
Ransomware Groups Exploit VMware ESXi Bug for Widespread Attacks

Several ransomware groups have been exploiting a vulnerability in VMware ESXi hypervisors that allows them to bypass authentication and rapidly deploy malware across virtual environments. Identified as CVE-2024-37085, the bug has been assigned a “medium” severity score of 6.8 out of 10 on the CVSS scale. The score reflects the fact that attackers need existing permissions in a target’s Active Directory (AD) to exploit it. However, if attackers do have AD access, they can inflict substantial damage: CVE-2024-37085 allows them to instantly elevate their ESXi privileges to the highest level, enabling the deployment of ransomware, data theft, lateral movement within the network, and more.

Notably, groups such as Storm-0506 (also known as Black Basta), Storm-1175, Manatee Tempest (part of Evil Corp), and Octo Tempest (also known as Scattered Spider) have utilized this vulnerability to distribute ransomware like Black Basta and Akira. Broadcom has released a fix for the vulnerability, which is available on its website. The vulnerability arises in scenarios where organizations configure their ESXi hypervisors to use AD for user management. By default, ESXi hypervisors grant full administrative access to any member of an AD domain group named “ESX Admins.” This oversight means that an attacker with sufficient AD privileges can create an “ESX Admins” group in the targeted domain and add a user to it, thereby gaining full administrative access to the ESXi hypervisors. Alternatively, they could rename an existing group to “ESX Admins” and use one of its existing users or add a new one. 

This vulnerability is problematic because ESXi hypervisors do not validate the existence of the “ESX Admins” group when joining a domain. The membership in this group is determined by name rather than by security identifier (SID), making the exploit straightforward. An attacker only needs to create or rename a group to “ESX Admins” to exploit the vulnerability. Ransomware attacks targeting ESXi hypervisors and virtual machines (VMs) have become increasingly common, particularly since 2020, as enterprises have accelerated their digital transformation efforts and adopted modern hybrid cloud and virtualized on-premise environments. 
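As an added example (not code from the original article), here is a small Python hunting rule over Windows Security events for the Active Directory changes that set up this attack: creation of, rename to, or member addition to an “ESX Admins” group. The event IDs are the standard Security log IDs; the field names assume an EventData-style export, and the sample events are constructed.

```python
"""Hunt Windows Security events for the AD-side precondition of CVE-2024-37085.
ESXi grants full admin rights to members of an AD group *named* "ESX Admins"
(matched by name, not SID), so creating, renaming or populating such a group
is the step a defender can alert on. Standard Security log event IDs:
4727/4731 group created, 4737/4735 group changed (rename), 4728/4732 member added.
"""
TARGET_GROUP = "esx admins"
CREATED, CHANGED, MEMBER_ADDED = {4727, 4731}, {4737, 4735}, {4728, 4732}

def _is_target(name):
    # Case-insensitive, whitespace-trimmed compare: this is a hunting rule,
    # so a false positive is preferable to missing a variant spelling.
    return name is not None and name.strip().lower() == TARGET_GROUP

def hunt(events):
    """Return (event_id, actor, reason) for each event that creates, renames
    to, or adds a member to an "ESX Admins" group. Each event is a dict of
    EventData fields from a Security log export (EventID, SubjectUserName...)."""
    findings = []
    for ev in events:
        eid, actor = ev.get("EventID"), ev.get("SubjectUserName", "?")
        group = ev.get("TargetUserName")       # group name in 47xx events
        new_name = ev.get("SamAccountName")    # new name on a 4737/4735 rename
        if eid in CREATED and _is_target(group):
            findings.append((eid, actor, "group created"))
        elif eid in CHANGED and (_is_target(group) or _is_target(new_name)):
            findings.append((eid, actor, f"group renamed from {group!r}"))
        elif eid in MEMBER_ADDED and _is_target(group):
            findings.append((eid, actor, f"member {ev.get('MemberName', '?')} added"))
    return findings

# Constructed sample events (not real log data): a create, a rename of a benign
# group, a member add, and an unrelated member add that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4737, "SubjectUserName": "jdoe", "TargetUserName": "Helpdesk",
     "SamAccountName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Users",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for eid, actor, reason in hunt(SAMPLE_EVENTS):
        print(f"[{eid}] {actor}: {reason}")
```

Any hit on a domain that has not deliberately provisioned an “ESX Admins” group warrants an immediate review of who made the change and which ESXi hosts are AD-joined.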

Virtualized environments offer hackers significant advantages, as hypervisors typically run many VMs simultaneously, making them ideal targets for widespread ransomware deployment. These VMs often host critical services and business data, making successful attacks highly disruptive. The limited visibility and protection for hypervisors from traditional security products exacerbate this issue. Hypervisors’ isolation and complexity, along with the specialized knowledge required to protect them, make it difficult for conventional security tools to monitor and safeguard the entire environment. 

Additionally, API integration limits further complicate protection efforts. To mitigate these risks, Microsoft emphasizes the importance of keeping systems up to date with patches and practicing broader cyber hygiene around critical and vulnerable assets. As ransomware actors increasingly target these systems, organizations must remain vigilant and proactive in their cybersecurity measures.

SEXi Ransomware Rebrands to APT INC, Continues VMware ESXi Attacks

The SEXi ransomware group and its affiliates, which have been involved in a series of cyber-attacks against several organizations since February of this year, have been operating under the name "APT Inc." since June of this year. The group uses a leaked Babuk encryptor to encrypt VMware ESXi servers and a leaked LockBit 3 encryptor to encrypt Windows servers.

In its rebranded form, the group continues to use its original encryption techniques while wreaking havoc on new victims around the world, issuing ransom demands that range from thousands to millions of dollars in exchange for restoring access to the victims' data. Babuk Locker, often called Babyk, is a ransomware operation that began targeting businesses in 2021, stealing and encrypting their data in double-extortion attacks for financial gain.

The name SEXi appears to be a play on ESXi, the platform the ransomware targets. As noted in a statement shared by CRONUp cybersecurity researcher Germán Fernández, PowerHost CEO Ricardo Rubem confirmed that his servers had been locked up by a ransomware variant called SEXi. It has not yet been revealed exactly how the malware gained access to PowerHost's internal network.

In his statement, Rubem made clear that he would not pay the ransom demanded by the attackers, as a form of punishment. It is worth noting that after attacking the Washington DC Metropolitan Police Department (MPD), the Babuk gang claimed to have shut down its operations due to pressure from U.S. law enforcement. In February 2024, threat actors carried out several attacks using the leaked Babuk encryptor against VMware ESXi servers and the leaked LockBit 3 encryptor against Windows systems.

Not long after the campaign began, the cybercriminals gained media attention with an attack on IxMetro Powerhost, a Chilean hosting provider whose VMware ESXi servers they encrypted. The ransomware operation was named SEXi after its ransom note, SEXi.txt, and the .SEXi extension appended to encrypted files.

Interestingly, cybersecurity researcher Will Thomas found other variants using the names SOCOTRA, FORMOSA and LIMPOPO. As noted above, the ransomware operation uses a combination of Linux and Windows encryptors, but it is best known for targeting VMware ESXi systems. According to security researcher Rivitna, the operation has rebranded itself as APT INC since June and continues to encrypt files with the Babuk and LockBit 3 encryptors, as BleepingComputer has reported.

BleepingComputer has been receiving numerous reports from victims impacted by APT INC attacks in recent weeks, along with posts on its forums describing similar experiences. The threat actors gain access to VMware ESXi servers and encrypt the files that make up the virtual machines (virtual disks, database files and backup images), while leaving the rest of the operating system's files untouched.

Each victim of APT INC ransomware will be assigned a random name that is not associated with their company. This name will be used for both the ransom note and the encrypted file extension. The ransom notes will contain information on how to contact the threat actors using the Session encrypted messaging application.

Notably, the Session address remains consistent with the address used in previous SEXi ransom notes. BleepingComputer has reported that ransom demands range from tens of thousands to millions of dollars. For instance, the CEO of IxMetro Powerhost publicly disclosed that the threat actors demanded two bitcoins per encrypted customer.

Unfortunately, the encryptors used by Babuk and LockBit 3 ransomware are secure and have no known vulnerabilities, making it impossible to recover files without paying the ransom. The leaked Babuk and LockBit 3 encryptors have been repurposed to power new ransomware operations, including APT INC. The Babuk encryptors, in particular, have gained widespread adoption due to their capability to target VMware ESXi servers, which are heavily utilized in enterprise environments. 

The VMware ESXi hypervisor platform operates on Linux and Linux-like operating systems, capable of hosting multiple, data-rich virtual machines (VMs). This platform has been a favoured target for ransomware actors for several years, partly due to its extensive attack surface. According to a Shodan search, tens of thousands of ESXi servers are exposed to the Internet, most of which run older versions. This figure does not account for servers that become accessible following an initial breach of a corporate network. 

Additionally, the growing interest of ransomware gangs in targeting ESXi is attributed to the platform’s lack of support for third-party security tools. As reported by Forescout last year, unmanaged devices such as ESXi servers are prime targets for ransomware threat actors. This is due to the valuable data stored on these servers, the increasing number of exploitable vulnerabilities affecting them, their frequent exposure to the Internet, and the challenges in implementing security measures such as endpoint detection and response (EDR). 

ESXi servers represent high-value targets since they host multiple VMs, enabling attackers to deploy malware once and encrypt numerous servers with a single command. To mitigate these risks, VMware has published a guide to securing ESXi environments. Key recommendations include ensuring that ESXi software is patched and up-to-date, hardening passwords, removing servers from the Internet, monitoring network traffic and ESXi servers for abnormal activities, and maintaining backups of VMs outside the ESXi environment to facilitate recovery.