ChromeLoader: Microsoft, VMware Warn of New Malware Campaigns

 

Microsoft and VMware are warning about the ongoing, widespread ChromeLoader malware campaign, which Microsoft says has led to “ongoing wide-ranging click frauds” this year.

The malware, named ChromeLoader, hijacks browsers to redirect users to ad pages. It has since evolved into a broader threat, delivering more potent payloads that go beyond malvertising: variants of ChromeLoader have been dropping malicious browser extensions, node-WebKit malware and even ransomware on Windows PCs and Macs.

Functioning of ChromeLoader 

Microsoft detected an ongoing, widespread click-fraud campaign and attributed it to a threat actor it tracks as DEV-0796. The attack begins with an ISO file that is downloaded when the user clicks a malicious ad, a browser redirect or a YouTube comment. The attackers seek to profit, without being detected, from clicks generated by the malicious browser extensions or node-WebKit applications they have installed on the victim's device.

Researchers from VMware's Carbon Black Managed Detection and Response (MDR) team said they have seen the malware's operators impersonating various legitimate services to lead users to ChromeLoader. The researchers observed hundreds of attacks involving variants of the malware, targeting multiple sectors such as education, government, healthcare, and enterprises in business services.

“This campaign has gone through many changes over the past few months, and we don’t expect it to stop [...] It is imperative that these industries take note of the prevalence of this threat and prepare to respond to it,” warn the researchers.

Rapid Evolution Of Malware

Earlier, the malware infected Chrome with a malicious extension that redirected user traffic to advertising sites, performing click fraud and generating income for the threat actors. “But, it later evolved into an ‘info-stealer’, stealing sensitive data stored in browsers and deploying zip bombs (i.e. malicious archive files) to crash systems, while still retaining its adware function,” said researchers in an advisory released on September 19.

Because adware does not cause significant damage to a victim's software, analysts tend not to take the threat seriously. However, any software that, like ChromeLoader, can enter a system undetected is an immediate threat to the user, because the operators can then push further modifications that open up new ways to monetize the infection.

“The Carbon Black MDR team believes that this is an emerging threat that needs to be tracked and taken seriously [...] due to its potential for delivering more nefarious malware,” VMware said in the advisory. 

ESXi, Linux, and Windows Systems at Risk From New Luna Ransomware

Luna is a brand-new ransomware family written in Rust, making it the third family to use that language after BlackCat and Hive, according to Kaspersky security researchers.

The researchers who examined the ransomware's command-line options consider Luna a reasonably straightforward ransomware program.

Luna ransomware

Luna's encryption scheme combines x25519 key exchange with AES. The researchers found that the Linux and ESXi samples, which are compiled from the same source code, differ only slightly from the Windows version.

Darknet forum advertisements for Luna indicate that the ransomware is only meant to be used by Russian-speaking affiliates. Because of spelling errors in the ransom note hard-coded into the malware, its main creators are also thought to be Russian speakers.

By using a cross-platform language, Luna is also able to evade automated static code analysis.

"The source code used to compile the Windows version and the Linux and ESXi samples is identical. The remaining code is almost unchanged from the Windows version," the researchers added. Luna "confirms the trend for cross-platform ransomware," the researchers wrote, pointing out how attackers are able to target and strike at scale while avoiding static analysis, thanks to the platform flexibility of languages like Golang and Rust.

Nevertheless, because Luna is a recently identified criminal group whose activities are still being monitored, very little is known about its victimology so far.

Black Basta

Researchers have also revealed information about the Black Basta ransomware group, which modified its software to target ESXi systems. By adding support for VMware ESXi, various ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil, hope to widen their pool of potential targets.

The double-extortion attack model is used by Black Basta, a ransomware operation that has been operational since April 2022.

Researchers from Kaspersky said the operators had introduced a new feature that boots the computer into safe mode before encrypting data, and that the malware imitates Windows services in order to maintain persistence.

Black Basta can avoid detection from a variety of endpoint security solutions by starting Windows in safe mode.




This New RedAlert Ransomware Targets Windows and Linux VMware ESXi Servers

 

RedAlert (aka N13V), a new ransomware threat that encrypts both Windows and Linux VMware ESXi systems, has been discovered. MalwareHunterTeam uncovered the new ransomware and published several screenshots of its data leak site. The ransomware is known as RedAlert because of a string in the ransom note.

However, the attackers internally refer to their operation as N13V in the Linux encryptor. The Linux encryptor is intended for use on VMware ESXi servers and includes command-line options that let attackers shut down any running virtual machines before encrypting data.

RedAlert, like other enterprise-targeted ransomware operations, conducts double-extortion attacks in which data is stolen and then ransomware is used to encrypt machines. The ransomware exclusively targets VMware ESXi virtual machine data, such as memory files, log files, virtual disks, and swap files.

The ransomware encrypts certain file formats and appends the .crypt658 extension to the file names. It drops a ransom note entitled HOW TO RESTORE in each folder, which includes a description of the stolen data and a link to a TOR ransom payment site. One of RedAlert/N13V's features is the '-x' command-line option, which performs asymmetric cryptography performance testing with various NTRUEncrypt parameter sets.

During encryption, the ransomware employs the NTRUEncrypt public-key encryption method, which supports several 'Parameter Sets' with varying degrees of protection. Aside from RedAlert, the only other ransomware known to use this form of encryption is FiveHands.  

RedAlert currently lists only one organisation as a victim; however, this may change in the near future. Furthermore, the malware's support for both Windows and Linux shows that it intends to target a broader attack surface. As a result, enterprises should keep an eye on this threat. Always use encryption and access controls to safeguard critical information.
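As an added example (not code from the RedAlert report or from any vendor), the following Python script triages an ESXi datastore directory for the indicators the article names: files carrying the appended .crypt658 extension and ransom notes named HOW TO RESTORE, summarised per VM folder so responders can see which machines were hit. The sample datastore layout it builds is constructed for illustration, and mapping the targeted file types to the .vmem, .log, .vmdk and .vswp extensions is an assumption.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".crypt658"   # extension RedAlert appends (from the report)
RANSOM_NOTE = "HOW TO RESTORE"   # ransom note name (from the report)
# File types the report says are targeted; the extension mapping is an assumption.
VM_EXTENSIONS = {".vmem", ".log", ".vmdk", ".vswp"}


def classify_name(name):
    """Classify one file name as 'note', 'encrypted', 'intact' or None."""
    if name.startswith(RANSOM_NOTE):
        return "note"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if os.path.splitext(name)[1].lower() in VM_EXTENSIONS:
        return "intact"
    return None


def triage_datastore(root):
    """Walk a datastore mount and count indicators per VM directory."""
    summary = defaultdict(lambda: {"encrypted": 0, "intact": 0, "note": 0})
    for dirpath, _dirs, files in os.walk(root):
        vm_dir = os.path.relpath(dirpath, root)
        for name in files:
            kind = classify_name(name)
            if kind is not None:
                summary[vm_dir][kind] += 1
    return {vm: dict(counts) for vm, counts in summary.items()}


def affected_vms(summary):
    """VM directories showing any encrypted file or ransom note."""
    return sorted(vm for vm, c in summary.items() if c["encrypted"] or c["note"])


def build_sample_datastore(root):
    """Create a constructed layout: one VM hit by the encryptor, one untouched."""
    layout = {
        "web01": ["web01.vmx", "web01.vmdk" + ENCRYPTED_SUFFIX,
                  "web01-flat.vmdk" + ENCRYPTED_SUFFIX,
                  "web01.vswp" + ENCRYPTED_SUFFIX,
                  "vmware.log" + ENCRYPTED_SUFFIX, RANSOM_NOTE],
        "db02": ["db02.vmx", "db02.vmdk", "db02-flat.vmdk", "vmware.log"],
    }
    for vm, names in layout.items():
        os.makedirs(os.path.join(root, vm), exist_ok=True)
        for name in names:
            with open(os.path.join(root, vm, name), "wb") as fh:
                fh.write(b"constructed sample content\n")


def demo():
    """Build the sample datastore in a temp dir and return its triage summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_datastore(root)
        return triage_datastore(root)


if __name__ == "__main__":
    result = demo()
    for vm, counts in sorted(result.items()):
        print(f"{vm}: {counts}")
    print("affected:", affected_vms(result))
```

Point `triage_datastore` at a real datastore mount (for example a path under /vmfs/volumes copied off the host) instead of the constructed sample to get the same per-VM summary.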

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

 

Researchers have revealed the first-ever Python-based ransomware specifically tailored to target vulnerable Jupyter notebooks. Jupyter is a web-based interactive computing platform that allows editing and running programs via a browser. Python isn't widely used for malware development; notably, criminals prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack: in October 2021, Sophos disclosed Python ransomware specifically targeting VMware ESXi systems.

Jupyter Notebook is an open-source, web-based data visualization platform used in data science, computing, machine learning, and modular software to model data. The project supports over 40 programming languages and is used by Microsoft, IBM, and Google, as well as universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script that encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation."

The Python ransomware is aimed at those who have unintentionally exposed their systems. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the attack came to a halt before completing its mission, Team Nautilus was able to gather enough data to replicate the remainder of the attack in a lab setting. The encryptor would copy and encrypt files, then remove any unencrypted data before deleting itself.

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords. We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding that no ransom note was displayed during the process, raising the possibility that the threat actor was experimenting with the modus operandi or that the honeypot timed out before the attack could be completed.

Regardless, based on what they have seen, the researchers believe it is ransomware rather than a wiper. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password. This is further evidence that this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident investigation points to a Russian actor, citing similarities with prior crypto-mining attacks focused on Jupyter notebooks, the attacker's identity remains unknown.

Conti Ransomware Exploits Log4j Flaw to Hack VMware vCenter Servers

 

The critical Log4Shell exploit is being used by the Conti ransomware operation to obtain quick access to internal VMware vCenter Server instances and encrypt virtual machines. The group wasted no time in adopting the new attack vector, becoming the first "top-tier" operation to exploit the Log4j flaw. 

On December 9, a proof-of-concept (PoC) exploit for CVE-2021-44228, also known as Log4Shell, was made public. A day later, numerous actors began scanning the internet in search of vulnerable systems. Cryptocurrency miners, botnets, and a new ransomware strain called Khonsari were among the first to leverage the flaw. 

By December 15, state-backed hackers and initial access brokers, who sell network access to ransomware gangs, had joined the list of threat actors using Log4Shell. Conti, one of today's largest and most prolific ransomware groups with tens of full-time members, seems to have developed an early interest in Log4Shell, viewing it as a potential attack channel on Sunday, December 12. 

The group began seeking fresh victims the next day, intending to move laterally to VMware vCenter networks, according to Advanced Intelligence (AdvIntel), a cybercrime and adversary-disruption firm. Log4Shell has affected dozens of vendors, who have rushed to patch their products or provide workarounds and mitigations for customers. VMware is one of them, with 40 products listed as vulnerable.

While the firm has suggested mitigations or fixes, a patch for the affected vCenter versions has yet to be released. Although vCenter servers are not generally accessible to the internet, there are a few scenarios in which an attacker may exploit the flaw.

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” – VMware

Log4Shell to move laterally 

"This is the first time this vulnerability entered the radar of a major ransomware group," according to a report shared with BleepingComputer. 

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” - AdvIntel 

While most defenders are focused on stopping Log4Shell attacks against internet-facing devices, the Conti ransomware operation demonstrates how the vulnerability can be leveraged against internal systems that are not as well protected.

Conti ransomware affiliates had already compromised the target networks and exploited vulnerable Log4j machines to obtain access to vCenter servers, according to the researchers. This indicates that Conti members used a different initial access vector to infect a network (RDP, VPN, email phishing) and are now using Log4Shell to move laterally within it.

Conti, the successor to the notorious Ryuk ransomware, is a Russian-speaking group that has been in the ransomware business for a long time. Hundreds of attacks have been carried out by the group, with its data leak site alone reporting over 600 victim firms who did not pay a ransom. Other firms who paid the actor to have their data decrypted are also included. The group has extorted more than $150 million from its victims in the last six months, according to AdvIntel.

VMware Patched SSRF & Arbitrary File Read Flaws in vCenter Server

 

VMware has published security upgrades for the vCenter Server after addressing arbitrary file read and server-side request forgery (SSRF) vulnerabilities in the vSphere Web Client (FLEX/Flash).

A VMware security advisory was released on November 23, and the US Cybersecurity and Infrastructure Security Agency (CISA) also encouraged enterprises running vulnerable instances of the server management platform to deploy the required updates.

In terms of severity, both flaws were labelled 'important.' The more serious, with a CVSS rating of 7.5, is the arbitrary file read flaw (CVE-2021-21980), which if exploited might allow a malicious actor to gain access to sensitive data. The SSRF vulnerability (CVE-2021-22049), with a CVSS of 6.5, was discovered in the vSAN Web Client (vSAN UI) plugin. An attacker might take advantage of it to reach an internal service or to make a URL request from outside the vCenter Server.

VMware has released security updates for vCenter Server versions 6.5 and 6.7 that address both vulnerabilities. The issues do not impact the 7.x release line, which cannot use the vSphere Web Client (FLEX/Flash). Cloud Foundation's 3.x release line is still waiting for patches for both problems, whereas 4.x is unaffected.

VMware acknowledged Orz lab's 'ch0wn' for disclosing the arbitrary file read issue and the QI-ANXIN Group's 'magiczero' for reporting the SSRF. As per Statista, three of the top five server virtualization systems by market share are VMware platforms, with vSphere leading the pack and vCenter Server ranking fifth.

VMware's dominance in the server virtualization market, along with many organisations' slowness in applying updates, has made its systems prime targets for skilled attackers. The Daily Swig revealed in September that another significant arbitrary file upload flaw in the vCenter Server was being exploited.

In June, it was revealed that thousands of vCenter Server instances remained unpatched for three weeks after a pair of serious issues in the vSphere Client (HTML5) were discovered.

Attackers use Python Ransomware to Encrypt VMware ESXi Servers

 

Researchers uncovered new Python ransomware from an unnamed gang that attacks ESXi servers and virtual machines (VMs) with "sniper-like" speed. Sophos stated on Tuesday that the ransomware is being used to infiltrate and encrypt virtual machines hosted on an ESXi hypervisor in operations that take less than three hours from start to finish.

In a press release accompanying his in-depth report, Andrew Brandt, principal researcher at Sophos, said, “This is one of the fastest ransomware attacks Sophos has ever investigated, and it appeared to precision-target the ESXi platform.” 

The Python language is rarely used for ransomware, according to Brandt. But, he continued, its use makes sense because Python comes pre-installed on Linux-based systems like ESXi, which enables Python-based attacks on those systems.

The attack used a custom Python script that, when run on the target organization's virtual machine hypervisor, took all virtual machines offline. According to Sophos' security analysts, the attackers were swift to deploy the ransomware; the encryption process began about three hours after the initial intrusion.

The attackers gained initial access using a TeamViewer account that did not have multi-factor authentication enabled and was running in the background on a computer owned by a user with Domain Administrator credentials. According to Sophos, the attackers logged in 30 minutes after midnight in the organization's time zone, then downloaded and used a tool to discover targets on the network, which led them to a VMware ESXi server. 

At roughly 2 a.m., the attackers got into the server through the ESXi Shell, a built-in SSH-accessible shell that can be enabled on ESXi servers for administration purposes. Three hours after the network was first scanned, the attackers logged into the ESXi Shell, copied the Python script over, and then ran it once per datastore volume, encrypting the virtual disk and configuration files of the virtual machines.

“The script contains variables that the attacker can configure with multiple encryption keys, email addresses, and where they can customize the file suffix that gets appended to encrypted files,” Brandt wrote.

While walking through the code, Sophos investigators discovered several hardcoded encryption keys as well as a routine for generating additional encryption key pairs. Normally, according to Brandt, an attacker would just need to insert their own public key, which would be used to encrypt files on the targeted computer(s). However, it appears that each time this ransomware is launched, it generates a new key.
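As an added example that is not part of the Sophos report, here is Python detection logic for the chain described above: an SSH login to an ESXi host followed, within a few hours, by ESXi Shell commands that run a script against a datastore or power off VMs. The log lines are constructed samples approximating /var/log/auth.log and /var/log/shell.log on ESXi (the exact field layout on a given build is an assumption), and the quiet-hours window and suspicious-command patterns are assumptions to tune locally.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from a real incident) approximating ESXi's
# auth.log (sshd) and shell.log (ESXi Shell command history).
AUTH_LOG = """\
2021-10-05T01:58:12Z sshd[2099860]: Accepted keyboard-interactive/pam for root from 10.10.8.44 port 51234 ssh2
2021-10-05T09:15:02Z sshd[2101134]: Accepted keyboard-interactive/pam for root from 10.10.1.5 port 40122 ssh2
"""
SHELL_LOG = """\
2021-10-05T01:58:40Z shell[2099870]: [root]: ls /vmfs/volumes
2021-10-05T01:59:03Z shell[2099870]: [root]: esxcli vm process list
2021-10-05T02:01:17Z shell[2099870]: [root]: python /tmp/encrypt.py /vmfs/volumes/datastore1
2021-10-05T02:04:52Z shell[2099870]: [root]: python /tmp/encrypt.py /vmfs/volumes/datastore2
2021-10-05T09:16:10Z shell[2101140]: [root]: esxcli system version get
"""

AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
SHELL_RE = re.compile(r"^(\S+) shell\[\d+\]: \[(\w+)\]: (.*)$")

# Commands a defender would not expect in a routine ESXi Shell session
# (assumption: adjust to what your own administrators actually run).
SUSPICIOUS = [
    (re.compile(r"\bpython\S*\s+\S+\s+/vmfs/volumes"), "python script run against a datastore"),
    (re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b"), "VM powered off via vim-cmd"),
    (re.compile(r"\besxcli\s+vm\s+process\s+kill\b"), "VM process killed via esxcli"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth(text):
    """Return (time, user, source_ip) for each accepted SSH login."""
    return [(_ts(m.group(1)), m.group(2), m.group(3))
            for m in map(AUTH_RE.match, text.splitlines()) if m]


def parse_shell(text):
    """Return (time, user, command) for each ESXi Shell command record."""
    return [(_ts(m.group(1)), m.group(2), m.group(3))
            for m in map(SHELL_RE.match, text.splitlines()) if m]


def classify(cmd):
    """Return a reason string if the command matches a suspicious pattern."""
    for pattern, reason in SUSPICIOUS:
        if pattern.search(cmd):
            return reason
    return None


def analyze(auth_text, shell_text, window=timedelta(hours=3), quiet=(22, 6)):
    """Flag off-hours logins and suspicious commands, attributing each command
    to the most recent login by the same user inside the correlation window."""
    logins = parse_auth(auth_text)
    alerts = []
    for when, user, ip in logins:
        if when.hour >= quiet[0] or when.hour < quiet[1]:
            alerts.append({"time": when, "user": user, "source": ip,
                           "reason": "off-hours SSH login"})
    for when, user, cmd in parse_shell(shell_text):
        reason = classify(cmd)
        if reason is None:
            continue
        source = None
        for login_time, login_user, login_ip in logins:
            if login_user == user and login_time <= when <= login_time + window:
                source = login_ip
        alerts.append({"time": when, "user": user, "source": source,
                       "reason": reason, "command": cmd})
    return alerts


if __name__ == "__main__":
    for alert in analyze(AUTH_LOG, SHELL_LOG):
        print(alert)
```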

VMware Patches Authentication Bypass in Carbon Black App Control

 

VMware, the California-based cloud computing and virtualization technology firm has patched an authentication bypass vulnerability in its Carbon Black App Control (AppC) management server. According to VMware’s advisory, the authentication-bypass vulnerability affected AppC versions 8.0.x, 8.1.x, 8.5.x, and 8.6.x. 

The flaw, tracked as CVE-2021-21998, falls into the critical range with a maximum CVSSv3 base score of 9.4 out of 10. A malicious actor with network access to the VMware Carbon Black App Control management server might be able to gain administrative privileges to the application without needing to authenticate, VMware explained.

However, even if the attacker doesn’t need valid credentials for the target application, they would still have to first gain network access to the VMware Carbon Black App Control management server for the attack to succeed, VMware explains in an advisory.

AppC is designed to strengthen the security of servers and to prevent unauthorized changes in the face of cyber-attacks and ensure compliance with regulatory mandates such as PCI-DSS, HIPAA, GDPR, SOX, FISMA, and NERC. 

Besides the authentication-bypass patch, VMware also patched a local privilege escalation flaw affecting VMware Tools for Windows, VMware Remote Console for Windows (VMRC for Windows), and VMware App Volumes that could allow an attacker to execute arbitrary code on compromised systems.

At this point, the flaw doesn’t have a severity score from the National Institute of Standards and Technology (NIST), but VMware evaluated it at 7.8 (high severity). The flaw, CVE-2021-21999, is a local privilege-escalation vulnerability.

"An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as 'openssl.cnf' in an unrestricted directory which would allow code to be executed with elevated privileges," VMware noted. 

The flaw in AppC is only the latest severe problem that VMware has patched. In February, VMware fixed three bugs in its virtual machine infrastructure for data centers, including a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to discover other vulnerable points of network entry to take over affected systems.

VMware Becomes New Target of FreakOut Malware

 

A new, dangerous malware campaign known as "FreakOut" has been targeting unpatched Linux machines that run Network Attached Storage (NAS) software and certain PHP- and Java-based web application frameworks.

The FreakOut botnet first appeared in November 2020 and returned with a fresh wave of attacks in January 2021. The malware targets TerraMaster data storage units, web apps built on top of the Zend PHP framework, and websites running the Liferay Portal content management system.

This Python-based, multi-platform malware, which has previously targeted Windows and Linux systems, has been updated to go after internet-exposed VMware vCenter servers that are unpatched against a remote code execution vulnerability.

This vulnerability in the vRealize Operations (vROps) plug-in of VMware vCenter (CVE-2021-21972) is particularly noteworthy because it affects the default installation of vCenter Server. As Shodan and BinaryEdge show, thousands of unpatched vCenter servers are currently reachable from the Internet.

FreakOut builds an IRC botnet controlled by its operators, spreading by exploiting a wide variety of OS and application vulnerabilities and by guessing SSH passwords. The malware's key features allow operators to launch DDoS attacks, backdoor affected devices, sniff network traffic and steal data, and deploy XMRig miners to mine Monero.

"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," Cisco Talos security researcher Vanja Svajcer said.

FreakOut's developers have been working since early May, when the botnet's activity unexpectedly skyrocketed, to improve the malware's spreading capabilities.

FreakOut bots scan for new systems, either by generating network ranges at random or by following instructions from their operators sent over IRC from the command-and-control server. For every IP address in the scan lists, the bot tries one of its built-in exploits or attempts to log in using a hard-coded list of SSH passwords.

VMware vulnerabilities have also been exploited in past ransomware attacks on business networks. As Cisco Talos disclosed, FreakOut's operators have also been constantly experimenting with different malicious payloads, including bespoke ransomware.

"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems," Svajcer added. 

"Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems."

VMware Patches a Vulnerability in Carbon Black Cloud Workload

 

A major security vulnerability in the VMware Carbon Black Cloud Workload appliance allows an attacker to gain root access and most of the solution's administrative rights. The recently identified vulnerability, tracked as CVE-2021-21982 with a CVSS score of 9.1, lies in the appliance's administrative interface and exists because an intruder can bypass authentication by manipulating a URL on that interface. VMware Carbon Black Cloud Workload is the security platform that protects virtual servers and workloads on VMware's vSphere; vSphere is VMware's virtualization platform for cloud computing.

As per the statement made by VMware last week, the problem is caused by inaccurate URL handling. “A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” the company noted. “An adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.” 

In turn, the intruder would gain access to the appliance's management API. Once logged in as an admin, the intruder could also view and change administrative configuration settings. The attacker might then carry out several further attacks, including code execution, disabling security monitoring, or enumerating the virtual instances in the private cloud, and more, depending on what tooling the organization has deployed in the environment.

“A malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance may be able to obtain a valid authentication token, granting access to the administration API of the appliance,” VMware notes in an advisory. 

Organizations use VMware's Carbon Black Cloud Workload to protect workloads in virtualized environments; it offers vulnerability assessment, antivirus and threat detection tools.

Egor Dimitrenko, a Positive Technologies researcher credited with discovering the vulnerability, says that an intruder could use the bug to execute arbitrary code on the server. “Remote Code Execution is a critical vulnerability that gives an attacker unlimited opportunity to perform any attack to company infrastructure,” Dimitrenko underlines.

The researcher explains that the VMware Carbon Black Cloud Workload admin panel should not normally be reachable from the Internet, but notes that misconfigurations can expose it. He adds that organizations can deploy remote-access tools inside the internal network instead.

To address the vulnerability, VMware released version 1.0.2 of the VMware Carbon Black Cloud Workload appliance last week and is urging customers to apply the update to stay secure. It also recommends network controls that restrict access to the appliance's admin interface. On Friday, the Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory to warn of the vulnerability and raise awareness that patches are available.