already been affected by the attack, which was originally detected late on February 3 by the French Computer Emergency Response Team (CERT-FR), according to Censys tracking.

The point of compromise is an exploit for CVE-2021-21974, a two-year-old remote code execution (RCE) vulnerability in the hypervisor's Open Service Location Protocol (OpenSLP) service.

According to a Feb. 5 notification from French hosting company OVHcloud, which has clients hit by the attacks, the attack's purpose appears to be the installation of a novel ransomware strain called "ESXiArgs," although the gang behind it is unclear.

The alert states, "we [previously] made the assumption the attack was linked to the Nevada ransomware which was a mistake." It continues: "No material can lead us to attribute this attack to any group. Attribution is never easy and we leave security researchers to make their own conclusions." 

According to a copy of the ransom note published by a Dark Web monitor known as DarkFeed, the attackers are demanding about 2 Bitcoin ($23,000 at press time) to be delivered within three days of compromise; if the victims don't pay up, the ransom will increase and the gang will release sensitive data, they warned. Rapid7, a cybersecurity company, found in an analysis that there has been no proof of actual data exfiltration as yet. 

In contrast, the encryption procedure appears to be the main objective, and it is primarily aimed at virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem), according to the firm's evaluation. "In some circumstances, file encryption may only partially succeed, enabling the victim to recover data."

VMX, or Virtual Machine Executable, is a process that runs in the VMkernel and performs I/O requests; also, "the malware tries to shut down virtual machines by destroying the VMX process to unlock the files," according to Rapid7. The alert further stated that "this function is not consistently functioning as planned, resulting in files remaining locked." 

Administrators should apply patches right away to protect themselves from cyberattacks. As a workaround, the CERT-FR alert advises that "the SLP can be disabled on any ESXi servers that haven't been updated, in order to further mitigate the risk of compromise." 

Additionally, according to a warning issued over the weekend by Singapore's SingCERT, "users and administrators are also encouraged to check if the ransomware campaign-targeted port 427 can be stopped without impacting operations." 
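The CERT-FR and SingCERT workaround above (disable SLP, close port 427) as a defender-side check script. This is an added example, not code from the original post or from VMware; the esxcli, chkconfig and /etc/init.d/slpd commands are assumed to be those VMware documents for disabling SLP on ESXi, and the firewall-ruleset and chkconfig listings it parses when run off-host are constructed samples.

```shell
#!/bin/sh
# Added example: is the OpenSLP service (port 427) still enabled on this
# ESXi host, and if so, apply the CERT-FR workaround of disabling it.
# Assumption: command names follow VMware's documented SLP-disable steps.

# Parse "esxcli network firewall ruleset list" output and print the
# Enabled value (true/false) of the CIMSLP ruleset, or "missing".
slp_ruleset_state() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Parse "chkconfig --list slpd" output and print on/off, or "missing".
slpd_boot_state() {
    printf '%s\n' "$1" | awk '
        $1 == "slpd" { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Succeeds (exit 0) when the firewall still allows SLP or the daemon is
# set to start at boot, i.e. the workaround is not fully applied.
slp_needs_mitigation() {
    rstate=$(slp_ruleset_state "$1")
    bstate=$(slpd_boot_state "$2")
    [ "$rstate" = "true" ] || [ "$bstate" = "on" ]
}

# The workaround itself; only meaningful on an ESXi shell.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

if command -v esxcli >/dev/null 2>&1; then
    rules=$(esxcli network firewall ruleset list)
    boot=$(chkconfig --list slpd)
else
    # Constructed sample output so the check can be exercised off-host.
    rules='Name       Enabled
---------  -------
sshServer  true
CIMSLP     true'
    boot='slpd    on'
fi

if slp_needs_mitigation "$rules" "$boot"; then
    echo "SLP still enabled: run disable_slp and patch CVE-2021-21974"
else
    echo "SLP already disabled; patching CVE-2021-21974 is still required"
fi
```

Disabling SLP is a stopgap only; the ESXi patch for CVE-2021-21974 remains the actual fix.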

Cybercriminals continue to target VMware; just last week, exploit code for further RCE issues that were present in the product line of the virtualization expert was discovered.

AvosLocker Ransomware New Variant Targets Linux Systems and ESXi Servers


The AvosLocker ransomware gang has added AvosLinux to its arsenal for encrypting Linux systems, specifically targeting VMware ESXi virtual machines. Although no details are available about the targeted companies or institutions, at least one victim is alleged to have received a $1 million ransom demand. 

A few months ago, the AvosLocker gang was also spotted advertising its latest ransomware variants, Windows Avos2 and AvosLinux, while warning affiliates against attacking post-Soviet/CIS targets. "Our new variants (avos2 / avoslinux) have the best of both worlds to offer: high performance & high amount of encryption compared to its competitors," the gang said.

Upon installation on a Linux system, AvosLocker terminates ESXi virtual machines on the server using the following command: esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}' 

Once it starts operating on a compromised device, the ransomware appends the .avoslinux extension to all encrypted files. It also leaves ransom notes asking victims not to shut down the computer, to avoid file damage, and to visit the Tor site that contains the information about paying the ransom. 

The AvosLocker ransomware-as-a-service was first identified during the summer of 2021 and its attacks surged between November and December. In a recent wave of attacks, AvosLocker ransomware is rebooting systems into Windows Safe Mode for easier device management and more efficient resource usage. 

By targeting virtual machines, ransomware authors also benefit from easier and faster encryption of multiple servers with a single command. Since October 2021, Hive ransomware has been encrypting Linux and FreeBSD systems with new malware variants, only months after cybersecurity researchers uncovered a REvil ransomware Linux encryptor targeting VMware ESXi virtual machines.

According to Emsisoft CTO Fabian Wosar, multiple ransomware operators including Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty, have also designed and used their own Linux encryptors. "The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically," Wosar explained. 

HelloKitty and BlackMatter ransomware Linux variants were also identified in the wild by security experts in July and August, further validating Wosar's statement. The Snatch and PureLocker ransomware operations have also been observed using Linux encryptors in the past.

Acer Confirms Breach After Cyber Attack on Indian Servers


A hacker group has claimed to have breached Acer India's servers and obtained about 60GB of confidential information belonging to several million of the company's customers. 

According to a post on a prominent hacker site noticed by Privacy Affairs researchers, the group known as Desordern claimed to have acquired consumer information, business data, financial data, and information linked to recent company audits. 

According to the hackers, the breach includes information on several million Acer customers, the majority of them from India. It appears to have happened on October 5, according to the most recent date stated in the leaked databases. Desordern also stated that it will provide Acer with access to the database in order to verify the data and show that the breach is legitimate. 

A sample of the data released for free, which included information on over 10,000 people, was confirmed to be accurate and genuine by Privacy Affairs researchers, who were able to contact some of those impacted. Data belonging to millions more Acer customers will be available for a fee at a later date, according to the group. 

An Acer spokesperson told IT Pro, “We have recently detected an isolated attack on our local after-sales service system in India.” 

“Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India.” 

The issue has been reported to local law enforcement and the Indian Computer Emergency Response Team, according to the spokesperson, and there has been no substantial impact on the company's activities or business continuity. 

In March of this year, Acer was the victim of a $50 million ransomware attack carried out by the notorious ransomware group REvil. The group disclosed the Acer breach on its website, where it displayed images of allegedly stolen information such as financial spreadsheets, bank communications, and bank balances. That breach was thought to be connected to a Microsoft Exchange cyber-attack conducted by at least 10 hacker groups.