Tag Archive for: virtual

Attackers Are Using Log4Shell Vulnerability to Deliver Backdoors to Virtual Servers



Internet security firm Sophos has released findings on how attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers, paving the way for persistent access and future ransomware attacks.

A new technical paper, “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers,” details the tools and techniques used to compromise the servers and deliver three different backdoors and four cryptominers.

The backdoors are possibly delivered by Initial Access Brokers.

Log4Shell (CVE-2021-44228) is a remote code execution vulnerability in the Java logging component Apache Log4j, which is embedded in hundreds of software products. It was publicly reported and patched in December 2021.

“Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos. “Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information.

Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high value target that they can sell on to other attackers, such as ransomware operators.”

The payloads Sophos saw delivered through Log4Shell to vulnerable Horizon servers include:

  • Two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, likely intended for malicious use as backdoors
  • The malicious Sliver backdoor 
  • The cryptominers z0Miner, JavaX miner, Jin and Mimu
  • Several PowerShell-based reverse shells that collect device and backup information

Sophos’ analysis revealed that Sliver is sometimes delivered together with Atera and PowerShell profiling scripts, and that it is used to deploy the Jin and Mimu variants of the XMRig Monero miner botnet.

According to Sophos, the attackers are using several different approaches to infect targets. While some of…


Smashing Security podcast #267: Virtual kidnapping, two helipads, and a naughty Apple employee – Graham Cluley





Myanmar: The introduction of a prohibition on the use of virtual private networks


In brief

The revised draft Cyber Security Law released by the Ministry of Transport and Communications (MOTC) on 13 January 2022 (“Draft Law 2.0”) appears to impose a broad prohibition on the use of virtual private networks (VPN) in Myanmar unless specific permission is granted by the MOTC. Draft Law 2.0 does not distinguish between consumer and business use of VPN; any person found guilty of the offense shall be punishable by imprisonment of between one and three years, a fine not exceeding MMK 5 million (approximately USD 2,500), or both.


Under the state of emergency, new regulations can be issued by the current administration within a short timeframe and without parliamentary review. Businesses operating in Myanmar should monitor developments in respect of Draft Law 2.0 and assess how such changes could affect their existing IT practices and operations. They should also watch for any subsequent guidelines detailing how to apply for permission from the MOTC.

  • Draft Law 2.0 was circulated by the MOTC to certain key businesses, including banks and telecommunications service providers, requesting comments on the revised draft by 28 January 2022. While many of the provisions are similar to, or a refinement of, the initial draft circulated in February 2021, the prohibition on the use of VPN is a new provision.
  • Under the Draft Law 2.0, any person intending to establish, access or connect to a network using VPN or equivalent technology is required to apply for specific permission from the MOTC. The definition of “network” is broadly drafted and covers any telecommunication system connected between any communication / computer devices through the use of cable, wireless or satellite or any other technologies.
  • Upon our informal consultation with the relevant authorities, we understand that the Draft Law 2.0, if and when enacted, may provide a transition period for the parties concerned to comply with the regulations in respect of the use of VPN. We also understand that further guidelines or…


New Python-based Ransomware Encrypts Virtual Machines Quickly


Sophos cybersecurity researchers have discovered a Python-based ransomware operation that escalated from a compromised corporate network to encrypted virtual machines in just three hours.

VMware ESXi datastores rarely have endpoint protection, the researchers noted, and they host the virtual machines (VMs) that likely run critical services for the business, which makes them a very attractive target. For an attacker, it’s like winning the jackpot.

In this case, the attackers employed unusual techniques to lock data and prevent any recovery.

Why the Hackers Used Python

Python is a powerful programming language that can interact with the operating system in just a few lines of code, and although ESXi is not Linux (it runs VMware’s own VMkernel), it exposes a Linux-like ESXi Shell and ships with a Python interpreter.

Python is convenient for invoking commands from other programs through its os module. In this case, the attackers uploaded a small Python script named fcker.py that wraps ESXi Shell commands such as vim-cmd vmsvc/getallvms and vim-cmd vmsvc/power.off.

These commands list all VMs and power them off, a necessary step before encryption because ESXi keeps the disk files of a running VM locked. The script then encrypts the files staged in the /tmp directory with a single line of code that invokes an openssl command, overwrites the original files with a four-letter curse word, and covers its tracks by deleting itself and the files it generated, including vms.txt, the list of VM names. Finally, the encrypted files are moved from /tmp back to their datastore location.

The finishing touch is that the script exposes its configurable parameters, such as the email address for payment contact, the suffix appended to encrypted files and the encryption keys, as variables and functions, so the same code can be reused against other targets.
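The two traces the text describes, originals overwritten with a few bytes and encrypted copies carrying an unfamiliar suffix, are something an incident responder can check for directly on the datastore. The triage script below is an added example, not Sophos’ code or the attackers’ script: the allow-list of suffixes, the 16-byte size threshold, the `.crypt` suffix and the sample VM folders it builds are all assumptions constructed for the demonstration, not VMware’s specification or real incident data.

```python
"""Triage a VMFS datastore for the traces left by the attack described above.

Added example (not from the Sophos report or the attackers' script).
Assumptions: a practical allow-list of suffixes found in VM folders, a
16-byte threshold for "overwritten" files, and a constructed sample tree.
"""
import os
import tempfile
from pathlib import Path

# Suffixes ordinarily present in a VM folder (assumption: practical allow-list,
# not an exhaustive VMware specification).
EXPECTED_SUFFIXES = {
    ".vmx", ".vmxf", ".vmsd", ".vmdk", ".nvram", ".log",
    ".vswp", ".vmsn", ".vmss", ".vmem", ".lck", ".hlog",
}
# No real VM file is this small; a four-byte overwrite is (assumption).
TINY_LIMIT = 16


def triage_datastore(root):
    """Walk root and return (overwritten, foreign) as sorted relative paths.

    overwritten: files of an expected type whose size is <= TINY_LIMIT bytes,
                 i.e. originals clobbered with a short marker string.
    foreign:     files whose suffix is not in EXPECTED_SUFFIXES, e.g. an
                 encrypted copy moved back with the ransomware's suffix.
    """
    root = Path(root)
    overwritten, foreign = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() not in EXPECTED_SUFFIXES:
            foreign.append(rel)
        elif path.stat().st_size <= TINY_LIMIT:
            overwritten.append(rel)
    return sorted(overwritten), sorted(foreign)


def build_sample_datastore():
    """Create a constructed datastore layout in a temp dir (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="datastore1-"))

    # web01: untouched VM. Descriptor, flat extent and vmx all well above TINY_LIMIT.
    web = root / "web01"
    web.mkdir()
    (web / "web01.vmdk").write_text("# Disk DescriptorFile\nversion=1\n" + "x" * 400)
    (web / "web01-flat.vmdk").write_bytes(b"\0" * 4096)
    (web / "web01.vmx").write_text('config.version = "8"\n' + "#" * 200)

    # db01: attacked VM. Originals overwritten with four bytes ("xxxx" stands in
    # for the marker string), encrypted copies carry an assumed ".crypt" suffix.
    db = root / "db01"
    db.mkdir()
    (db / "db01.vmdk").write_bytes(b"xxxx")
    (db / "db01.vmdk.crypt").write_bytes(os.urandom(512))
    (db / "db01.vmx").write_bytes(b"xxxx")
    (db / "db01.vmx.crypt").write_bytes(os.urandom(256))
    return root


def run_triage():
    """Build the sample tree and triage it; returns (overwritten, foreign)."""
    return triage_datastore(build_sample_datastore())


if __name__ == "__main__":
    overwritten, foreign = run_triage()
    print("overwritten originals:", overwritten)
    print("foreign-suffix files: ", foreign)
```

On a real host the function would be pointed at a datastore mount such as /vmfs/volumes/<name>, and the foreign-suffix list is the quickest way to learn which suffix a given sample used; the overwritten list tells you which VMs lost their originals and therefore need restoring from backup rather than repair.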

How the Attackers Gained Unauthorized Access

To run that script, the attackers first had to compromise the network. They targeted a TeamViewer account that did not have multi-factor authentication enabled and was running in the background on an administrator’s computer.

They downloaded tools to scan the network and opened an SSH connection. Unfortunately, the administrator still had his password manager open in a browser tab. The attackers found…
