REvil got a new target – ESXi VMs / PrintNightmare / Critical bug in NETGEAR routers

Welcome to the Xopero Security Center. Do you remember Dell’s and WD My Book NAS’ stories from last week? Can today’s topics beat them? Let’s find out. There is a new and disturbing trend in the cybercriminal world. More and more hacker groups are migrating towards ESXi virtual machines. Now REvil operators too have prepared a Linux encryptor that is able to encrypt virtual resources. A new PoC exploit also made its (accidental) debut on the internet. PrintNightmare, the new critical Windows RCE, runs at the highest privilege level. This means that it is capable of dynamically loading third-party binaries. As you can see, the problem is quite serious. There has also been a discussion about the critical vulnerabilities in NETGEAR routers which could be reliably abused as a jumping-off point to compromise a network’s security and gain unfettered access. We also have some bad news for LinkedIn users – a new database with 700 million records has just hit the black market. Details can be found below.

REvil ransomware’s new Linux encryptor targets ESXi virtual machines

The REvil ransomware group is using a Linux encryptor that targets and encrypts VMware ESXi virtual machines. But they are not the only ones. Operators such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty have also created Linux encryptors to target ESXi virtual machines.

With so many enterprise companies moving to virtual machines for easier backups, device management, and efficient use of resources, it’s no wonder that so many ransomware gangs increasingly create their own tools to mass encrypt storage used by VMs. 

The newest REvil ransomware Linux variant is an ELF64 executable and includes the same configuration options used by the more common Windows executable. This is the first known time the Linux variant has been publicly available since it was released.

When executing it on a server, a threat actor can specify the path to encrypt and enable a silent mode. When run on ESXi servers, it uses the esxcli command line tool to list all running ESXi virtual machines and terminate them. A specially crafted command is used to close the virtual machine disk (VMDK) files stored in the /vmfs/ folder so that the REvil ransomware can encrypt the files without them being locked by ESXi.

More problems on the horizon…

If a virtual machine is not correctly closed before its file is encrypted, the result can be data corruption. Then even a decryptor provided by the ransomware group is not going to work properly. But that is the victim’s problem, and one the admin will have to face… eventually.


PrintNightmare, a new critical Windows RCE whose PoC exploit was accidentally leaked

A proof-of-concept (PoC) exploit related to a remote code execution vulnerability affecting Windows Print Spooler and patched by Microsoft earlier this month was briefly published online before being taken down.

The Print Spooler vulnerability, identified as CVE-2021-1675, could grant remote attackers full control of vulnerable systems. The program manages the printing process in Windows, including loading the appropriate printer drivers and scheduling the print job for printing. That is why the flaw is so concerning – the Print Spooler commands run at the highest privilege level and can dynamically load third-party binaries.

Codename “PrintNightmare”

The Windows maker addressed the vulnerability as part of its Patch Tuesday update on June 8, 2021. But almost two weeks later, Microsoft revised the flaw’s impact from an elevation of privilege to remote code execution (RCE) and upgraded the severity level from Important to Critical. During this time, the Hong Kong-based cybersecurity company Sangfor published a deep dive into the vulnerability, along with fully working PoC code, on GitHub, where it remained publicly accessible before it was taken offline a few hours later.

Successful exploitation of CVE-2021-1675 could open the door to complete system takeover by remote adversaries. But it is possible that the fix released by Microsoft in June does not completely remediate the root cause of the bug, raising the possibility that it is a zero-day flaw still in need of a patch. Based on this, we also recommend that administrators disable the Windows Print Spooler service on Domain Controllers and on systems that do not print.
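One way to act on that recommendation, as an added example that is not part of the original post: a PowerShell script (assumed to run elevated on the host being checked) that reports the Print Spooler state, disables the service on Domain Controllers, and on other hosts lists the configured printers so an admin can decide; the `$Apply` switch and the `Get-SpoolerExposure` function name are this example’s own.

```powershell
# Added example, not from the original post. Run elevated on the host to check.
# Set $Apply to $false for a report-only run.
$Apply = $true

function Get-SpoolerExposure {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $spooler = Get-Service -Name Spooler
    # Get-Printer needs the PrintManagement module; fall back to an empty list
    $printers = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $printers = @(Get-Printer -ErrorAction SilentlyContinue)
    }
    [PSCustomObject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = ($role -in 4, 5)
        SpoolerStatus      = $spooler.Status
        SpoolerStartType   = $spooler.StartType
        PrinterCount       = $printers.Count
        PrinterNames       = ($printers | ForEach-Object { $_.Name }) -join ', '
    }
}

$state = Get-SpoolerExposure
$state | Format-List

if ($state.IsDomainController) {
    if ($Apply) {
        # Stop the service now and keep it from starting on reboot
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Host "Print Spooler stopped and disabled on DC $($state.Computer)"
    } else {
        Write-Host "DC detected: would stop and disable Print Spooler (report-only run)"
    }
} elseif ($state.PrinterCount -eq 0) {
    Write-Host "No printers configured: this host is a candidate for disabling the Spooler"
} else {
    # Built-in virtual printers (e.g. Microsoft Print to PDF) count here too,
    # so review the list before treating the host as a printing system.
    Write-Host "Host has $($state.PrinterCount) printer(s): review before disabling"
}
```

Running the script across servers with the switch set to `$false` first gives an inventory of where the Spooler is still enabled before any change is made.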


Microsoft discloses critical bugs allowing NETGEAR router takeover

Microsoft discovered critical security vulnerabilities affecting NETGEAR routers, which could be reliably abused as a jumping-off point to compromise a network’s security and gain unfettered access.

The security flaws impact DGN2200v1 series routers running firmware versions before v1.0.0.60, devices that are compatible with all major DSL Internet service providers.

They allow unauthenticated attackers to access unpatched routers’ management pages via authentication bypass, gain access to secrets stored on the device and derive saved router credentials using a cryptographic side-channel attack.

Furthermore, after using the aforementioned authentication bypass to fetch the configuration file, the researchers found that the credentials were encrypted with a constant key, which can then be used to recover the plaintext password and user name.

The security issues were discovered by Microsoft’s researchers while reviewing Microsoft Defender for Endpoint’s new device discovery fingerprinting capabilities after noticing that a DGN2200v1 router’s management port was being accessed by another device on the network.

NETGEAR has fixed the vulnerabilities, with CVSS base scores ranging from high to critical severity, and has published a security advisory with additional details in December.

To download and install the patched firmware for your NETGEAR router, you have to:

  1. Visit the NETGEAR support webpage.
  2. Start typing your model number in the search box, then select your model as it appears, or select a product category to browse for your product model.
  3. Click Downloads.
  4. From Current Versions, select the download with a title beginning with Firmware Version.
  5. Confirm Download.
  6. Follow the further instructions and install the new firmware.


Data for 700M LinkedIn users posted for sale on hacker forum

Oops, it happened again. First, in April, 500 million LinkedIn users were affected in a data-scraping incident. Now, a new posting with 700 million LinkedIn records has appeared on a popular hacker forum.

Analysts from Privacy Sharks stumbled across the data put up for sale on RaidForums by a hacker calling himself “GOD User TomLiner.” The advertisement, posted June 22, claims that 700 million records are included in the cache, and includes a sample of 1 million records as “proof.”

The records include full names, gender, email addresses, phone numbers, and industry information. It is unclear what the origin of the data is, but scraping of public profiles is a likely source. That was the engine behind the collection of 500 million LinkedIn records that went up for sale in April.

There are 200 million more records in the collection this time around, so it is probable that new data has been scraped and that this is more than a rehash of the previous set of records, researchers added.

According to LinkedIn, no breach of its networks has occurred this time either. However, the company is still investigating the issue.

The good news is that credit card data, private message contents, and other sensitive information is not a part of the incident. However, with details such as email addresses and phone numbers made available, LinkedIn users could become the target of spam campaigns, or worse still, victims of identity theft. There are also potential brute-force attacks to be concerned about. And finally, the data could be a social-engineering goldmine.

LinkedIn users should be cautious and suspicious of any questionable messages or actions. They should also update their LinkedIn passwords and enable two-factor authentication.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Mercedes Benz Data Leak Includes Card and Social Security Details (Infosecurity Magazine)
2. The builder for Babuk Locker ransomware was leaked online (Security Affairs)
3. Microsoft successfully hit by dependency hijacking again (Bleeping Computer)
4. NVIDIA Patches high-severity GeForce spoof-attack bug (Threat Post)
5. Details of RCE bug in Adobe Experience Manager revealed (Threat Post)
6. SolarWinds hackers remained hidden in Denmark’s central bank for months (Security Affairs)
7. Salvation Army hit by ransomware attack (Infosecurity)
8. Trickbot cybercrime group linked to new Diavol ransomware (Bleeping Computer)
9. GitHub unveils AI tool to speed development, but beware insecure code (Dark Reading)
10. Lorenz ransomware victims can now recover files with this free decryption tool (ZDNet)