Critical RCE flaw in VMware vCenter – fixed, so update now

After multiple proof-of-concept exploit scripts for a newly disclosed VMware RCE bug were published on GitHub, attackers started mass-scanning for vulnerable Internet-exposed servers. VMware has already patched the critical vulnerability, but thousands of unpatched vCenter servers are still reachable over the Internet. This is a serious problem, and it looks like the last safe moment to update. More information about the vCenter vulnerability can be found below.

6,700 VMware servers exposed to the critical RCE bug

Thousands of VMware vCenter Server systems are vulnerable to a newly reported critical remote code execution (RCE) flaw – and active scans for vulnerable machines have been detected already.

Exploiting it lets attackers take over unpatched vCenter servers and, from there, effectively the entire corporate network.

The vulnerability, tracked as CVE-2021-21972, affects the vRealize Operations (vROps) plugin of the vSphere Client (HTML5), a component of VMware vCenter Server. vCenter is usually deployed inside large enterprise networks as the centralized management console through which IT staff manage ESXi hosts and the virtual machines running on them. Making matters worse, the exploit for this bug (an unauthenticated file upload) is a one-line cURL request, which makes it easy even for low-skilled threat actors to automate attacks.

Because of the central role of a vCenter server inside corporate networks, the issue was rated critical (CVSS 9.8/10) and privately reported to VMware, which released official patches yesterday, on February 23, 2021.

As we said earlier, attackers are already scanning for vulnerable vCenter servers connected to the Internet. According to a Shodan query, more than 6,700 VMware vCenter servers are currently reachable from the Internet, and every one of them that has not been patched is open to a takeover attack. Multiple proof-of-concept exploit scripts have been published on GitHub, including one that can be configured for Windows and Linux targets.

Source

New Silver Sparrow malware infects 30,000 Macs for unknown purpose

Researchers from Red Canary, Malwarebytes, and VMware Carbon Black have found a new Mac malware, Silver Sparrow, that silently infected thousands of Mac devices for an unknown purpose. The malware exhibits unusual properties, including a component compiled natively for the new Apple M1 chip.

The malware has infected 29,139 Mac devices across 153 countries, with high volumes in the United States, the United Kingdom, Canada, France, and Germany.

Silver Sparrow has been distributed as two different files named ‘updater.pkg’ [VirusTotal] and ‘update.pkg’ [VirusTotal]. The only difference seen by Red Canary is that update.pkg includes both an Intel x86_64 and an Apple M1 binary, while updater.pkg only includes the Intel executable.

Unlike most macOS adware, which uses ‘preinstall’ and ‘postinstall’ scripts to execute commands or install further malware, Silver Sparrow uses JavaScript run through the macOS Installer’s JavaScript API to execute its commands. The use of JavaScript produces different telemetry, which makes it harder to detect the malicious activity based on command-line arguments alone.

Silver Sparrow under observation…

Using that JavaScript, Silver Sparrow creates shell scripts that communicate with the command-and-control servers, and LaunchAgent plist XML files that make launchd run those shell scripts periodically.

The LaunchAgent connects to the threat actor’s command-and-control server every hour to check for new commands, which the malware then executes.

While running, the malware checks for the presence of the ~/Library/._insu file and, if it is found, removes itself and all associated files. The researchers have not been able to determine what is meant to trigger this kill switch.
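The persistence and kill-switch behaviour described above can be hunted for with a few lines of Python. The script below is an added example written for this digest, not code from Red Canary or from the malware: it parses LaunchAgent plists, flags the traits the research describes (a shell interpreter launching a script from a user-writable Library path on an hourly StartInterval), checks for the ~/Library/._insu marker, and can sweep a real ~/Library/LaunchAgents directory. The two embedded plists are constructed for the example; the label, paths and script names in them are made up and are not Silver Sparrow’s real artifacts.

```python
import os
import plistlib

# Constructed sample LaunchAgent plists for this example. They are NOT the
# real Silver Sparrow files; labels, paths and script names are invented.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backupsync</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/BackupSync.app/Contents/MacOS/BackupSync</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>init_agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/Users/alice/Library/Application Support/agent_updater/agent.sh</string>
    </array>
    <key>StartInterval</key><integer>3600</integer>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

SHELL_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env"}


def program_arguments(agent):
    """Return the command line launchd would run for a parsed LaunchAgent dict."""
    if "ProgramArguments" in agent:
        return list(agent["ProgramArguments"])
    if "Program" in agent:
        return [agent["Program"]]
    return []


def analyze_agent(plist_bytes):
    """Return the list of Silver Sparrow-like traits found in one LaunchAgent plist."""
    agent = plistlib.loads(plist_bytes)
    args = program_arguments(agent)
    findings = []
    if args and args[0] in SHELL_INTERPRETERS:
        findings.append("launches a shell interpreter instead of a binary")
    if any(a.endswith(".sh") for a in args):
        findings.append("executes a shell script")
    if any(("/Users/" in a and "/Library/" in a) or a.startswith("~/Library/") for a in args):
        findings.append("script lives in a user-writable Library directory")
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= 3600:
        findings.append(f"runs every {interval} seconds")
    return findings


def is_suspicious(findings):
    """Three or more traits together is the pattern the research describes."""
    return len(findings) >= 3


def kill_switch_present(home):
    """Silver Sparrow removes itself when ~/Library/._insu exists."""
    return os.path.isfile(os.path.join(home, "Library", "._insu"))


def scan_launch_agents(home):
    """Analyze every plist under <home>/Library/LaunchAgents; returns {filename: findings}."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    results = {}
    if not os.path.isdir(agents_dir):
        return results
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(agents_dir, name), "rb") as fh:
            try:
                results[name] = analyze_agent(fh.read())
            except Exception as exc:  # corrupt or unexpected plist: still worth a look
                results[name] = [f"unparseable plist: {exc}"]
    return results


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_AGENT), ("suspicious", SUSPICIOUS_AGENT)):
        found = analyze_agent(blob)
        print(f"{label}: suspicious={is_suspicious(found)} {found}")
    home = os.path.expanduser("~")
    print("kill switch present:", kill_switch_present(home))
    for name, found in scan_launch_agents(home).items():
        if is_suspicious(found):
            print("REVIEW", name, found)
```

Run it on a Mac as the user whose LaunchAgents you want to review; the heuristic is deliberately loose (many legitimate agents use /bin/sh), so treat a hit as a prompt to read the script it points at, not as a verdict. The ._insu check is a one-off indicator tied to this strain and should not be relied on for anything else.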

After observing the malware for a week, Red Canary researchers did not see any further payload downloaded and executed by these hourly checks, so the malware’s real purpose remains a mystery.

The Intel and M1 Mach-O binaries bundled with Silver Sparrow appear to be placeholders for malware still in development: executing them only displays a window stating ‘Hello World’ or ‘You did it!’.

Following the discovery of this new strain of malware, Apple revoked the certificates of the developer accounts used to sign the packages, which prevents these packages from infecting new macOS machines. An Apple spokesperson was also keen to point out that “there is no evidence to suggest the malware they identified has delivered a malicious payload to infected users.”

Sources: 1, 2

Airplane maker Bombardier data posted on ransomware leak site following FTA hack

Canadian airplane manufacturer Bombardier has disclosed a security breach after some of its data was published on a dark web portal operated by the Clop ransomware gang. According to the company, the breach exposed employee, customer, and supplier data.

An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability in a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network.

It is believed that the attackers gained access via a zero-day vulnerability in Accellion FTA, a third-party file-transfer appliance used to host and share with customers and employees large files that can’t be sent via email. In a later press release, Accellion said that about 300 of its customers were running FTA servers, around 100 were attacked, and data was stolen from around 25 of them, Bombardier among them.

Data shared on the leak site included design documents for various Bombardier airplanes and plane parts. No personal data was published there, but the airplane maker is most likely livid that some of its private intellectual property is now being offered as a free download on the dark web.

Data from other FTA victims has already been published on the same site: geospatial data company Fugro, tech firm Danaher, Singapore’s largest telco Singtel, and US law firm Jones Day.

FireEye has linked the FTA hacking campaign and the subsequent extortion efforts to FIN11, a major cybercrime group that has had its fingers in various forms of cybercrime over the past years.

Source

Cybercriminals are exploiting BTC blockchain transactions to hide backup C&C server

Security researchers at Akamai have spotted a cryptomining botnet that abuses Bitcoin blockchain transactions to implement a backup mechanism for its C2. The technique makes the operators’ infrastructure resilient to takedowns by law enforcement: the blockchain cannot be seized or sinkholed.

The botnet operators used Redis server scanners to find installs that could be compromised to mine cryptocurrency. The infection chain begins with the exploitation of remote code execution (RCE) vulnerabilities affecting Hadoop YARN, Elasticsearch (CVE-2015-1427), and ThinkPHP (CVE-2019-9082).

In December 2020, the researchers discovered a BTC wallet address included in new variants of the miner, along with a URL for a wallet-checking API and bash one-liners. The wallet’s transaction data was fetched through that API and used to calculate an IP address, which the malware then uses as a fallback C2 to maintain persistence.

By fetching the wallet’s history via the API, the botnet operators obfuscate and back up configuration data on the blockchain, where nobody can remove it. The researchers noted that by pushing a small amount of BTC into the wallet, the operators can re-point infected systems that have been orphaned by a takedown: the values of the new transactions encode the new C2 address.
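The mechanism described in the last two paragraphs is easier to reason about with a worked encoding. The block below is an added example for this digest, not Akamai’s code and not the botnet’s actual scheme: it assumes that a public wallet-lookup API returns the address’s transactions newest first with amounts in satoshi, and that the IPv4 address is split across the two most recent payments (the older one carries the first two octets, the newer one the last two). The API response, the address and the amounts are constructed for the example. It shows both halves of the trick, the bot deriving its backup C2 and the operator working out what to pay to re-point orphaned bots.

```python
import ipaddress
import json

# Constructed sample of a wallet-lookup API response for the operator's
# address. The address, timestamps and amounts are invented; amounts are in
# satoshi and the list is newest first, as assumed for this example.
SAMPLE_API_RESPONSE = json.dumps({
    "address": "1ExampleNotARealBitcoinAddress",
    "txs": [
        {"time": 1609459200, "value": 6677},    # newest payment
        {"time": 1609372800, "value": 49320},   # second newest
        {"time": 1606780800, "value": 1000},    # older, ignored by the scheme
    ],
})


def satoshis_to_octets(value):
    """Split one payment amount (0..65535 satoshi) into two IPv4 octets."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"{value} satoshi does not fit in two octets")
    return value >> 8, value & 0xFF


def c2_from_wallet_history(api_json):
    """Bot side: derive the backup C2 IPv4 address from the two newest payments.

    Assumed scheme: the older of the two payments encodes octets 1-2, the newer
    one octets 3-4. Any further history is ignored, so the operator can rotate
    the address at will just by sending two new small payments.
    """
    txs = json.loads(api_json)["txs"]
    if len(txs) < 2:
        raise ValueError("need at least two transactions to recover an address")
    first_half = satoshis_to_octets(txs[1]["value"])    # older of the two
    second_half = satoshis_to_octets(txs[0]["value"])   # newest
    return str(ipaddress.IPv4Address(bytes(first_half + second_half)))


def payments_for_c2(ip):
    """Operator side: the two amounts (in satoshi, in sending order) that make bots resolve `ip`."""
    octets = ipaddress.IPv4Address(ip).packed
    first = (octets[0] << 8) | octets[1]
    second = (octets[2] << 8) | octets[3]
    return first, second


if __name__ == "__main__":
    backup = c2_from_wallet_history(SAMPLE_API_RESPONSE)
    print("bot resolves backup C2:", backup)
    print("operator pays (older, newer):", payments_for_c2(backup))
    print("to re-point bots to 203.0.113.7 pay:", payments_for_c2("203.0.113.7"))
```

The whole address costs the operator well under 0.002 BTC in two payments, which is why the researchers describe it as a cheap way to recover orphaned infections. From the defender’s side the useful observation is the opposite one: a server process that has no business with cryptocurrency querying a public blockchain explorer API is an egress anomaly worth alerting on, regardless of which address it looks up.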

Source

Do you have a thirst for knowledge? Here are ten more cybersecurity stories:

1. VC giant Sequoia Capital discloses data breach after failed BEC attack (Bleeping Computer)
2. Microsoft Releases Free Tool for Hunting SolarWinds Malware (Dark Reading)
3. Chinese hackers stole another NSA-linked hacking tool, research finds (CyberScoop)
4. Researcher Reports Vulnerability in Apple iCloud Domain (Dark Reading)
5. Heavily used Node.js package has a code injection vulnerability (Bleeping Computer)
6. Powerhouse VPN products can be abused for large-scale DDoS attacks (ZDNet)
7. Gamaredon – When nation-states don’t pay all the bills (Talos Intelligence)
8. Finnish IT services giant TietoEVRY discloses ransomware attack (Bleeping Computer)
9. Google Chrome rolls back FPS Meter changes after user complaints (Bleeping Computer)
10. 10K Microsoft Email Users Hit in FedEx Phishing Attack (Threatpost)