Tag Archive for: VMware

Week in review: PaperCut vulnerabilities, VMware fixes critical flaws, RSA Conference 2023

/in


The week in security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

RSA Conference 2023
RSA Conference 2023 took place at the Moscone Center in San Francisco. Check out our microsite for related news, photos, product releases, and more.

Overcoming industry obstacles for decentralized digital identities
In this Help Net Security interview, Eve Maler, CTO at ForgeRock, talks about how digital identities continue to play a critical role in how we access online services securely. Maler also highlights the challenges encountered by various industries in implementing decentralized digital identities.

PaperCut vulnerabilities leveraged by Clop, LockBit ransomware affiliates
Clop and LockBit ransomware affiliates are behind the recent attacks exploiting vulnerabilities in PaperCut application servers, according to Microsoft and Trend Micro researchers.

Common insecure configuration opens Apache Superset servers to compromise
An insecure default configuration issue (CVE-2023-27524) makes most internet-facing Apache Superset servers vulnerable to attackers, Horizon3.ai researchers have discovered.

3CX breach linked to previous supply chain compromise
Pieces of the 3CX supply chain compromise puzzle are starting to fall into place, though we’re still far away from seeing the complete picture.

GitHub introduces private vulnerability reporting for open source repositories
GitHub has announced that its private vulnerability reporting feature for open source repositories is now available to all project owners.

Google Authenticator updated, finally allows syncing of 2FA codes
Google has updated Google Authenticator, its mobile authenticator app for delivering time-based one-time authentication codes, and now allows users to sync (effectively: back up) their codes to their Google account.

VMware fixes critical flaws in virtualization software (CVE-2023-20869, CVE-2023-20870)
VMware has fixed one critical (CVE-2023-20869) and three important flaws (CVE-2023-20870, CVE-2023-20871, CVE-2023-20872) in its VMware Workstation and Fusion virtual user session software.

Google adds new risk assessment tool for Chrome extensions
Google has made available a new tool for…

Source…

VMware ESXi Ransomware Attacks: 5 Things To Know

/in


Security News


Kyle Alspach


The ESXiArgs ransomware campaign has succeeded at compromising thousands of servers running VMware’s ESXi hypervisor — though the lack of sophistication of the attacks could make recovery easier for victims, a security researcher tells CRN.

A Widespread Threat

The “ESXiArgs” ransomware campaign, which targets servers running unpatched versions of the VMware ESXi hypervisor, has now struck thousands of servers across the U.S., Canada and Europe since reports of the attacks first emerged late last week. On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI released an advisory on the attacks that puts the number of compromised servers worldwide at 3,800. The attacks are exploiting a two-year-old vulnerability that affects older versions of VMware ESXi and is tracked at CVE-2021-21974, according to researchers.

[Related: ‘No Warranty’: ESXiArgs Ransomware Decryptor Is Not To Be Used Lightly]

“Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware,” CISA and the FBI said in the joint advisory. The ESXiArgs ransomware works by encrypting configuration files located on ESXi servers, “potentially rendering virtual machines (VMs) unusable,” the advisory says.

In another indicator of the severity of the situation, CISA took an unusual step for a government agency in releasing a decryptor script that aims to aid recovery from the ESXiArgs ransomware. Ultimately, “from a campaign standpoint, the ESXiArgs campaign seems to be pretty successful,” said Erick Galinkin, principal researcher at cybersecurity firm Rapid7, in an interview with CRN.

According to cybersecurity vendor Wiz, 12 percent of servers running the VMware ESXi hypervisor were…

Source…

Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks

/in


Organizations using older versions of VMWare ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed “End of General Support (EOGS) and/or significantly out-of-date products” continues.

However, the onslaught also points out wider problems in locking down virtual environments, the researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or “zero-day” flaw, but rather previously identified vulnerabilities that already have been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed “ESXiArgs” is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor’s Open Service Location Protocol (OpenSLP) service.

“With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi, something VMware began doing by default in shipped versions of the project starting in 2021 with ESXi 7.0 U2c and ESXi 8.0 GA, to mitigate the issue.

Unpatched Systems Again in the Crosshairs

VMware’s confirmation means that the attack by as-yet unknown perpetrators that’s so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US may have been avoided by something that all organizations clearly need to do better — patch vulnerable IT assets — security experts said.

“This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in,” notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It’s a “sad truth” that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and…

Source…

VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks

/in


VMware has urged customers to take action as unpatched ESXi servers continue to be targeted in ESXiArgs ransomware attacks.

Hackers are exploiting CVE-2021-21974, a high-severity ESXi remote code execution vulnerability related to OpenSLP that VMware patched in February 2021. Following successful exploitation, unidentified threat actors have deployed file-encrypting ransomware that targets virtual machines. 

Technical details and a proof-of-concept (PoC) exploit for CVE-2021-21974 have been around for nearly two years, but there is no indication that in-the-wild exploitation has been observed until now. 

In a blog post published on its Security Response Center on Monday, VMware said there is no evidence that the attacks involve exploitation of a zero-day vulnerability. 

“Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories,” the virtualization giant said. 

Attacks are possible because many organizations are running old and unpatched software.

“I’ve assessed nearly 500 owned boxes this evening, all of them are on old software releases. A shocking amount of orgs run ESXi on long end of life versions,” researcher Kevin Beaumont said on Monday. 

ESXiArgs ransomware attacks appear to have started on or around February 3. As of February 7, Censys shows nearly 2,500 compromised servers and Shodan shows more than 1,600. Most of the hacked systems are located in France, followed by the United States. 

On compromised systems, the hackers drop a ransom note instructing victims to pay roughly $50,000 in bitcoins in order to recover their files and prevent them from getting leaked. While the cybercriminals claim to have stolen data that they will sell unless a ransom is paid, there does not appear to be any evidence to date that files have actually been stolen in ESXiArgs attacks.

As for the malware used in these attacks, it seems to target files associated with virtual machines. 

In some cases, the malware’s encryption routine can partially fail, which could allow some victims to recover their data without…

Source…