Broadcom Urges VMware Customers to Address Zero-Day Vulnerabilities

Broadcom, a leading American semiconductor company and now the owner of VMware, has issued a critical alert to all virtualization software customers, urging them to take immediate action against discovered zero-day vulnerabilities affecting VMware’s Fusion, Workstation, and ESXi products. These security flaws have the potential to be exploited by cybercriminals, posing a significant risk to systems across the globe.

The alert comes after Microsoft’s Threat Intelligence Center (MSTIC) flagged the vulnerabilities, which could allow attackers to gain administrative privileges and exploit sensitive applications within VMware environments. This breach could potentially provide hackers with full access to vital systems, putting businesses and their data at considerable risk.

VMware has faced its share of challenges in recent years, with various security flaws and data breaches making headlines. While the company has consistently worked to patch these vulnerabilities and mitigate risks, the repeated news coverage about such issues could harm its reputation, particularly in the highly competitive virtualization market.

Despite these setbacks, VMware has remained committed to releasing timely security fixes, which help maintain customer trust and address concerns about product security and privacy. As the company continues to strive for better security practices, stakeholders will be hoping that VMware can avoid making headlines for the wrong reasons in the future.

Microsoft Issues Critical Update on Silk Typhoon Cyber Threat

In a major cybersecurity development, Microsoft has issued an important update regarding the cyber-espionage group known as Silk Typhoon (not to be confused with Salt Typhoon). This group, believed to be based in China, has been actively targeting the U.S. Treasury and telecommunications sectors, successfully infiltrating multiple major telecom companies in North America.

Reports suggest that the group has now expanded its focus, targeting small to mid-sized IT firms that offer cloud applications and IT management tools. Silk Typhoon is also shifting its tactics to focus on supply chain vulnerabilities, which could allow it to compromise additional victims through interconnected systems.

The Microsoft Threat Intelligence teams were the first to detect these intrusions and have issued multiple warnings to the public regarding the group’s methods. The attack strategies employed by Silk Typhoon include stealing access keys and credentials, which enable the group to infiltrate networks and launch further exploits. These attacks primarily target applications within the Microsoft ecosystem, including Microsoft Office and other related services, allowing attackers to leverage these tools for malicious purposes.

The group’s targets have largely consisted of IT businesses, especially those providing cloud services, remote monitoring tools, and managed service providers. These organizations are critical to large-scale industries, such as manufacturing, where IT systems control essential machinery. As the cyber-espionage group continues to broaden its scope, businesses across multiple sectors must remain vigilant to the growing threats posed by Silk Typhoon and similar actors.

The post Broadcom issues VMware patch alert and Microsoft Silk Typhoon Cyber Threat appeared first on Cybersecurity Insiders.

Smith Engineering Group Hit by Ransomware Attack

Smith Group Plc, a multinational engineering giant based in Britain, has issued a public statement confirming that it was recently targeted by a ransomware attack. The breach was detected and contained in time by the company’s IT team, preventing any further damage. However, the company is still in the process of investigating the full extent of the attack, including which systems were affected and, crucially, identifying the cybercriminals behind it.

Although the company has yet to formally label the incident as a ransomware attack, it did acknowledge unauthorized access to its internal computer network. Smith Group has pledged to provide more information as its investigation progresses, emphasizing its commitment to transparency and security.

In the wake of the breach, Smith Group’s share value took a significant hit, dropping by 2.3% in early trading. This is a stark reminder that even major multinational corporations like Smith Group are not immune to the disruptive power of cybercrime. While the company is working diligently to minimize the damage, incidents like this can have long-lasting effects on business operations and investor confidence. For smaller companies, such cyber attacks can be financially devastating, sometimes pushing them to the brink of closure. Even for large firms, the ripple effects on reputation, operations, and financial performance can linger long after the immediate crisis is over.

Akira Ransomware Targets VMware ESXi Servers

The notorious Akira ransomware group has resurfaced, this time targeting VMware, a leading provider of virtualization software, by exploiting vulnerabilities in its ESXi server infrastructure. This particular strain of ransomware is uniquely sophisticated, having been developed using the Rust programming language, which allows it to operate seamlessly within Linux environments. The use of Rust makes it harder for traditional cybersecurity measures to detect and neutralize the malware before it spreads.

VMware’s ESXi servers are used globally by thousands of organizations, making them a prime target for cybercriminals. These servers host millions of applications and critical business functions across the globe, so infecting them not only boosts the chances of widespread infection but also increases the likelihood of securing a ransom payout from victims.

The best defense against ransomware attacks of this nature is a robust backup strategy. Relying on secure, offline backups can help organizations restore their data without succumbing to the demands of the attackers. Furthermore, companies should report such incidents to law enforcement agencies, who have the resources and expertise to track down cybercriminals on the dark web and prevent the stolen data from being leaked. Paying the ransom is never recommended, as it doesn’t guarantee the safe return of encrypted files and only fuels the cycle of cybercrime.

New York Blood Center Falls Victim to Ransomware

The New York Blood Center Enterprises (NYBC), a vital healthcare provider responsible for collecting and distributing blood to hospitals across the region, has become the latest victim of a ransomware attack. While the specific cybercriminal group responsible for the attack has not yet been confirmed, reports suggest that the Interlock ransomware gang could be behind the breach.

Ransomware attacks on healthcare organizations are particularly alarming, as they pose a direct threat to patient safety. The encryption of critical systems within hospitals and blood banks can delay or disrupt essential services, potentially jeopardizing lives. In this case, it remains unclear how the attack has affected the NYBC’s operations, but historically, such attacks can lead to significant delays in inventory management and supply chains. With digital systems controlling blood stocks and tracking demand, the attack may cause disruptions that become apparent only days or weeks later.

The repercussions of such an attack could be severe. Not only are these organizations facing potential financial and operational damage, but they also risk becoming targets for future attacks as cybercriminals increasingly see the healthcare sector as a profitable avenue for exploitation.

Conclusion

In summary, these high-profile ransomware attacks serve as a stark reminder of the growing threat posed by cybercriminals across various industries. The scale and sophistication of these attacks are increasing, and the impact on businesses, healthcare providers, and other critical sectors can be devastating. Organizations must take proactive steps to strengthen their cybersecurity measures, including regular backups, employee training, and collaboration with law enforcement agencies to prevent, detect, and mitigate such threats.

The post Ransomware news trending on Google appeared first on Cybersecurity Insiders.

Until now, attackers have mostly targeted Windows and Linux machines. Now they appear to be encrypting virtual machines on a massive scale by exploiting a vulnerability in VMware ESXi software.

The vulnerability, identified as CVE-2024-37085, has been rated 7 out of 10 on the severity scale. It serves as a gateway for attackers to gain access to Active Directory and subsequently encrypt virtual machines extensively. This has led to a surge in ransomware attacks and large-scale data exfiltration.

Notable ransomware groups, including Evil Corp, Octo Tempest, Black Basta, and Akira, have previously leveraged ESXi machines in their attacks. However, the current situation is more severe, with hackers increasingly targeting Active Directory systems in bulk.

Broadcom, a major player in enterprise security, has released a fix for this vulnerability. While the company has provided general mitigation advice, including keeping systems updated, enforcing multi-factor authentication, enabling passwordless authentication, and ensuring robust backup and recovery plans, it has not delved deeply into how attackers are compromising ESXi hypervisors.

For context, Broadcom acquired VMware, the virtualization software giant, in May 2022 for $68 billion, with the deal officially closing in November 2023.

It’s also worth noting that in early June 2024, the APT Inc group (formerly known as SEi ransomware) collaborated with the Play Ransomware group and the notorious automation tool Prolific Puma. This collaboration targeted ESXi environments, leveraging automated domain registration with shortened links for their attacks.

The post VMware vulnerability leads ransomware to encrypt mass virtual machines appeared first on Cybersecurity Insiders.

Recently, a notorious ransomware group previously known as SEi Ransomware has rebranded itself as APT Inc., setting its sights on VMware ESXi servers worldwide, particularly in corporate environments. This campaign predominantly targets Linux-based systems using the Babuk Encryptor, while Windows environments are hit with the LockBit 3.0 encryptor.

The activity reportedly began in February 2024 but drew significant attention when a Chilean ISP experienced all its VMware servers hosted on IxMetro Powerhost becoming inaccessible due to malware.

Curiously, the malware encrypts only virtual disks, storage, and backed-up images intended for duplication, leaving other operating system files untouched.

A recent Reddit discussion has sparked interest in why the APT Inc. ransomware group focuses exclusively on VMware servers. Among the insights shared, one white hat hacker suggested that vulnerabilities stemming from misconfigurations make VMware servers prime targets for causing substantial damage to hosting data centers. Another user noted the assured rewards for breaching VMware servers as a motivating factor for threat actors.

It’s worth noting that this isn’t the first time virtualization software has been targeted. Last year, Chinese hackers identified as UNC3886 exploited a zero-day flaw in ESXi servers multiple times to steal sensitive information.

Victims should report to law enforcement as soon as they are hit: doing so helps the authorities alert other organizations to the lurking threat and can give investigators the time they need to develop a decryption key.


The post SEi Ransomware targets VMware ESXi servers as APT Inc appeared first on Cybersecurity Insiders.

Agenda Ransomware targets VMware servers

A new variant of ransomware known as Agenda Ransomware has emerged in the cyber threat landscape and has swiftly made its mark by targeting VMware ESXi servers worldwide. This variant, suspected to be a recent addition to the malware arsenal, has been active since 2022, causing concern among cybersecurity experts.

Previously recognized under monikers such as Qilin or Water Galura, this particular strain of file-encrypting malware has primarily set its sights on servers operating within critical sectors like manufacturing, healthcare, and education. The impact has been felt notably in countries such as Canada, Argentina, the United States, Australia, Colombia, Indonesia, and India.

Findings from a study conducted by Trend Micro shed light on the modus operandi of this malicious software. It exploits Remote Monitoring and Management Tools like Cobalt Strike to infiltrate target systems. Once inside, it meticulously analyzes the infected device before deploying its ransomware payload, particularly focusing on VMware vCenter and ESXi servers.

Security analysts emphasize the critical importance for organizations to remain vigilant in the face of such threats. Key measures include closely monitoring administrative privileges, maintaining up-to-date software patches, conducting regular system scans, and educating employees about emerging cybersecurity risks. Additionally, maintaining secure backup data and implementing proactive measures against social engineering attacks are strongly advised.

It’s imperative to dispel the misconception that malware attacks are confined solely to Windows environments. The reality is that virtual and Linux environments are equally susceptible, as evidenced by the activities of Agenda Ransomware.

Over 17,000 Microsoft Exchange Servers in Germany are vulnerable to Cyber Attacks

According to a statement released by the German Federal Office for Information Security (BSI), over 12% of approximately 45,000 Microsoft Exchange Servers are deemed vulnerable to cyber attacks. The BSI has sounded the alarm, attributing this vulnerability to the use of outdated software and hardware that has lacked support for the past 8-10 years.

The root cause of this vulnerability trend lies in the absence of software security updates for these servers, many of which are nearing obsolescence. While the responsibility lies with software companies to issue security patches, the onus also falls on individuals and organizations to deploy these updates within their environments. While auto-updates offer a convenient solution, some administrators opt for manual updating procedures due to security concerns.

The post Agenda Ransomware Targeting VMware and 17k Microsoft Exchange servers vulnerable to cyber attacks appeared first on Cybersecurity Insiders.

VMware has recently made headlines on Google News due to ransomware attacks targeting the company. This development has left its customers feeling uneasy and prompted them to search for alternative products that are more secure.

The increasing licensing costs have only intensified the quest for alternative virtualization software. Customers are now grappling with the perception that the expenses associated with VMware outweigh the benefits. In fact, a staggering 77% of respondents have expressed reservations about entering into future agreements with the software giant.

VergeIO, a company that has dedicated resources to investigating the impact of rising costs associated with VMware software, has revealed in its report that renewal quotes and licensing agreements based on a “Per-Core” model are expected to decline in the coming year. The growing expenditure on this software is causing additional strain on annual IT budgets.

Remarkably, the quality of customer support provided by VMware has also come under scrutiny, with 66% of users expressing dissatisfaction with the current technical support. They feel that the service levels offered by customer support leave much to be desired.

Furthermore, a significant 70% of survey participants admitted that the rising costs were anticipated, especially after VMware officially announced its acquisition by Broadcom in April 2022.

Now, the burning question is whether VMware customers can swiftly find a suitable replacement.

Unfortunately, it’s not that simple. The Palo Alto-based company offers computer software compatible with MS Windows, Linux, and MacOS that is renowned for its excellence and compatibility with in-house hardware. This reputation persists even after VMware garnered attention for the Log4shell vulnerability, which was exploited by the Lazarus hacking group early this year.

The post VMware customers anxious about ransomware threats appeared first on Cybersecurity Insiders.

The victim shaming website operated by the cybercriminals behind 8Base (currently one of the more active ransomware groups) was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of the website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.

The 8Base ransomware group’s victim shaming website on the darknet.

8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.

The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are *sending* information to the site (i.e., by making a “POST” request).

However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:

The verbose error message when one tries to pull data from 8Base’s darknet site. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.

That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.

But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab server called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this Gitlab account, we can find some curious data points available in the JCube Group’s public code repository.

For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED, and KYC_PENDING).

This is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8Base FAQ refers to this vetting process as “KYC,” which typically stands for “Know Your Customer.”

“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC procedure to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”

The 8Base FAQ (left) and the KYC code in Kolev’s Gitlab account (right)

The 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”

The login page on the 8Base ransomware group’s darknet website.

Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.

It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named Andrei Kolev. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s currently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev.

The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru.

Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.

“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually we currently have just our own projects.”

Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted the image he’d shared. However, KrebsOnSecurity captured a copy of it before it was removed:

A screenshot of Mr. Kolev’s current projects that he quickly deleted.

Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:

Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.

Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is merely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.

The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, a legitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.

“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” Steve said.
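The “development mode” the researcher describes corresponds, in a Laravel application, to the APP_DEBUG and APP_ENV settings in the app’s .env file: with APP_DEBUG=true the framework renders a full stack-trace page on any unhandled error, which is the kind of page that exposed the server address and the Gitlab link above. The shell script below is an added example, not code from this article, from 8Base or from JCube Group. It audits a .env file for that weak setting next to the hardened one, so a deployment check can catch it before the site goes live. The function names and the two sample .env files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit a Laravel .env file for the
# settings that turn on verbose error pages. Laravel reads APP_ENV and
# APP_DEBUG from .env; APP_DEBUG=true renders stack traces with server
# details to every client. APP_ENV=production + APP_DEBUG=false is the
# expected hardened pair.

# Read one key's value from a dotenv file. Last definition wins; trailing
# comments, surrounding quotes and trailing whitespace are stripped.
# This parser is deliberately minimal (no multi-line values, and a '#'
# inside a value is treated as a comment), which is enough for these keys.
#   $1 = file, $2 = key
dotenv_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
        | tr -d "\"'"
}

# Returns 0 when the file is safe for production, 1 when debug output would
# be exposed. Prints one FINDING line per problem.
check_laravel_env() {
    file=$1
    app_env=$(dotenv_get "$file" APP_ENV)
    app_debug=$(dotenv_get "$file" APP_DEBUG)
    rc=0
    # Conservative superset of the strings Laravel/PHP treat as true.
    case "$app_debug" in
        true|TRUE|True|1|yes|on)
            echo "FINDING: $file: APP_DEBUG=$app_debug exposes stack traces and server details"
            rc=1 ;;
    esac
    case "$app_env" in
        production) ;;
        *)
            echo "FINDING: $file: APP_ENV=${app_env:-<unset>} (expected production)"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (hypothetical, not from any real deployment).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_ENV="$WORKDIR/dev.env"
SAFE_ENV="$WORKDIR/prod.env"

cat > "$WEAK_ENV" <<'EOF'
APP_NAME=Laravel
APP_ENV=local
APP_DEBUG=true   # left over from development
APP_URL=http://localhost
EOF

cat > "$SAFE_ENV" <<'EOF'
APP_NAME=Laravel
APP_ENV="production"
APP_DEBUG=false
APP_URL=http://localhost
EOF

# Usage: run both samples through the check when executed directly.
check_laravel_env "$WEAK_ENV" || echo "-> $WEAK_ENV would leak debug pages"
check_laravel_env "$SAFE_ENV" && echo "-> $SAFE_ENV is fine"
```

The script exits non-zero for the development-style file and zero for the production one, so it can gate a deploy pipeline. Checking the file on disk catches the misconfiguration without sending any request to the running site, which is the point: the leak in the article was visible to anyone who asked for it, and the fix is to never ship the debug setting in the first place.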

A recent blog post from VMware called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in Summer of 2023.

“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” VMware researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them.”

According to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly similar to that of another known cybercriminal group: RansomHouse.

“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery.”