Tag Archive for: Mass

Mass exploitation of critical MOVEit flaw is ransacking orgs big and small



Organizations big and small are falling prey to the mass exploitation of a critical vulnerability in a widely used file-transfer program. The exploitation started over the Memorial Day holiday, while the vulnerability was still a zero-day, and continues now, some nine days later.

As of Monday evening, payroll service Zellis, the Canadian province of Nova Scotia, British Airways, the BBC, and UK retailer Boots were all known to have had data stolen through the attacks, which are fueled by a recently patched vulnerability in MOVEit Transfer, a managed file-transfer product from Progress Software that is offered both as a cloud service and for on-premises deployment. Nova Scotia and Zellis had their own MOVEit instances or cloud services breached; British Airways, the BBC, and Boots were affected as customers of Zellis. All of the hacking activity has been attributed to the Russian-speaking Clop crime syndicate.

Widespread and rather substantial

Despite the relatively small number of confirmed breaches, researchers monitoring the ongoing attacks are describing the exploitation as widespread. They liken the hacks to smash-and-grab robberies, in which a window is broken and thieves grab whatever they can, and warned that the quick-moving heists are hitting banks, government agencies, and other targets in alarmingly high numbers.

“We have a handful of customers that were running MOVEit Transfer open to the Internet, and they were all compromised,” Steven Adair, president of security firm Volexity, wrote in an email. “Other folks we have talked to have seen similar.”

Adair continued:

I do not want to categorize our customers at this point since I do not know what all is out there in terms of who is running the software and give them away. With that said, though—it’s both massive and small organizations that have been hit. The cases we have looked into have all involved some level of data exfiltration. The attackers typically grabbed files from the MOVEit servers less than two hours after exploitation and shell access. We believe this was likely widespread and a rather substantial number of MOVEit Transfer servers that were running Internet-facing web services were…


Mass Exploitation of Zero-Day Bug in MOVEit File Transfer Underway


A threat group with likely links to the financially motivated group known as FIN11 and other known adversaries is actively exploiting a critical zero-day vulnerability in Progress Software’s MOVEit Transfer app to steal data from organizations using the managed file transfer technology.

MOVEit Transfer is a managed file transfer app that organizations use to exchange sensitive data and large files both internally and externally. Organizations can deploy the software on-premises, or as infrastructure-as-a-service or as software-as-a-service in the cloud. Progress claims thousands of customers for MOVEit including major names such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.

Researchers from Google’s Mandiant security group who are tracking the threat believe the exploit activity may well be a precursor to follow-on ransomware attacks on the organizations that have fallen victim so far. A similar pattern played out earlier this year after an attacker exploited a zero-day flaw in Fortra’s GoAnywhere file transfer software to access customer systems and steal data from them.

The Microsoft Threat Intelligence team meanwhile said via Twitter today that it has attributed the attack to a group it calls “Lace Tempest,” a financially motivated threat actor and ransomware affiliate with ties not only to FIN11 but also to TA505, Evil Corp, and the Cl0p gang.

Data Theft Happening in Minutes

An initial investigation into the MOVEit Transfer attacks by Mandiant showed that the exploit activity began on May 27, roughly four days before Progress disclosed the vulnerability and issued patches for all affected versions of the software. Mandiant has so far identified victims across multiple industry sectors located in Canada, India, and the US but believes the impact could be much broader.

“Following exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT Web shell with filenames that masquerade as human.aspx, which is a legitimate component of the MOVEit Transfer software,” Mandiant said in a blog post June 2.

The Web shell allows the attackers to issue commands for enumerating files and folders on a system running MOVEit…
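Both articles above point at the same detection opportunity: Volexity saw shell access followed by exfiltration within two hours, and Mandiant describes the LEMURLOOT web shell being dropped under a filename that imitates the legitimate human.aspx page. The following is an added example, not Mandiant's, Volexity's or Progress's code, of a quick sweep over a MOVEit Transfer web root that reports any .aspx file not present in a known-good inventory and separately calls out names that are near-identical to a legitimate page. The default install path, the allow-list (only human.aspx is named on the page) and the file listing are constructed for illustration; in practice the allow-list should come from a clean install of the same MOVEit version.

```python
"""Flag unexpected .aspx files in a MOVEit Transfer web root, with special
attention to names that masquerade as a legitimate page (e.g. human.aspx).

Added example for illustration; paths and the allow-list are constructed.
"""
from __future__ import annotations

import difflib
import ntpath
from dataclasses import dataclass

# Constructed allow-list. human.aspx is the page named in Mandiant's report;
# a real inventory would list every .aspx shipped with the installed version.
KNOWN_PAGES = frozenset({"human.aspx"})

# A name at least this similar to a known page, but not identical to it,
# is reported as masquerading (extra digit, swapped letter, and so on).
SIMILARITY_THRESHOLD = 0.8

# Constructed listing of a web root (assumed default install location).
SAMPLE_PATHS = [
    r"C:\MOVEitTransfer\wwwroot\human.aspx",      # legitimate page
    r"C:\MOVEitTransfer\wwwroot\human2.aspx",     # lookalike: extra character
    r"C:\MOVEitTransfer\wwwroot\hurnan.aspx",     # lookalike: rn for m
    r"C:\MOVEitTransfer\wwwroot\backup.aspx",     # unknown, not a lookalike
    r"C:\MOVEitTransfer\wwwroot\images\logo.png", # not ASP.NET, ignored
]


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _basename(path: str) -> str:
    # ntpath handles both backslash and forward-slash separators; Windows
    # file names are case-insensitive, so compare in lower case.
    return ntpath.basename(path).lower()


def _similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, a, b).ratio()


def find_suspicious_aspx(paths, known=KNOWN_PAGES, threshold=SIMILARITY_THRESHOLD):
    """Return one Finding per .aspx file that is not in the allow-list.

    Files whose name is near-identical to a known page are reported as
    masquerading; any other unexpected .aspx is reported as not allow-listed,
    since a web shell does not have to imitate anything to be dangerous.
    Results are returned in the order the paths were given.
    """
    known_lower = {k.lower() for k in known}
    findings = []
    for path in paths:
        name = _basename(path)
        if not name.endswith(".aspx") or name in known_lower:
            continue
        closest = max(known_lower, key=lambda k: _similarity(name, k))
        score = _similarity(name, closest)
        if score >= threshold:
            reason = f"masquerades as {closest} (similarity {score:.2f})"
        else:
            reason = "not in allow-list"
        findings.append(Finding(path, reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_aspx(SAMPLE_PATHS):
        print(f"{finding.path}: {finding.reason}")
```

Run against a live host, the listing would come from walking the web root (for example with os.walk); the point of the name comparison is that a defender eyeballing a directory easily misses human2.aspx next to human.aspx, while a script does not. Any hit should be followed by checking the file's creation time against IIS logs, since the reports above put exfiltration within two hours of shell access.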


Security Roundup: Leak of Top-Secret US Intel Risks a New Wave of Mass Surveillance


US defense secretary Lloyd Austin on Thursday said he was considering “additional measures necessary to safeguard our nation’s secrets,” and he ordered a review of “our intelligence access, accountability, and control procedures within the department to inform our efforts to prevent this kind of incident from happening again.”

Hackers who claim to have breached data storage company Western Digital earlier this month say they are holding 10 terabytes of stolen data hostage and are ready to publish it unless the company pays a “minimum 8 figure” ransom, TechCrunch reports. 

An individual who says they carried out the hack spoke to TechCrunch on Thursday, claiming to have reams of customer information. While the hacker showed TechCrunch screenshots of internal emails and contact information of Western Digital’s employees, it’s still unclear exactly what data has been stolen.

“Cut the crap, get the money, and let’s both go our separate ways,” the hackers wrote in an email to several company executives. “Simply put, let us put our egos aside and work to find a resolution to this chaotic scenario.” 

A secretive Israeli spyware company’s hacking tools have been used to target politicians and journalists in at least 10 countries, according to research by Microsoft and the University of Toronto’s Citizen Lab made public Tuesday. 

The company, QuaDream, is a small, low-profile Israeli firm that develops smartphone hacking tools intended for government clients. The firm was established in 2016 by former employees of NSO Group, the maker of the Pegasus spyware.

The QuaDream spyware targeted older versions of Apple’s iOS phone software, and it worked by sending malicious calendar invites that would not be seen by the targets, researchers say.

According to the report, Citizen Lab has located QuaDream servers in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan. 

WhatsApp has introduced a new security feature that makes it harder for scammers to steal users’ accounts. The feature will require individuals who download WhatsApp to a new device to use their old device to confirm their account….


Over 83,000 ESXi servers are internet-exposed as mass attack continues


Over 2,500 ESXi servers around the world have now been hit by ransomware as part of a spray-and-pray campaign that began on Friday evening – with VMware affirming that it has “not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks.”

Initial reports suggested that a vulnerability from early 2021 was being exploited. Some security researchers were sceptical that thousands of ESXi users had not only failed to patch two-year-old critical remote code execution (RCE) vulnerabilities but had also left those unpatched servers directly exposed to the internet.

The campaign also began just days after security researchers published an exploit that lets remote and unauthenticated attackers take over VMware’s log management tool vRealize Log Insight as the root user by chaining three vulnerabilities that VMware disclosed on January 25, 2023. Two of the CVEs used (CVE-2022-31706, CVE-2022-31704) are remote code execution (RCE) bugs with critical CVSS ratings of 9.8.

There is no suggestion that this exploit is being used in the ESXi ransomware attacks.

SecurityScorecard’s Attack Surface Intelligence (ASI) tool detects some version of ESXi in use at 139,491 IP addresses worldwide. Not all of these will be vulnerable to the ongoing campaign. Shodan searches meanwhile suggest that 83,476 ESXi servers can be found online, the vast majority of them running version 6.7.

[Figure: ESXi versions exposed to the internet. Credit: Shodan.]

VMware emphasised in a short blog on February 6 that “Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities”.

The ESXi ransomware campaign is targeting CVE-2021-21974, a heap overflow in VMware ESXi’s OpenSLP service leading to remote code execution, which was first disclosed via the Zero Day Initiative (ZDI) by Lucas Leong.

Admins should ensure unpatched and exposed ESXi servers are firewalled so that no service ports, the SLP port (427) included, are reachable from the internet. VMware’s earlier mitigation for the vulnerability urged users to 1: Log in to the ESXi hosts using an SSH session (such as PuTTY); 2:…
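The two numbers worth acting on in this article are the version mix Shodan sees (mostly 6.7, which VMware notes is past End of General Support) and whether the OpenSLP service that CVE-2021-21974 lives in is reachable at all. The following is an added example, not VMware’s, Shodan’s or the article’s code, that turns an exported inventory of Shodan-style banners into a prioritised list: parse the ESXi version, mark anything below 7.0 as past General Support (6.5 and 6.7 left General Support on 15 October 2022; 6.0 and earlier did so before that), and test whether TCP/427, the standard SLP port OpenSLP listens on, accepts a connection. The inventory below is constructed with TEST-NET addresses, and the probe is injectable so the triage can be run offline against recorded results.

```python
"""Prioritise internet-exposed ESXi hosts by support status and SLP exposure.

Added example for illustration. Assumes OpenSLP listens on TCP/427 (the
standard SLP port) and treats ESXi releases below 7.0 as past End of General
Support. The host inventory is constructed (TEST-NET addresses).
"""
from __future__ import annotations

import re
import socket
from typing import Callable, Optional

SLP_PORT = 427  # Service Location Protocol, the service CVE-2021-21974 targets

# Constructed inventory in the shape of Shodan-style (ip, banner) records.
SAMPLE_HOSTS = [
    ("192.0.2.10", "VMware ESXi 6.7.0"),
    ("192.0.2.11", "VMware ESXi 7.0.3"),
    ("192.0.2.12", "VMware ESXi 6.5.0"),
    ("192.0.2.13", "banner unavailable"),
]

_VERSION_RE = re.compile(r"ESXi\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_esxi_version(banner: str) -> Optional[tuple[int, int, int]]:
    """Extract (major, minor, patch) from a banner, or None if absent."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(group) for group in match.groups(default="0"))  # type: ignore[return-value]


def past_eogs(version: Optional[tuple[int, int, int]]) -> bool:
    """True for releases that had left General Support by the time of the
    campaign (February 2023): every 6.x and earlier release."""
    return version is not None and version < (7, 0, 0)


def slp_reachable(host: str, port: int = SLP_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP connection to the SLP port completes.

    A firewalled host or a disabled slpd refuses or times out, both of
    which surface as OSError and are reported as not reachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(version: Optional[tuple[int, int, int]], exposed: bool) -> str:
    """high: SLP reachable on an unsupported or unidentifiable host;
    medium: SLP reachable on a supported host (patch level still unknown);
    low: SLP not reachable."""
    if not exposed:
        return "low"
    if version is None or past_eogs(version):
        return "high"
    return "medium"


def triage(hosts, probe: Callable[[str], bool] = slp_reachable) -> list[dict]:
    """Return one record per host with version, support status, SLP exposure
    and a priority, ordered by priority (high first) then by IP."""
    rank = {"high": 0, "medium": 1, "low": 2}
    report = []
    for ip, banner in hosts:
        version = parse_esxi_version(banner)
        exposed = probe(ip)
        report.append({
            "ip": ip,
            "version": version,
            "past_eogs": past_eogs(version),
            "slp_exposed": exposed,
            "priority": classify(version, exposed),
        })
    report.sort(key=lambda r: (rank[r["priority"]], r["ip"]))
    return report


if __name__ == "__main__":
    # Live probing of TEST-NET addresses simply times out; shorten the wait.
    for record in triage(SAMPLE_HOSTS, probe=lambda ip: slp_reachable(ip, timeout=0.5)):
        print(record)
```

A reachable SLP port on an End of General Support host is the combination the article describes, and is what the firewalling advice above is meant to remove; a host that is reachable but running 7.0 still needs its build compared against the fixed build in VMware’s advisory, which a banner alone does not tell you, hence “medium” rather than “low”.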
