Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the accelerated-mobile-pages domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /www/cisomagcom_810/public/wp-includes/functions.php on line 6121

Deprecated: Optional parameter $options declared before required parameter $ad is implicitly treated as a required parameter in /www/cisomagcom_810/public/wp-content/plugins/advanced-ads/classes/display-conditions.php on line 208

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the easy-digital-downloads domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /www/cisomagcom_810/public/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the edd_cfm domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /www/cisomagcom_810/public/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the edds domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /www/cisomagcom_810/public/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the edd-recurring domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /www/cisomagcom_810/public/wp-includes/functions.php on line 6121

Deprecated: Optional parameter $params declared before required parameter $secretWord is implicitly treated as a required parameter in /www/cisomagcom_810/public/wp-content/plugins/edd-2checkout/sdk/lib/Twocheckout/TwocheckoutReturn.php on line 6

Deprecated: Optional parameter $insMessage declared before required parameter $secretWord is implicitly treated as a required parameter in /www/cisomagcom_810/public/wp-content/plugins/edd-2checkout/sdk/lib/Twocheckout/TwocheckoutNotification.php on line 6

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the edd-recurring domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /www/cisomagcom_810/public/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the Newsmag domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /www/cisomagcom_810/public/wp-includes/functions.php on line 6121

Warning: Cannot modify header information - headers already sent by (output started at /www/cisomagcom_810/public/wp-includes/functions.php:6121) in /www/cisomagcom_810/public/wp-content/themes/Newsmag/functions.php on line 616

Warning: Cannot modify header information - headers already sent by (output started at /www/cisomagcom_810/public/wp-includes/functions.php:6121) in /www/cisomagcom_810/public/wp-includes/feed-rss2.php on line 8
VMWare vulnerabilities Archives - CISO MAG | Cyber Security Magazine Beyond Cyber Security Wed, 03 Feb 2021 13:55:03 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.1 Ransomware Operators Exploit 2 CVEs in VMWare ESXi https://staging-cisomagcom.kinsta.cloud/vmware-esxi-vulnerabilities-exploited/ Wed, 03 Feb 2021 13:55:03 +0000 https://staging-cisomagcom.kinsta.cloud/?p=9844 Ransomware gangs are evolving every day. The latest trend suggests that they are after the backup servers or machines that contain backed up data. Why? Because once these are compromised, their victims have no option but to pay the ransom. With a purview of this trend, ransomware operators are said to be exploiting two previously […]

The post Ransomware Operators Exploit 2 CVEs in VMWare ESXi appeared first on CISO MAG | Cyber Security Magazine.

]]> Ransomware gangs are evolving every day. The latest trend suggests that they are after the backup servers or machines that contain backed up data. Why? Because once these are compromised, their victims have no option but to pay the ransom. With a purview of this trend, ransomware operators are said to be exploiting two previously known vulnerabilities in VMWare ESXi logged under CVE-2019-5544 and CVE-2020-3992 to target their victims’ virtual hard disks.

The Two VMWare ESXi Vulnerabilities

In October 2020, a Reddit user reported a ransomware attack that encrypted nearly 200 virtual machines (VMs) at the datastore level in which a ransom note was found at the root of the datastores. The user further stated that since the VMWare ESXi management was not segregated from the VMs, and hence the attackers successfully encrypted the VMs.

Related News:

VMware Adds New Edge to its SASE Capabilities

Fast forward to January 2020. Another Reddit user found astounding evidence of Brazil’s Superior Justice Tribunal (SJT) being hit by a similar ransomware attack encrypting nearly 1,000 VMs with the exact ransom note. The sophistication of the attack was such that the attackers even went after disk backups. However, some old school tape backups remained untouched and saved the day for many.

On analyzing these attacks, researchers observed that in both the instances, the attackers used CVE-2019-5544 and CVE-2020-3992 vulnerabilities in VMware ESXi. ESXi is a solution that allows multiple virtual machines to share the same hard drive storage.

Dissecting the ESXi Ransomware Attack

The chronology of the ESXi ransomware attack:

  1. The attackers sent phishing emails to the target organization’s employees/users, of which three unknowingly fell prey by clicking and installing a Trojan.
  2. The attackers then escalated the privileges using CVE-2020-1472. The workstations had anti-virus protection, which at the time did not have this Trojan’s signature (it was released a few days later).
  3. The attackers gained access to hosts that had access to ESXi’s management subnet, as they already had Active Directory (AD) admin privileges.
  4. Without having to compromise vCenter, they were able to run arbitrary code on the ESXi hosts using CVE-2019-5544  or CVE-2020-3992.
  5. This led to the creation of an executable file (written in Python language) on ESXi hosts, which encrypted all the VMs.

Kaspersky, which named it as RansomEXX Trojan, gave a proof-of-concept of how this Trojan works. Click here for more info.

Remedial Measures

Researchers have found the following MD5 signatures in the attacks carried out, which all security teams need to note:

MD5 (svc-new/svc-new) = 4bb2f87100fca40bfbb102e48ef43e65MD5 (notepad.exe) = 80cfb7904e934182d512daa4fe0abbfbSHA1 (svc-new/svc-new) = 3bf79cc3ed82edd6bfe1950b7612a20853e28b0SHA1 (notepad.exe) = 9df15f471083698b818575c381e49c914dee69de

P.S.: svc-new/svc-new, a python script, was found inside the ESXi hosts, and the notepad.exe was found on the encrypted Windows servers.

But what if we told you that this ransomware can be avoided in the first place. Here are some suggestions:

  • Disable the VMware CIM Server (It is enabled by default).
  • Apply least privileges on your Active Directory administration.
  • Segregate Admin and Domain admin accounts on Active Directory.
  • Establish a Group Policy Object (GPO) set to log out users on inactivity instead of disconnecting them on remote desktop servers.
  • Keep and monitor audit trails of Domain Admin accounts.
  • Review backup routines. Have a master backup if possible and make sure they are segregated from regular backup. Even better, maintain an offsite read-only backup to make sure recovery is possible.
  • Constitute an isolated network for ESXi/vCenter, which needs to have its access audited, using a jump server.
  • Maintain IP access controls vCenter and ESXi.
  • Remove vCenter Active Directory integration and maintain distinct passwords.
  • Disable SSH on all ESXi hosts as a precautionary measure.
  • Implement usage of canary files monitored by a SIEM.
  • Use 2FA wherever possible, especially on admin accounts and high-priority accounts.
  • Patch Windows Servers, workstations, ESXi servers, backup servers, vCenter frequently. Review failed patch reports and report immediately to the said service provider to assure all functions are up to date.

Related News:

VMware Adds New Edge to its SASE Capabilities

The post Ransomware Operators Exploit 2 CVEs in VMWare ESXi appeared first on CISO MAG | Cyber Security Magazine.

]]>