
Misconfiguration Identified in Google Cloud Platform


A misconfiguration discovered in the Google Cloud Platform could allow threat actors to gain complete control over virtual machines by abusing legitimate features of the system, researchers at Mitiga, a cloud incident response firm, stated.

Mitiga uncovered the misconfiguration several months ago while examining Compute Engine, the virtual machine (VM) service of Google Cloud Platform (GCP). The cloud incident response vendor identified a misconfiguration that allowed attackers to send and receive data from the VM and possibly gain complete control over the system. However, Mitiga emphasizes that this is not a security loophole or system error; it describes it as a "dangerous functionality".

Mitiga notes that malicious actors could abuse a metadata API method named "getSerialPortOutput", which is used to track and read serial port output. The researchers described the API call as a "legacy method of debugging systems", as serial ports are not ports in the TCP/IP sense but rather files of the form /dev/ttySX on Linux.

"We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw," Andrew Johnston, principal consultant at Mitiga, stated. 

After Mitiga reported the findings, Google agreed that the misconfiguration could be exploited to bypass firewall settings. Mitiga proposed two changes to Google for the getSerialPortOutput function: restricting its use to higher-tier permission roles, and allowing organizations to disable any additions or alterations of VM metadata at runtime.
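As an added, defender-side illustration of the two recommendations above (not Mitiga's or Google's code): a small triage routine over Cloud Audit Log entries that flags serial-port reads and runtime metadata changes made by callers outside an admin allowlist. It assumes Compute Engine calls are logged under "v1.compute.instances.<method>" names and uses constructed log entries.

```python
import json

# Audit-log method names for the two operations Mitiga asked Google to restrict.
# Assumption: Cloud Audit Logs record Compute Engine calls under these names
# (the "v1.compute.instances.<method>" form); verify against your own logs.
WATCHED_METHODS = {
    "v1.compute.instances.getSerialPortOutput": "serial-port read",
    "v1.compute.instances.setMetadata": "runtime metadata change",
}


def flag_suspicious_calls(log_lines, allowed_principals):
    """Return (principal, instance, description) for every watched call made
    by a caller outside allowed_principals. Malformed lines are skipped."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if method not in WATCHED_METHODS:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        if principal in allowed_principals:
            continue
        instance = payload.get("resourceName", "?").rsplit("/", 1)[-1]
        findings.append((principal, instance, WATCHED_METHODS[method]))
    return findings


# Constructed sample entries (not real log data); all values are placeholders.
DEV_SA = "dev-sa@example-project.iam.gserviceaccount.com"
RES = "projects/example-project/zones/us-central1-a/instances/"
SAMPLE_LOGS = [
    json.dumps({"protoPayload": {"methodName": "v1.compute.instances.getSerialPortOutput",
                "authenticationInfo": {"principalEmail": DEV_SA}, "resourceName": RES + "web-1"}}),
    json.dumps({"protoPayload": {"methodName": "v1.compute.instances.setMetadata",
                "authenticationInfo": {"principalEmail": "admin@example.com"}, "resourceName": RES + "web-1"}}),
    json.dumps({"protoPayload": {"methodName": "v1.compute.instances.setMetadata",
                "authenticationInfo": {"principalEmail": DEV_SA}, "resourceName": RES + "db-1"}}),
    json.dumps({"protoPayload": {"methodName": "v1.compute.instances.list",
                "authenticationInfo": {"principalEmail": DEV_SA}}}),
    "not json",
]

if __name__ == "__main__":
    for principal, instance, what in flag_suspicious_calls(SAMPLE_LOGS, {"admin@example.com"}):
        print("ALERT: %s performed %s on %s" % (principal, what, instance))
```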

Additionally, the company advised Google to revise its GCP documentation to clarify that firewalls and other network access controls do not fully restrict access to VMs. However, Google disagreed with the majority of the recommendations.

"After a long exchange, Google did ultimately concur that certain portions of their documentation could be made clearer and agreed to make changes to documentation that indicated the control plane can access VMs regardless of firewall settings. Google did not acknowledge the other recommendations nor speak to specifics regarding whether a GCP user could evade charges by using the getSerialPortOutput method," Johnston wrote in the report.

AvosLocker Ransomware New Variant Targets Linux Systems and ESXi Servers


The AvosLocker ransomware gang has added AvosLinux to its arsenal for encrypting Linux systems, specifically targeting VMware ESXi virtual machines. Although no details are available regarding the targeted companies or institutions, it is alleged that at least one victim received a $1 million ransom demand.

A few months ago, the AvosLocker gang was also spotted advertising its latest ransomware variants, Windows Avos2 and AvosLinux, while warning affiliates against attacking post-Soviet/CIS targets. "Our new variants (avos2 / avoslinux) have the best of both worlds to offer: high performance & high amount of encryption compared to its competitors," the gang said.

Upon installation on a Linux system, AvosLocker terminates ESXi virtual machines on the server using the following command:

esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'

Once it starts operating on a compromised device, the ransomware appends the .avoslinux extension to all encrypted files. It also drops ransom notes asking victims not to shut down the computer, to avoid file damage, and to visit the Tor site that contains the information about paying the ransom.
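Two defender checks for the behaviour described in the preceding paragraphs (the forced kill of all ESXi VMs and the .avoslinux extension), added here as an example and not AvosLocker's or any vendor's code: the first flags ESXi shell-log lines that both enumerate and force-kill VMs, the second measures how much of a datastore listing carries the ransom extension. The shell-log format is assumed to resemble ESXi's /var/log/shell.log, and all log lines and paths are constructed.

```python
import re
from collections import Counter

# A forced VM kill driven from a 'vm process list' enumeration is the article's
# kill-every-VM pattern; a legitimate admin rarely does both in one command line.
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\s+--type=force")
LIST_RE = re.compile(r"esxcli\b.*\bvm\s+process\s+list")
RANSOM_EXT = ".avoslinux"


def find_mass_vm_kills(shell_log_lines):
    """Return the shell-log lines that both enumerate and force-kill VMs."""
    return [line for line in shell_log_lines
            if KILL_RE.search(line) and LIST_RE.search(line)]


def ransom_extension_ratio(paths, ext=RANSOM_EXT):
    """Return (fraction of paths carrying the ransom extension, per-directory
    hit counts); a fraction near 1.0 for a datastore means it was encrypted."""
    hits = [p for p in paths if p.endswith(ext)]
    per_dir = Counter(p.rsplit("/", 1)[0] for p in hits)
    return (len(hits) / len(paths) if paths else 0.0), per_dir


# Constructed sample data (not real logs); format assumed to resemble
# ESXi's /var/log/shell.log: "<timestamp> shell[<pid>]: [<user>]: <command>".
AVOS_CMD = ("esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" "
            "vm process list | tail -n +2 | awk -F $',' "
            "'{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'")
SAMPLE_SHELL_LOG = [
    "2021-12-10T03:12:01Z shell[2190]: [root]: esxcli vm process list",
    "2021-12-10T03:12:09Z shell[2190]: [root]: " + AVOS_CMD,
    "2021-12-10T03:13:00Z shell[2190]: [root]: esxcli vm process kill --type=soft --world-id=12345",
]
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web-1/web-1.vmdk.avoslinux",
    "/vmfs/volumes/ds1/web-1/web-1.vmx.avoslinux",
    "/vmfs/volumes/ds1/db-1/db-1.vmdk.avoslinux",
    "/vmfs/volumes/ds1/README_FOR_RESTORE.txt",
]

if __name__ == "__main__":
    for line in find_mass_vm_kills(SAMPLE_SHELL_LOG):
        print("ALERT mass VM kill:", line)
    ratio, per_dir = ransom_extension_ratio(SAMPLE_PATHS)
    print("%.0f%% of sampled files carry %s; by directory: %s" % (ratio * 100, RANSOM_EXT, dict(per_dir)))
```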

The AvosLocker ransomware-as-a-service operation was first identified during the summer of 2021, and its attacks surged between November and December. In a recent wave of attacks, AvosLocker ransomware has been rebooting systems into Windows Safe Mode for easier device management and more efficient resource usage.

By targeting virtual machines, ransomware authors also benefit from easier and faster encryption of multiple servers with a single command. Since October 2021, Hive ransomware has been encrypting Linux and FreeBSD systems with new malware variants, only months after cybersecurity researchers uncovered a REvil ransomware Linux encryptor targeting VMware ESXi virtual machines.

According to Emsisoft CTO Fabian Wosar, multiple ransomware operators including Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty, have also designed and used their own Linux encryptors. "The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically," Wosar explained. 

HelloKitty and BlackMatter ransomware Linux variants were also identified in the wild by security experts in July and August, further validating Wosar's statement. The Snatch and PureLocker ransomware operations have also been observed using Linux encryptors in the past.