Critical VMware vulnerabilities / LockBit 2.0 recruits insiders / Super Duper Secure Mode in Microsoft Edge

Critical VMware vulnerabilities are not the only problem this virtualization software vendor faced last week. Do you remember the BlackMatter group that proclaimed itself the successor of REvil and that we warned you against in the last issue? It already has an encryption program targeting VMware ESXi. Today we also describe the unique business model of the new LockBit 2.0 and a cyberespionage campaign targeting the largest telecoms. For the sake of balance, we also describe a new project from Microsoft – with “Super Duper Secure Mode” the company wants to change the landscape of exploits and increase the cost of attacks.

Critical VMware vulnerabilities affecting multiple products now patched!

VMware has released security updates for multiple products to address a critical vulnerability that could be exploited to gain access to confidential information.

Tracked as CVE-2021-22002 (CVSS score: 8.6) and CVE-2021-22003 (CVSS score: 3.7), the flaws affect VMware Workspace One Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

CVE-2021-22002 concerns an issue with how VMware Workspace One Access and Identity Manager allow the “/cfg” web app and diagnostic endpoints to be accessed via port 443 by tampering with a host header, resulting in a server-side request.

Also addressed by VMware is an information disclosure vulnerability impacting VMware Workspace One Access and Identity Manager through an inadvertently exposed login interface on port 7443. An attacker with network access to this port could potentially stage a brute-force attack, which the firm noted: “may or may not be practical based on lockout policy configuration and password complexity for the target account.”

For customers who cannot upgrade to the latest version, VMware is offering a workaround script for CVE-2021-22002. It can be deployed independently without taking the vRA appliances offline.
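The two issues above both leave traces a defender can look for: requests to the “/cfg” web app on port 443 that carry an unexpected Host header, and repeated failed logins against the exposed interface on port 7443. The following is an added example, not code from this newsletter or from VMware; it assumes a constructed, hypothetical log layout (combined log format with the Host header as a final quoted field) and a placeholder FQDN of idm.example.com.

```python
import re
from collections import Counter

# Constructed sample log lines in a hypothetical layout: combined log format with
# the request's Host header appended as a final quoted field. Not real VMware logs.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2021:10:00:01 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 512 "idm.example.com:443"
203.0.113.7 - - [04/Aug/2021:10:00:03 +0000] "GET /cfg/ HTTP/1.1" 200 2048 "localhost:443"
203.0.113.7 - - [04/Aug/2021:10:00:04 +0000] "GET /cfg/diagnostics HTTP/1.1" 200 1024 "127.0.0.1:443"
198.51.100.4 - - [04/Aug/2021:10:00:05 +0000] "POST /SAAS/auth/login HTTP/1.1" 401 0 "idm.example.com:7443"
198.51.100.4 - - [04/Aug/2021:10:00:06 +0000] "POST /SAAS/auth/login HTTP/1.1" 401 0 "idm.example.com:7443"
198.51.100.4 - - [04/Aug/2021:10:00:07 +0000] "POST /SAAS/auth/login HTTP/1.1" 401 0 "idm.example.com:7443"
10.0.0.5 - - [04/Aug/2021:10:00:08 +0000] "POST /SAAS/auth/login HTTP/1.1" 401 0 "idm.example.com:7443"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<host>[^"]+)"$'
)
# The appliance's real FQDN(s); "idm.example.com" is an assumed placeholder.
EXPECTED_HOSTS = {"idm.example.com"}

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_host_header_anomalies(log_text):
    """Requests to /cfg whose Host header is not an expected FQDN.
    CVE-2021-22002 is reached by tampering with the Host header on port 443 to
    get at the /cfg web app, so a mismatch on that path is the signal to alert on."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        host = rec["host"].rsplit(":", 1)[0]  # strip the port suffix
        if rec["path"].startswith("/cfg") and host not in EXPECTED_HOSTS:
            hits.append((rec["src"], rec["path"], rec["host"]))
    return hits

def find_login_bruteforce(log_text, threshold=3):
    """Source IPs with at least `threshold` failed (401) logins against the
    inadvertently exposed login interface on port 7443."""
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["status"] == "401" and rec["host"].endswith(":7443"):
            failures[rec["src"]] += 1
    return {src: n for src, n in failures.items() if n >= threshold}
```

The fixed failure threshold is a simplification: as VMware notes, whether brute force is practical depends on the lockout policy and password complexity, so tune the threshold to your own policy.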

It’s not the only problem VMware had last week. Do you remember the BlackMatter ransomware group we warned you against in the previous Security Center issue? Well, last week, researchers from MalwareHunterTeam spotted a Linux ELF64 encryptor for the BlackMatter ransomware gang that was designed to target VMware ESXi servers. So, as we can see, they act pretty fast. 

Sources 1 | 2 

LockBit ransomware recruiting corporate insiders to breach networks

The LockBit 2.0 ransomware gang is actively recruiting corporate insiders who can help them breach and encrypt networks. In return, they promise million-dollar payouts.

RaaS in a nutshell: many ransomware gangs operate as a Ransomware-as-a-Service (RaaS), which consists of a core crew of developers, who maintain the ransomware and payment sites, and recruited affiliates, who breach victims’ networks and encrypt devices. The ransom payment is then split between the core group and the affiliate, with the affiliate usually getting 70-80%. There is a third side of the coin – in many cases, the affiliates purchase access to networks from pentesters rather than breaching the company themselves.

With LockBit 2.0, the ransomware gang is trying to remove the middle-man and instead recruit insiders to provide them access to a corporate network. 

Let us remind you – in June the LockBit ransomware operation announced the launch of the new LockBit 2.0 ransomware-as-a-service project. It includes redesigned Tor sites and multiple advanced features, among them automatic encryption of devices on a network via group policies.

They have also changed the Windows wallpaper that is placed on encrypted devices. Now it offers “millions of dollars” for corporate insiders who provide access to networks where they have an account.

Source: Bleeping Computer

The full text explains that LockBit is looking for RDP, VPN, and corporate email credentials that they can then use to gain access to the network. They also say they will send the insider a “virus” that should be executed on a computer, likely to give the ransomware gang remote access to the network.

While this tactic may sound far-fetched, it is not the first time threat actors have attempted to recruit an employee to encrypt their company’s network (it happened to Tesla before). So please control what data and privileges your employees have.

Source

Microsoft Edge – ‘Super Duper Secure Mode’ new security feature

Microsoft has announced that the Edge Vulnerability Research team is experimenting with a new feature dubbed “Super Duper Secure Mode” and designed to bring security improvements without significant performance losses.

When enabled, the mode will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline, reducing the attack surface threat actors can use to hack into Edge users’ systems.

According to CVE data collected since 2019, around 45% of vulnerabilities found in the V8 JavaScript and WebAssembly engine were related to the JIT engine, and more than half of all ‘in the wild’ Chrome exploits abused JIT bugs.

While a JIT compiler is designed to increase performance by compiling code during program execution (at run time), Microsoft claims that disabling it does not always have negative impacts.

With the JIT engine turned off, Edge was able to turn on protections — such as the hardware-based Control-flow Enforcement Technology (CET) from Intel — that were previously incompatible with JIT.

In the future, Microsoft also wants to add support for Arbitrary Code Guard (ACG) that would prevent loading malicious code into memory, a technique used by most web browser exploits.

While still in the experimental stage, Super Duper Secure Mode is currently available via edge://flags/#edge-enable-super-duper-secure-mode for users of canary, dev, and beta release channels of the browser.

Source

‘DeadRinger’ targeted Exchange Servers via ProxyLogon years before the discovery

Threat actors linked to China exploited the notorious Microsoft Exchange ProxyLogon vulnerabilities long before they were publicly disclosed, attacking major telecommunications companies with the aim of stealing sensitive customer data and maintaining network persistence.

Researchers from Cybereason have been tracking multiple cyberespionage campaigns – collectively dubbed “DeadRinger” – since 2017. According to the initial report, a Chinese threat group dubbed SoftCell was targeting billing servers to steal call records from telecoms in Africa, the Middle East, Europe, and Asia in 2019.

They also identified two groups – Naikon APT and Group-3390 – that also appear to be working for China’s regime to compromise billing servers to steal telco call records as well as maintain persistent access to their networks through other core components.

While these attacks were separate, they were also all adaptive, persistent, and evasive, with the attackers dynamically responding to mitigation attempts after having evaded security efforts since at least 2017. They all occurred in the same time frame, attacked the same victims, and were even found on the same endpoints.

Overall, overlaps throughout the three groups “are evidence of a likely connection between the threat actors” indicating that “each group was tasked with parallel objectives in monitoring the communications of specific high-value targets” by central command “aligned with Chinese state interests,” researchers concluded.

Cellular networks are a prime target for nation-states because they provide an excellent stepping stone to many other types of attacks and different targets. Cybereason’s prevailing assessment is that the operations were intended for espionage purposes only. It is true, however, that had the attackers decided to change their objectives from espionage to interference, they would have had the ability to disrupt communications for any – or all – of the affected telecoms’ customers.

Source 1 | 2

Do you have a thirst for knowledge? There are ten more cybersecurity stories below.

  1. Decade-old router bug could affect millions of devices (Infosecurity Magazine)
  2. Microsoft halts Windows 365 trials after running out of servers (Bleeping Computer)
  3. Raccoon stealer bundles malware, propagates via Google SEO (Threat Post)
  4. Potential RCE flaw patched in PyPI’s GitHub repository (Security Week)
  5. Unpatched security flaws expose Mitsubishi safety PLCs to remote attacks (The Hacker News)
  6. Serious flaws in widespread embedded TCP/IP stack endanger industrial control devices (CSO)
  7. Google Patches High-Risk Android Security Flaws (Security Week)
  8. Windows PetitPotam attacks can be blocked using new method (Bleeping Computer)
  9. Solar market infostealer malware once again making its way into the wild (The Hacker News)
  10. Over 60 Million Americans Exposed Through Misconfigured Database (Infosecurity Magazine)