Tag: Infecting | Page 2

Malware infecting widely used security appliance survives firmware updates – Ars Technica

March 9, 2023/in Computer Security

Threat actors with a connection to the Chinese government are infecting a widely used security appliance from SonicWall with malware that remains active even after the device receives firmware updates, researchers said.

SonicWall’s Secure Mobile Access 100 is a secure remote access appliance that helps organizations securely deploy remote workforces. Customers use it to grant granular access controls to remote users, provide VPN connections to organization networks, and set unique profiles for each employee. The access the SMA 100 has to customer networks makes it an attractive target for threat actors.

In 2021, the device came under attack by sophisticated hackers who exploited what was then a zero-day vulnerability. Security appliances from Fortinet and Pulse Secure have come under similar attacks in recent years.

Gaining long-term persistence inside networks

On Thursday, security firm Mandiant published a report that said threat actors with a suspected nexus to China were engaged in a campaign to maintain long-term persistence by running malware on unpatched SonicWall SMA appliances. The campaign was notable for the ability of the malware to remain on the devices even after its firmware received new firmware.

“The attackers put significant effort into the stability and persistence of their tooling,” Mandiant researchers Daniel Lee, Stephen Eckels, and Ben Read wrote. “This allows their access to the network to persist through firmware updates and maintain a foothold on the network through the SonicWall Device.”

To achieve this persistence, the malware checks for available firmware upgrades every 10 seconds. When an update becomes available, the malware copies the archived file for backup, unzips it, mounts it, and then copies the entire package of malicious files to it. The malware also adds a backdoor root user to the mounted file. Then, the malware rezips the file so it’s ready for installation.

“The technique is not especially sophisticated, but it does show considerable effort on the part of the attacker to understand the appliance update cycle, then develop and test a method for persistence,” the researchers wrote.

The persistence techniques…

Source…

Hackers are mass infecting servers worldwide by exploiting a patched hole

February 6, 2023/in Computer Security

Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word — Getty Images

An explosion of cyberattacks is infecting servers around the world with crippling ransomware by exploiting a vulnerability that was patched two years ago, it was widely reported on Monday.

The hacks exploit a flaw in ESXi, a hypervisor VMware sells to cloud hosts and other large-scale enterprises to consolidate their hardware resources. ESXi is what’s known as a bare-metal, or Type 1, hypervisor, meaning it’s essentially its own operating system that runs directly on server hardware. By contrast, servers running the more familiar Type 2 class of hypervisors, such as VMware’s VirtualBox, run as apps on top of a host operating system. The Type 2 hypervisors then run virtual machines that host their own guest OSes such as Windows, Linux or, less commonly, macOS.

Enter ESXiArgs

Advisories published recently by computer emergency response teams (CERT) in France, Italy, and Austria report a “massive” campaign that began no later than Friday and has gained momentum since then. Citing results of a search on Census, CERT officials in Austria, said that as of Sunday, there were more than 3,200 infected servers, including eight in that country.

“Since ESXi servers provide a large number of systems as virtual machines (VM), a multiple of this number of affected individual systems can be expected,” the officials wrote.

The vulnerability being exploited to infect the servers is CVE-2021-21974, which stems from a heap-based buffer overflow in OpenSLP, an open network-discovery standard that’s incorporated into ESXi. When VMware patched the vulnerability in February 2021, the company warned it could be exploited by a malicious actor with access to the same network segment over port 427. The vulnerability had a severity rating of 8.8 out of a possible 10. Proof-of-concept exploit code and instructions for using it became available a few months later.

Over the weekend, French cloud host OVH said that it doesn’t have the ability to patch the vulnerable servers set up by its customers.

“ESXi OS can only be installed on bare metal servers,” wrote…

Source…

Joker malware attacks Android smartphone users again – These 11 malware apps are infecting Google Play Store – Zee News

July 11, 2020/in Computer Security

Joker malware attacks Android smartphone users again – These 11 malware apps are infecting Google Play Store Zee News
Joker Android Malware Dupes Its Way Back Onto Google Play Threatpost
Google removes 11 apps from Play store infected with Joker malware; uninstall them now The Indian Express
Joker Malware Apps Once Again Bypass Google’s Security to Spread via Play Store Internet
Malware Joker: Google blocks 11 apps from Play Store Moneycontrol
View Full Coverage on read more

“malware news” – read more

Hackers are targeting other hackers by infecting their tools with malware – TechCrunch

March 10, 2020/in Computer Security

Hackers are targeting other hackers by infecting their tools with malware TechCrunch
“malware news” – read more

Tag Archive for: Infecting

Gaining long-term persistence inside networks

Enter ESXiArgs