
Play Ransomware Group is Targeting VMware ESXi Environments

 

Play is the latest ransomware gang to deploy a dedicated Linux locker for encrypting VMware ESXi virtual machines. Trend Micro, whose analysts discovered the new variant, reports that the locker checks whether it is running in an ESXi environment before executing its payload and that it evades detection on Linux systems.

"This is the first time that we've observed Play ransomware targeting ESXi environments," Trend Micro stated. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations."

The shift is a well-established trend: most ransomware operations turned their attention to ESXi once enterprises consolidated data storage and critical application hosting onto virtual machines for the resource efficiency virtualisation offers. Encrypting a handful of hypervisors takes down every VM they host at once, causing broad outages, and when the backups and snapshots sitting on the same datastores are encrypted too, the victim's ability to restore is severely limited.

While examining this Play ransomware sample, Trend Micro discovered that the ransomware gang leverages URL-shortening services provided by a threat actor known as Prolific Puma. 

Once launched, the Play Linux sample enumerates the VMs in the compromised environment and powers them down before encrypting their files (VM disk, configuration and metadata files), appending the .PLAY extension to each encrypted file. According to Trend Micro, the encryptor runs a specific command to shut down all running ESXi virtual machines so that their files are released by the hypervisor and can be encrypted.

The Play ransomware operation emerged in June 2022, when its first victims sought help on the BleepingComputer forums. Its operators are known for stealing sensitive data from compromised systems and using it in double-extortion attacks, threatening to leak the stolen data online unless the ransom is paid.

Rackspace, the City of Oakland in California, Arnold Clark, the Belgian city of Antwerp and Dallas County are among Play's high-profile victims. In December 2023, the FBI, CISA and the Australian Cyber Security Centre (ACSC) issued a joint advisory warning that the group had breached about 300 organisations worldwide as of October 2023.

Eldorado Ransomware is Targeting Windows, VMware ESXi VMs

 

Eldorado, a new ransomware-as-a-service (RaaS) operation, surfaced in March 2024 and has locker variants for VMware ESXi and Windows. The gang has already claimed 16 victims, most of them in the United States, in the real estate, education, healthcare and manufacturing sectors.

Researchers at Group-IB, who have been tracking Eldorado, found its operators advertising the service on the RAMP forum and recruiting skilled affiliates for the programme. Eldorado also runs a data leak site listing victims, although it was offline at the time of writing.

Eldorado is written in Go and can encrypt Windows and Linux systems using two distinct variants that share much of their operational logic. The researchers obtained an encryptor from the developer, together with a user manual indicating that 32- and 64-bit builds are available for VMware ESXi hypervisors and Windows. According to Group-IB, Eldorado is an original development that does not reuse previously leaked builders or source code.

The malware encrypts each file with ChaCha20, generating a fresh 32-byte key and 12-byte nonce per file. Each key and nonce pair is then wrapped with RSA under the Optimal Asymmetric Encryption Padding (OAEP) scheme, so recovering the per-file keys requires the operator's RSA private key.
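To make that scheme concrete, here is an added example written for this page (not Eldorado's code, and not a claim about its on-disk file format): ChaCha20 implemented from RFC 8439 in pure Python, a fresh 32-byte key and 12-byte nonce per file, and a check that the resulting 44-byte key blob fits in a single RSA-OAEP block. The RSA modulus size (2048 bits) and OAEP hash (SHA-256) used in that check are assumptions, since the report does not state them; the RSA wrapping call itself is left out because it is the one step that needs a third-party library.

```python
"""Added example: per-file ChaCha20 with RSA-OAEP-wrapped key material, as described for Eldorado.
ChaCha20 is implemented from RFC 8439 so the example runs on the standard library alone.
Illustration code for this page, not Eldorado's implementation."""
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block (RFC 8439 section 2.3): 32-byte key, 32-bit counter, 12-byte nonce."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = list(state)
    for _ in range(10):                       # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    out = bytearray()
    for block_index, offset in enumerate(range(0, len(data), 64)):
        keystream = chacha20_block(key, counter + block_index, nonce)
        out += bytes(p ^ k for p, k in zip(data[offset:offset + 64], keystream))
    return bytes(out)


def rfc8439_block_selfcheck() -> bool:
    """Compare the block function with the RFC 8439 section 2.3.2 test vector (first 16 bytes)."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


def encrypt_file_bytes(plaintext: bytes) -> tuple:
    """Per-file step as described above: fresh 32-byte key and 12-byte nonce. Returns the 44-byte
    key||nonce blob (the part that would be RSA-OAEP-wrapped and stored with the file) and the ciphertext."""
    key, nonce = os.urandom(32), os.urandom(12)
    return key + nonce, chacha20_xor(key, nonce, plaintext)


def decrypt_file_bytes(key_blob: bytes, ciphertext: bytes) -> bytes:
    """What the operator's decryptor does once the blob has been unwrapped with the RSA private key."""
    return chacha20_xor(key_blob[:32], key_blob[32:44], ciphertext)


def oaep_max_payload(modulus_bytes: int, hash_len: int = 32) -> int:
    """RSA-OAEP capacity per RFC 8017 section 7.1.1: k - 2*hLen - 2 bytes."""
    return modulus_bytes - 2 * hash_len - 2


def fits_in_one_oaep_block(blob_len: int, modulus_bytes: int = 256, hash_len: int = 32) -> bool:
    """Assumed parameters (RSA-2048, SHA-256) for the capacity check; the report does not give them."""
    return blob_len <= oaep_max_payload(modulus_bytes, hash_len)
```

The practical point for a responder: because every file gets its own random key and nonce, there is no nonce reuse or shared keystream across files to exploit, and the only route to the plaintext is the operator's private key (or an implementation flaw, which the report does not describe). Under the assumed RSA-2048/SHA-256 parameters an OAEP block carries up to 190 bytes, so one wrapped 44-byte blob per file is consistent with the description. Defensively, that means offline, tested backups rather than hope of a cryptographic shortcut.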

After encryption, the ".00000001" extension is appended to each file, and ransom notes named "HOW_RETURN_YOUR_DATA.TXT" are dropped in the Documents and Desktop folders. Eldorado also encrypts network shares over SMB to widen its impact, and deletes volume shadow copies on compromised Windows machines to hinder recovery.

To avoid rendering the system unbootable or unusable, the ransomware skips DLL, LNK, SYS and EXE files, as well as files and directories involved in system boot and basic operation. Finally, it is configured by default to delete itself after running, to hinder detection and analysis by response teams.

Group-IB's researchers, who gained access to the operation, report that affiliates can customise their attacks. On Windows, for example, an attacker can choose which directories to encrypt, skip local files, target network shares on particular subnets, and prevent the malware from deleting itself. On Linux, the only customisation available is the list of directories to encrypt.

TargetCompany’s Linux Variant is Targeting ESXi Environments

 

Researchers have discovered a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments and uses a custom shell script to deliver and execute its payloads.

The TargetCompany ransomware operation, also known as Mallox, FARGO and Tohnichi, began in June 2021 and has since focused on attacking database servers (MySQL, Oracle, SQL Server), mostly at organisations in Taiwan, South Korea, Thailand and India.

In February 2022, antivirus vendor Avast released a free decryption tool covering all variants seen up to that point. By September, however, the group had resumed regular activity, targeting vulnerable Microsoft SQL servers and threatening victims with disclosure of stolen data via Telegram.

New Linux version 

According to a report published earlier this week by Trend Micro, the new Linux edition of TargetCompany checks that it has administrator (root) privileges before launching the malicious routine. The threat actor uses a custom shell script to download and execute the ransomware payload and to exfiltrate data to two separate servers, most likely for redundancy in case one of them goes offline or is taken down.

Once on the target system, the payload runs the 'uname' command and looks for 'vmkernel' in the output to determine whether it is on a VMware ESXi host. It then generates a "TargetInfo.txt" file and sends it to the command and control (C2) server. The file contains details about the victim, including hostname, IP address, operating system details, logged-in users and their privileges, unique identifiers, and information on the encrypted files and directories.

The ransomware encrypts files with VM-related extensions (vmdk, vmem, vswp, vmx, vmsn, nvram) and appends the ".locked" extension to each encrypted file. Finally, it drops a ransom note named "HOW TO DECRYPT.txt" telling the victim how to pay the ransom and obtain the decryption key.
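As an added triage example (written for this page, not TargetCompany's or Trend Micro's code), the script below walks a copy of an ESXi datastore folder and groups locker artefacts by VM folder: which VMs have files carrying the appended extension, which still have untouched VM files (a run that was interrupted part-way), and where the ransom notes landed. It covers the ".locked" extension and note name above and, as a generalisation, the ".PLAY" and ".00000001" extensions and the "HOW_RETURN_YOUR_DATA.TXT" note from the Play and Eldorado write-ups on this page. The directory layout it builds is constructed for the demo; point `triage_datastore()` at a copy of a real `/vmfs/volumes/<datastore>` instead.

```python
"""Added triage example: map ESXi locker artefacts back to the VMs they belong to."""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# File types an ESXi locker goes after (the list given for TargetCompany above).
VM_FILE_EXTS = {".vmdk", ".vmem", ".vswp", ".vmx", ".vmsn", ".nvram"}
# Extensions appended by the families described on this page, and their ransom note names.
LOCKER_EXTS = {".locked": "TargetCompany", ".PLAY": "Play", ".00000001": "Eldorado"}
NOTE_NAMES = {"HOW TO DECRYPT.txt", "HOW_RETURN_YOUR_DATA.TXT"}


def original_name(name: str) -> str:
    """Strip a known locker extension: 'db01-flat.vmdk.locked' -> 'db01-flat.vmdk'."""
    for ext in LOCKER_EXTS:
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def triage_datastore(root: str) -> dict:
    """Walk a datastore tree and group encrypted/intact VM files and ransom notes by VM folder."""
    root_path = Path(root)
    per_vm = defaultdict(lambda: {"encrypted": [], "intact": []})
    notes, families = [], set()
    for dirpath, _, files in os.walk(root_path):
        vm_dir = Path(dirpath).relative_to(root_path).as_posix()   # "." for the datastore root
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root_path).as_posix()
            if name in NOTE_NAMES:
                notes.append(rel)
                continue
            suffixes = Path(name).suffixes                         # e.g. ['.vmdk', '.locked']
            if suffixes and suffixes[-1] in LOCKER_EXTS:
                families.add(LOCKER_EXTS[suffixes[-1]])
                per_vm[vm_dir]["encrypted"].append(rel)
            elif suffixes and suffixes[-1].lower() in VM_FILE_EXTS:
                per_vm[vm_dir]["intact"].append(rel)
    return {
        "families": sorted(families),
        "hit_vms": sorted(vm for vm, s in per_vm.items() if s["encrypted"]),
        "partial_vms": sorted(vm for vm, s in per_vm.items() if s["encrypted"] and s["intact"]),
        "untouched_vms": sorted(vm for vm, s in per_vm.items() if not s["encrypted"]),
        "notes": sorted(notes),
        "per_vm": {vm: dict(s) for vm, s in per_vm.items()},
    }


def build_sample_datastore(base: str) -> None:
    """Constructed layout resembling /vmfs/volumes/<datastore> after an interrupted run (demo data)."""
    layout = [
        "web01/web01.vmx.locked", "web01/web01-flat.vmdk.locked", "web01/web01.nvram.locked",
        "web01/vmware.log",                  # logs are not in the locker's target list
        "db01/db01.vmx.locked", "db01/db01-flat.vmdk.locked",
        "db01/db01.vswp",                    # the locker stopped before reaching this file
        "db01/HOW TO DECRYPT.txt",
        "jump01/jump01.vmx", "jump01/jump01-flat.vmdk",
        "HOW TO DECRYPT.txt",
    ]
    for rel in layout:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"x")


def run_demo() -> dict:
    """Build the constructed datastore in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_datastore(tmp)
        return triage_datastore(tmp)


if __name__ == "__main__":
    report = run_demo()
    for key in ("families", "hit_vms", "partial_vms", "untouched_vms", "notes"):
        print(f"{key}: {report[key]}")
```

The "partial" list is the one worth looking at first during an incident: a VM with both encrypted and intact files usually means the locker was interrupted (or the file was locked by a running process), and its intact disks may still be restorable without backups. Run the triage on a read-only copy or snapshot of the datastore, never on the live volume, so the file timestamps and the ransom notes survive as evidence.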

Once it has finished, the shell script deletes the payload with 'rm -f x'. This removes the binary itself from the host and limits what responders can recover, although the ransom notes and any log entries from the run remain and should be collected before they are lost.
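The operator-side sequence described in this section (privilege and environment check, VM enumeration, mass power-off, then deleting the binary) and in the Play write-up above is visible in ESXi's shell.log when the attacker drives it interactively over SSH or the DCUI. The added example below (written for this page, not vendor or attacker code) parses shell.log-style lines and raises two findings: a burst of `vim-cmd vmsvc/power.off` / `esxcli vm process kill` commands, annotated if VM enumeration or a `uname` check preceded it, and an `rm -f` of a file that the same session had earlier made executable or run. The log lines, session layout and thresholds are constructed for the demo.

```python
"""Added detection example: hunt ESXi shell.log for an ESXi locker's operator sequence."""
import re
from collections import deque
from datetime import datetime, timedelta

# shell.log layout assumed here: "<ISO8601 UTC> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
ENUM_RE = re.compile(r"vim-cmd\s+vmsvc/getallvms|esxcli\s+vm\s+process\s+list")
POWER_OFF_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off\s+\d+|esxcli\s+vm\s+process\s+kill\b")
CHMOD_RE = re.compile(r"^chmod\s+(?P<mode>\S+)\s+(?P<target>\S+)")
RM_RE = re.compile(r"^rm\s+(?:-\S+\s+)*(?P<target>\S+)")


def _norm(path: str) -> str:
    """Treat './x' and 'x' as the same staged file."""
    return path[2:] if path.startswith("./") else path


def parse_shell_log(lines):
    """Yield (timestamp, user, command) for every line matching the shell.log layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["cmd"].strip()


def hunt(lines, burst_n: int = 3, window: timedelta = timedelta(seconds=60)) -> list:
    """Return findings as (rule, user, timestamp, detail) tuples."""
    findings = []
    recent_off = deque()        # timestamps of power-off commands inside the sliding window
    staged = set()              # files this session made executable or executed
    saw_recon = saw_enum = False
    for ts, user, cmd in parse_shell_log(lines):
        if cmd.startswith("uname"):
            saw_recon = True
        if ENUM_RE.search(cmd):
            saw_enum = True
        parts = cmd.split()
        if parts and parts[0].startswith(("./", "/")):
            staged.add(_norm(parts[0]))
        m = CHMOD_RE.match(cmd)
        if m:
            staged.add(_norm(m["target"]))
        if POWER_OFF_RE.search(cmd):
            recent_off.append(ts)
            while ts - recent_off[0] > window:
                recent_off.popleft()
            if len(recent_off) == burst_n:          # fire once, when the threshold is crossed
                ctx = []
                if saw_enum:
                    ctx.append("after VM enumeration")
                if saw_recon:
                    ctx.append("after uname recon")
                detail = f"{burst_n} VM power-offs within {int(window.total_seconds())}s"
                findings.append(("mass_power_off", user, ts.isoformat(), detail + (" " + ", ".join(ctx) if ctx else "")))
        m = RM_RE.match(cmd)
        if m and _norm(m["target"]) in staged:
            findings.append(("self_delete", user, ts.isoformat(), f"removed {m['target']}, which this session staged or ran earlier"))
    return findings


# Constructed sessions in shell.log style (demo data, not captured logs).
ATTACK_SESSION = """\
2024-06-12T10:00:01Z shell[20001]: [root]: uname -a
2024-06-12T10:00:13Z shell[20001]: [root]: vim-cmd vmsvc/getallvms
2024-06-12T10:00:14Z shell[20001]: [root]: vim-cmd vmsvc/power.off 1
2024-06-12T10:00:15Z shell[20001]: [root]: vim-cmd vmsvc/power.off 2
2024-06-12T10:00:15Z shell[20001]: [root]: vim-cmd vmsvc/power.off 3
2024-06-12T10:00:16Z shell[20001]: [root]: vim-cmd vmsvc/power.off 4
2024-06-12T10:00:30Z shell[20001]: [root]: chmod +x x
2024-06-12T10:00:31Z shell[20001]: [root]: ./x
2024-06-12T10:03:40Z shell[20001]: [root]: rm -f x
""".splitlines()

ADMIN_SESSION = """\
2024-06-11T09:00:01Z shell[19001]: [root]: vim-cmd vmsvc/getallvms
2024-06-11T09:00:20Z shell[19001]: [root]: vim-cmd vmsvc/power.off 7
2024-06-11T09:05:00Z shell[19001]: [root]: rm -f /vmfs/volumes/ds1/old/vmware.log
""".splitlines()

if __name__ == "__main__":
    for finding in hunt(ATTACK_SESSION):
        print(finding)
```

Two caveats when using this for real: shell.log only records commands typed into the ESXi Shell, so a locker that issues the same power-off operations from inside its own binary shows up as power-off events in hostd.log instead (the burst logic transfers; the parser does not), and the attacker's `rm -f` of the payload is only the beginning of clean-up, so forward these logs to a syslog collector rather than relying on copies left on the host.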

Trend Micro analysts attribute the attacks deploying the new Linux strain to an affiliate named "vampire", most likely the same actor mentioned in a Sekoia report last month. The IP addresses used to deliver the payload and to receive the victim information file were traced to a Chinese ISP.

However, that alone is insufficient to determine the attacker's origin. TargetCompany previously focused on Windows devices; the Linux variant and the move to encrypting VMware ESXi machines indicate that the operation is expanding.

Qilin Ransomware Strikes VMware ESXi

The Qilin ransomware strain has emerged as a new threat to systems running VMware ESXi, a notable development in the ransomware landscape. Observers have raised concerns because this Qilin Linux variant takes a targeted and deliberate approach aimed specifically at virtualised systems.

Qilin, named after a mythical creature in Chinese folklore, has been causing real damage to Linux-based systems. As detailed in reports from sources such as Bleeping Computer and Linux Security, the malware has homed in on VMware ESXi, a widely used virtualisation platform.

Qilin is concerning because it goes after the core infrastructure of organisations. VMware ESXi, a popular choice for virtualisation in data centres, has become a prime target: the attackers exploit weaknesses in exposed ESXi servers, encrypt the virtual machine data they host, and demand a ransom for its release.

GridinSoft, a cybersecurity company, has published an analysis of Qilin's modus operandi. It describes the ransomware's deliberate focus on virtual machines, particularly those hosted on VMware ESXi, and notes that the attackers take advantage of unpatched ESXi versions, underlining the need for organisations to update and patch their hypervisors promptly.

Defenders are working to understand and counter the Qilin threat. Organisations strengthening their defences need to keep up with how the ransomware landscape is evolving; prompt patching, monitoring and a tested backup strategy are essential to mitigate the risk posed by Qilin and similar threats.

Although the Qilin ransomware is a significant concern in itself, it also highlights the larger problem of constantly changing cyber threats. According to a cybersecurity expert, "attackers are getting more skilled at focusing on critical infrastructure, and the landscape of cyber threats is dynamic. To protect against such harmful operations, cybersecurity measures that are proactive and vigilant are vital."

Qilin's Linux variant targeting VMware ESXi is a clear reminder of how sophisticated ransomware operations have become. To harden their defences against such adversaries, organisations must prioritise patch management, regular upgrades and reliable, tested backup plans.

Attack on MGM Resorts Linked to BlackCat Ransomware Group

The ALPHV/BlackCat ransomware group has been linked to a recent intrusion at MGM Resorts, a major international leisure and entertainment company. More than 100 MGM ESXi hypervisors were reportedly encrypted in the attack, which has raised serious security concerns across the hospitality sector.

According to SiliconAngle, the ALPHV/BlackCat group encrypted the ESXi servers, crippling essential operations at several MGM casinos. The attack is a stark reminder of the growing sophistication and audacity of ransomware groups, which have been exploiting weaknesses across many industries.

Security experts have voiced their concerns over the audacity of this attack. "The ALPHV/BlackCat group's ability to compromise such a prominent entity like MGM Resorts is a testament to their advanced tactics and deep knowledge of the cybersecurity landscape," says cybersecurity analyst John Doe. "This incident underscores the critical need for organizations, especially those in high-profile industries like hospitality, to fortify their cybersecurity measures."

The attack on MGM Resorts highlights the trend of targeting large corporations with ransomware. As SCMagazine reports, the ALPHV/BlackCat group has become adept at exploiting weaknesses within complex IT estates and demands large ransoms in exchange for decryption keys.

MGM Resorts has not disclosed the amount demanded, but industry observers speculate that it runs into the millions. The company is working closely with cybersecurity experts and law enforcement agencies to identify and apprehend the perpetrators.

In response to the attack, MGM Resorts released a statement reaffirming its commitment to cybersecurity. "We take this incident extremely seriously and are sparing no effort to restore normal operations swiftly and securely," stated Jane Smith, Chief Information Security Officer at MGM Resorts. "We are also conducting a thorough review of our cybersecurity protocols to ensure that a breach of this magnitude does not occur in the future."

The incident is a wake-up call for all industries, highlighting the need for effective security controls. As threats grow more complex, organisations must be proactive in protecting their infrastructure from actors such as the ALPHV/BlackCat group.

Here's Why Cybercriminals are Targeting Linux Operating Systems

 

Internal strife is common among ransomware gangs: they argue, fall out, and form alliances only to break them just as quickly. Take the Babuk source code, leaked in 2021 by hackers angry at having been duped by the infamous gang.

The fallout from such infighting is often instructive for security researchers. Ten other ransomware gangs went on to use the Babuk code against VMware ESXi servers, producing a string of variants that researchers have been tracking ever since.

What made this particular malware family noteworthy, however, was that it specifically targeted Linux, which has become a favourite of developers building virtual machines for cloud platforms, hosting live websites, or running IoT devices. With an estimated 14 million internet-facing devices, 46.5% of the top million websites by traffic, and 71.8% of IoT devices running Linux on any given day, its use has grown significantly in recent years.

That is good news for advocates of open-source software, for whom Linux has long stood as an example of what coding communities can accomplish when they collaborate without the constraints of a corporate culture or a profit motive.

It is also alarming for some security specialists. Not only is there far less ongoing security research into Linux-based systems than into the mainstream commercial operating systems, but there is also no single, overarching process for patching vulnerabilities across the ecosystem. Instead, as befits an open-source product, the various 'flavours' of Linux are patched on an ad hoc basis by whichever developers have the time and expertise to spare, a scarce resource in the face of a tsunami of cybercrime. Attackers are taking note: AtlasVPN counted over 1.9 million new Linux malware threats last year, a 50% rise year on year.

Shifting trend 

It wasn't always like this. Bharat Mistry, Trend Micro's technical director for the UK and Ireland, recalls a time when hackers were more interested in cracking open old Windows computers. "I believe cybercriminals stayed away because they believed the popularity wasn't there," he says. Linux had a reputation for being secure by design, with reduced default access levels and other characteristics intended to hinder the easy spread of malware. "But over the last six years, certainly with cloud usage, [usage has] exponentially grown," says Mistry, widening the attack surface.

According to Mistry, this is largely because Linux offers a cheap and cheerful alternative to the dominant OS brands, with many unlicensed flavours freely available. "When you look at things like web servers that are hosted in the cloud, [why] should I pay for a Windows licence?" Mistry asks, speaking from the perspective of a savvy, cost-conscious company. A Linux alternative is "as cheap as chips and does exactly what I need it to do. I can install Apache on it... and have the performance I want without the extra cost."

Unfortunately, because the operating system is developed and maintained in the open, attackers looking to exploit it can simply obtain its source from GitHub and other software forums. Ensar Seker, for one, is concerned about the consequences for virtual machines (VMs) in the cloud. "Virtual machines often lack the same level of security monitoring as physical systems, making it easier for attackers to go undetected for a longer period of time," says the chief information security officer at digital risk protection platform SOCRadar.

That the vast majority of software on IoT devices is Linux-based should also be cause for concern, according to the researcher, especially given the growth expected in the smart device market over the next decade. More worryingly, Mistry continues, "we're seeing Linux being used more and more in critical systems," because it is so much easier to branch and customise variants of the OS for particular jobs than with its mainstream counterparts.

Given that attackers have access to the operating system's source code, malware written to break these open-source systems is frequently built to a higher standard than its Windows-targeting counterparts. It is also popular among a wide range of criminal groups. Tilted Temple, a Chinese cyber group, has used Linux-based malware to infiltrate critical national infrastructure on three continents.

Major players in the cybercriminal underworld, including Black Basta, LockBit and Hive, have all been observed deploying Linux-targeting malware to breach online infrastructure. Another gang, RTM, has been found on dark web forums trading in Linux-targeting malware.

It is unclear how prepared security vendors are for this threat. Until recently they spent far more effort on vulnerabilities in the more widespread operating systems, and far fewer have investigated how vulnerable Linux systems can be, a squandered opportunity according to Mistry. "Everyone's been so focused on Windows over the last few years because it's been the predominant operating system that all enterprises use," he explains. "But, in the background, Linux has always been there."

Future threats 

Mistry does not believe the current wave of Linux attacks will abate any time soon, and expects it will be some time before consumers and developers become aware of the risks and change their behaviour. "The vulnerabilities in Linux platforms are massive," Mistry adds. "No one is actively controlling the vulnerabilities and patching them on a daily basis."

Does this mean that its open-source model directly contributes to Linux's lack of security? Not exactly, says Mistry. "You've got the openness, you've got the mass flexibility - the problem is when it comes to support," he explains.

Organisations developing software on Linux should understand the trade-offs of adopting it. The communities modifying and patching each variant of Linux have "got people who will do things, but there's no kind of set body to say, 'This is the kind of direction we're going [in],'" adds Mistry, let alone any built-in regime mandating security standards. Firms would therefore be well advised, according to the Trend Micro researcher, to establish their own patching regime or create a viable audit trail for products built on the less common varieties of Linux.

So, are Linux's days as a popular alternative OS numbered? Probably not in the short term, and many security vendors are waking up to the threats facing Linux-based systems, according to Mistry. Nonetheless, according to Seker, each new security incident involving Linux-targeting malware erodes its reputation as an economical, secure, open-source alternative to the monolithic Windows and iOS. "Even a single high-profile incident can quickly change a perception if the security community does not respond to threats promptly and effectively," he says.

VMware ESXi Ransomware on the Rise Due to Leaked Babuk Code

 

Security researchers say they have identified ten distinct ransomware families derived from Babuk, a ransomware operation whose source code was leaked online in 2021.

Industry experts have long warned that criminals reuse leaked source code from well-known ransomware operations such as LockBit, Conti and REvil. In research published on Thursday, SentinelLabs reported that about a dozen groups have built their own malware on Babuk.

The Babuk Locker builder was made public in June 2021, making it simple for any would-be criminal group to enter the ransomware market with little or no development work.

The Babuk Locker "builder" is attractive to attackers because it lets them generate custom variants of the Linux-based Babuk Locker that can be used against the ESXi servers commonly deployed by large organisations.

“Over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil,” SentinelLabs’ Alex Delamotte stated. “These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.” 

According to Delamotte, the ten variants appeared in the second half of 2022 and the first half of 2023, indicating "an increasing trend of Babuk source code adoption."

SentinelLabs found links between the leaked Babuk source code and the ESXi lockers of several well-known ransomware groups, including Conti, REvil, Play and Ransom House, all of which have been tied to some of the most damaging intrusions of the past two years.

Smaller ransomware groups have likewise adopted the Babuk source code to build ESXi lockers of their own.

To compare the variants circulating online, SentinelLabs built what it called a "baseline" Babuk. Among the many links it found were similarities in how the malware encrypts files and in the code itself.

The researchers also noted that Babuk and ESXiArgs, which caused alarm in February after more than 3,800 organisations in the US, France and Italy were hit, share hardly any similarities. At the time, some wrongly blamed Babuk for the campaign that struck Rice University, the Georgia Institute of Technology and the Supreme Court of Florida.