Tag Archive for: Ongoing

Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks


Organizations using older versions of VMware ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed “End of General Support (EOGS) and/or significantly out-of-date products” continues.

However, the onslaught also points to wider problems in locking down virtual environments, security researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or “zero-day” flaw, but rather previously identified vulnerabilities that already have been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed “ESXiArgs” is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor’s Open Service Location Protocol (OpenSLP) service.

“With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi to mitigate the issue. VMware has shipped the service disabled by default since ESXi 7.0 U2c in 2021, and it remains disabled by default in ESXi 8.0 GA.
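After disabling slpd on a host, the check a practitioner wants is whether port 427 still answers. The following is an added example, not code from the article or from VMware: it builds an SLPv2 Service Request and parses a Service Reply according to RFC 2608, and sends one unicast probe over UDP. The service type "service:VMwareInfrastructure", the hostname in the constructed sample reply, and the 2-second timeout are this example's assumptions; the sample reply is constructed for offline use, not captured from a real host.

```python
"""Probe an ESXi host for a live OpenSLP (slpd) service on UDP/427.

Added example (not VMware's or the article's code). Message layout follows
RFC 2608 section 8: a 14-byte header plus language tag, then the function body.
"""
import socket
import struct
import sys

SLP_PORT = 427
SLP_VERSION = 2
FUNC_SRVRQST = 1   # Service Request
FUNC_SRVRPLY = 2   # Service Reply
# Assumed: the service type ESXi advertises over SLP.
ESXI_SERVICE_TYPE = "service:VMwareInfrastructure"


def _u24(n):
    return n.to_bytes(3, "big")


def _slp_str(s):
    """SLP string: 2-byte big-endian length followed by the bytes."""
    b = s.encode()
    return struct.pack("!H", len(b)) + b


def build_header(function_id, body_len, xid, lang="en"):
    lang_b = lang.encode()
    total = 14 + len(lang_b) + body_len   # length field covers the whole message
    return (bytes([SLP_VERSION, function_id]) + _u24(total)
            + struct.pack("!H", 0)          # flags: no overflow/fresh/mcast bits for unicast
            + _u24(0)                       # next extension offset: none
            + struct.pack("!H", xid)
            + struct.pack("!H", len(lang_b)) + lang_b)


def build_srvrqst(service_type, xid=0x1234, scope="DEFAULT"):
    body = (_slp_str("")            # PRList: no previous responders
            + _slp_str(service_type)
            + _slp_str(scope)
            + _slp_str("")          # predicate: none
            + _slp_str(""))         # SLP SPI: none
    return build_header(FUNC_SRVRQST, len(body), xid) + body


def parse_header(data):
    if len(data) < 14 or data[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    func = data[1]
    length = int.from_bytes(data[2:5], "big")
    xid = struct.unpack("!H", data[10:12])[0]
    lang_len = struct.unpack("!H", data[12:14])[0]
    return func, length, xid, 14 + lang_len   # last value = offset of the body


def parse_srvrply(data):
    """Return (error_code, xid, [(url, lifetime), ...]) from a SrvRply."""
    func, _, xid, off = parse_header(data)
    if func != FUNC_SRVRPLY:
        raise ValueError(f"function-id {func} is not a SrvRply")
    err, count = struct.unpack("!HH", data[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        # URL entry: reserved(1) lifetime(2) url-length(2) url, then auth count(1)
        lifetime = struct.unpack("!H", data[off + 1:off + 3])[0]
        ulen = struct.unpack("!H", data[off + 3:off + 5])[0]
        url = data[off + 5:off + 5 + ulen].decode()
        off += 5 + ulen
        nauth = data[off]
        off += 1
        for _ in range(nauth):               # skip auth blocks; bytes 2-3 hold block length
            off += struct.unpack("!H", data[off + 2:off + 4])[0]
        urls.append((url, lifetime))
    return err, xid, urls


def sample_srvrply(xid=0x1234):
    """Constructed SrvRply with one URL entry (hypothetical host, not real data)."""
    url = b"service:VMwareInfrastructure://esxi01.example.invalid"
    entry = b"\x00" + struct.pack("!H", 65535) + struct.pack("!H", len(url)) + url + b"\x00"
    body = struct.pack("!HH", 0, 1) + entry
    return build_header(FUNC_SRVRPLY, len(body), xid) + body


def probe(host, service_type=ESXI_SERVICE_TYPE, timeout=2.0):
    """Send one unicast SrvRqst; None means silence (slpd off or filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srvrqst(service_type), (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_srvrply(data)


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_srvrply(sample_srvrply()))
```

A reply of any kind means the service is still reachable; silence after the timeout is the expected result once slpd is stopped and the CIMSLP firewall ruleset is disabled. Run the probe from outside the management network too, since the exposure the article describes is to the internet-facing side.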

Unpatched Systems Again in the Crosshairs

VMware’s confirmation means that the attack by as-yet unknown perpetrators, which has so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US, might have been avoided by something that all organizations clearly need to do better: patch vulnerable IT assets, security experts said.

“This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in,” notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It’s a “sad truth” that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and…

Source…

Malaysia-linked hacktivists make ongoing attacks on India • The Register


A Malaysia-linked hacktivist group has attacked targets in India, seemingly in reprisal for a representative of the ruling Bharatiya Janata Party (BJP) making remarks felt to be insulting to the prophet Muhammad.

The BJP has ties to the Hindu Nationalist movement that promotes the idea India should be an exclusively Hindu nation. During a late May debate about the status of a mosque in the Indian city of Varanasi – a holy city and pilgrimage site – BJP rep Nupur Sharma made inflammatory remarks about Islam that sparked controversy and violence in India.


According to Indian threat intelligence vendor CloudSEK and US-based security and application delivery vendor Radware, Sharma’s remarks caught the attention of a Malaysia-linked group called DragonForce that has launched attacks against Indian targets and sought assistance from others to do likewise under the banner “#OpsPatuk”.

Radware’s take [PDF] on DragonForce is that it is “a known pro-Palestinian hacktivist group located in Malaysia and has been observed working with several threat groups in the past, including the T3 Dimension Team and ReliksCrew.”

“DragonForce Malaysia is not considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated,” Radware’s analysts wrote. “But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.”

Those skills extend to Twitter, where DragonForce is assumed to be the entity behind a tweet (embedded in the original article) that calls for others to join its attacks on India and lists targets in sectors including logistics, education, web hosting, and software.

CloudSEK concurs with Radware’s analysis that DragonForce relies on widely available DDoS tools and suggests

Source…

New stealthy Nerbian RAT malware spotted in ongoing attacks



A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers.

The new malware variant is written in Go, making it a cross-platform 64-bit threat, and it’s currently distributed via a small-scale email distribution campaign that uses document attachments laced with macros.

The email campaigns were discovered by researchers at Proofpoint, who released a report today on the new Nerbian RAT malware.

Impersonating the WHO

The malware campaign distributing Nerbian RAT impersonates the World Health Organization (WHO), which is allegedly sending COVID-19 information to the targets.

Phishing email seen in the latest campaign (Proofpoint)

The RAR attachments contain Word documents laced with malicious macro code. If the recipient opens one in Microsoft Office and clicks “Enable Content,” the macro drops a .bat file, which in turn runs a PowerShell command to download a 64-bit dropper.

The dropper, named “UpdateUAV.exe,” is also written in Go and is packed with UPX to keep the file size down.

UpdateUAV reuses code from various GitHub projects to incorporate a rich set of anti-analysis and detection-evasion mechanisms before Nerbian RAT is deployed.

Apart from that, the dropper also establishes persistence by creating a scheduled task that launches the RAT every hour.

Proofpoint summarizes the list of anti-analysis tools as follows:

  • Check for the existence of reverse engineering or debugging programs in the process list
  • Check for suspicious MAC addresses
  • Check the WMI strings to see if disk names are legitimate
  • Check if the hard disk size is below 100GB, which is typical for virtual machines
  • Check if there are any memory analysis or tampering detection programs present in the process list
  • Check the amount of time elapsed since execution and compare it with a set threshold
  • Use the IsDebuggerPresent API to determine if the executable is being debugged

Together these checks make it difficult to get the RAT running in a stock sandbox or virtual machine, prolonging the campaign’s stealth, although an analysis environment that masks those indicators (non-virtual MAC prefixes, realistic disk models and sizes, no debugger processes) will still run it.
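An analyst building a detonation environment wants to know which of the listed heuristics that environment would trip. The following is an added example, not Proofpoint’s or the malware’s code: it scores a host profile against the seven checks above. The 100 GB disk threshold comes from the report; the debugger process names, virtualization MAC prefixes, disk-model keywords, the 2-second elapsed-time threshold, and the reading of the time check (a long gap since start suggests single-stepping in a debugger) are this example’s assumptions, and the two profiles are constructed for offline use.

```python
"""Audit an analysis VM against the Nerbian-style anti-analysis checks.

Added example (not the malware's or Proofpoint's code). Feed it a profile dict
gathered from the box under test and see which heuristics a sample would trip.
"""
import time

# Assumed names of debugger, monitoring and memory-analysis tools (lower-case, no path).
ANALYSIS_TOOLS = {
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "ida.exe", "ida64.exe", "windbg.exe",
    "procmon.exe", "procexp.exe", "processhacker.exe", "wireshark.exe", "fiddler.exe",
    "procdump.exe", "dumpit.exe",
}
# Well-known virtualization MAC OUIs (assumed to be what such a check matches).
VM_MAC_PREFIXES = ("00:0c:29", "00:50:56", "00:05:69", "08:00:27", "00:1c:42", "00:15:5d")
# Assumed substrings that give away a virtual disk in WMI disk model strings.
VM_DISK_MARKERS = ("vmware", "vbox", "virtual", "qemu")
MIN_DISK_GB = 100          # threshold stated in the report
MAX_ELAPSED_SECONDS = 2.0  # assumed: more than this since start suggests stepping in a debugger


def audit(profile, now=None):
    """Return {check_name: tripped} for a profile with keys
    processes (list[str]), macs (list[str]), disk_models (list[str]),
    disk_gb (number), start_time (epoch float), debugger_present (bool)."""
    now = time.time() if now is None else now
    procs = {p.lower() for p in profile.get("processes", [])}
    macs = [m.lower() for m in profile.get("macs", [])]
    models = [d.lower() for d in profile.get("disk_models", [])]
    return {
        "analysis_tool_running": bool(procs & ANALYSIS_TOOLS),
        "vm_mac_prefix": any(m.startswith(VM_MAC_PREFIXES) for m in macs),
        "vm_disk_model": any(k in d for d in models for k in VM_DISK_MARKERS),
        "small_disk": profile.get("disk_gb", 0) < MIN_DISK_GB,
        "clock_skipped": (now - profile.get("start_time", now)) > MAX_ELAPSED_SECONDS,
        "is_debugger_present": bool(profile.get("debugger_present", False)),
    }


def failing_checks(profile, now=None):
    """Sorted names of the checks a sample would trip on this host."""
    return sorted(name for name, tripped in audit(profile, now).items() if tripped)


# Constructed profile of a default VMware analysis VM with a debugger attached (not real data).
SAMPLE_VM_PROFILE = {
    "processes": ["explorer.exe", "x64dbg.exe", "procmon.exe"],
    "macs": ["00:0C:29:3A:7B:1C"],
    "disk_models": ["VMware Virtual disk SCSI Disk Device"],
    "disk_gb": 60,
    "start_time": 1_700_000_000.0,
    "debugger_present": True,
}

# Constructed profile of a hardened VM that masks the same indicators (not real data).
SAMPLE_HARDENED_PROFILE = {
    "processes": ["explorer.exe", "svchost.exe"],
    "macs": ["3C:22:FB:11:22:33"],
    "disk_models": ["Samsung SSD 970 EVO 500GB"],
    "disk_gb": 500,
    "start_time": 1_700_000_000.0,
    "debugger_present": False,
}

if __name__ == "__main__":
    for label, prof in (("default VM", SAMPLE_VM_PROFILE), ("hardened VM", SAMPLE_HARDENED_PROFILE)):
        print(f"{label}: {failing_checks(prof, now=prof['start_time'] + 0.5)}")
```

On a Windows host the fields come from tasklist (processes), getmac (MAC addresses), wmic diskdrive get Model,Size (disk models and size) and ctypes.windll.kernel32.IsDebuggerPresent(); the start time is the moment the sample was launched. A hardened profile that returns an empty list is the minimum bar for detonating this family.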

Nerbian RAT features

The trojan is downloaded as “MoUsoCore.exe” and is saved to…

Source…

Orca Security Launches Industry's First Cloud Risk Encyclopedia to Provide Ongoing Education for Cloud Security Best Practices – Galveston County Daily News



Source…