VMware ESXi flaws abused in the wild

Researchers have warned of two VMware ESXi hypervisor flaws that allow ransomware groups to encrypt virtual hard drives. Attackers have been exploiting them since October 2020. More technical details are below.

Cybercriminals abuse two VMware ESXi flaws to encrypt virtual hard disks

At least one major ransomware gang is abusing vulnerabilities in the VMware ESXi product to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives.

Evidence suggests the attackers used CVE-2019-5544 and CVE-2020-3992. Both bugs are in OpenSLP, the implementation of the Service Location Protocol (SLP) that ships with ESXi. SLP is a protocol that devices on the same network use to discover each other's services; on ESXi the slpd daemon listens on port 427 (TCP and UDP).

The vulnerabilities allow an attacker on the same network to send malicious SLP requests to an ESXi host and execute code on it, even if the attacker has not compromised the VMware vCenter server to which the ESXi hosts usually report.

Past attacks have been linked to the criminal group that deploys the RansomExx ransomware. The gang has been seen gaining access to a device on a corporate network and using that initial foothold to attack local ESXi hosts and encrypt the virtual disk files that back their virtual machines. Because a single ESXi host usually stores the disks of many VMs, encrypting them takes many systems down at once and causes massive disruption.

System administrators at companies that rely on VMware ESXi to host their virtual machines are advised to apply the ESXi patches or, if the protocol is not needed, to disable the SLP service so that the vulnerable code is no longer reachable from the network.
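Whichever route you take, verify it from the network side. The script below is an added example (not code from the original article or from VMware): it builds an SLPv2 Service Request as defined in RFC 2608, sends it to UDP port 427 and reports whether any SLP agent answers. The target address 192.0.2.10 is a placeholder, and the XID and language tag values are arbitrary choices.

```python
"""Probe a host for an exposed SLP service agent (udp/427).

Added example, not from the original article or from VMware. It builds an
SLPv2 Service Request (RFC 2608) the way any SLP client would, sends it to
port 427 and reports whether anything answers. Use it to confirm that slpd
really is unreachable after patching or disabling the service on an ESXi host.
"""
import socket
import struct
from typing import Optional

SLP_PORT = 427
SLP_VERSION = 2
FUNC_SRVRQST = 1      # Service Request
FUNC_SRVRPLY = 2      # Service Reply
FUNC_SAADVERT = 11    # Service Agent Advertisement
FLAG_MCAST = 0x2000   # set by clients on multicast/broadcast requests


def _lstr(value: bytes) -> bytes:
    """Encode a length-prefixed string field (2-byte big-endian length)."""
    return struct.pack(">H", len(value)) + value


def build_srvrqst(service_type: bytes = b"service:service-agent",
                  scope: bytes = b"DEFAULT", xid: int = 1,
                  multicast: bool = False) -> bytes:
    """Build an SLPv2 SrvRqst: 14-byte header + language tag + body."""
    body = (_lstr(b"")            # previous responder list (empty)
            + _lstr(service_type)
            + _lstr(scope)
            + _lstr(b"")          # LDAP predicate (none)
            + _lstr(b""))         # SLP SPI (none: no authentication)
    lang = b"en"
    total = 14 + len(lang) + len(body)
    flags = FLAG_MCAST if multicast else 0
    header = (struct.pack(">BB", SLP_VERSION, FUNC_SRVRQST)
              + total.to_bytes(3, "big")          # packet length (24 bits)
              + struct.pack(">H", flags)
              + (0).to_bytes(3, "big")            # next extension offset
              + struct.pack(">H", xid)
              + _lstr(lang))
    return header + body


def parse_header(data: bytes) -> dict:
    """Decode the fixed part of an SLPv2 header; raises ValueError if malformed."""
    if len(data) < 14 or data[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    version, func = struct.unpack(">BB", data[:2])
    length = int.from_bytes(data[2:5], "big")
    flags = struct.unpack(">H", data[5:7])[0]
    xid = struct.unpack(">H", data[10:12])[0]
    lang_len = struct.unpack(">H", data[12:14])[0]
    if len(data) < 14 + lang_len:
        raise ValueError("truncated language tag")
    return {"version": version, "function": func, "length": length,
            "flags": flags, "xid": xid,
            "lang": data[14:14 + lang_len].decode("ascii", "replace")}


def probe_slp(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one SrvRqst over UDP and return the parsed reply header, or None."""
    request = build_srvrqst(xid=0x1337)          # arbitrary transaction id
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, SLP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None           # nothing listening (or filtered): good
    reply = parse_header(data)
    if reply["xid"] != 0x1337:
        return None               # not an answer to our request
    return reply


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    reply = probe_slp(target)
    if reply is None:
        print(f"{target}: no SLP reply on udp/{SLP_PORT} (service disabled or filtered)")
    else:
        print(f"{target}: SLP agent still answering (function id {reply['function']})")
```

Run it from a machine on the same network segment as the host, once before and once after the change. A missing reply can also mean a firewall in the path, so pair the probe with a host-side check of the slpd service state; the point of the network test is that it exercises the same path an attacker in the position described above would use.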


Baron Samedit sudo vulnerability also affects Apple and Cisco products

Apple’s macOS Big Sur operating system and multiple Cisco products are also affected by the new major sudo vulnerability, tracked as CVE-2021-3156 and referred to as Baron Samedit. The bug is a heap-based buffer overflow that an unprivileged local user can exploit to gain root privileges on the vulnerable host.

Apple OS vulnerable 

Researchers at cybersecurity firm Qualys, who discovered the bug, tested it only on several Linux distributions. According to Hacker House co-founder Matthew Hickey, Apple’s macOS Big Sur is also affected.

“CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one’s privileges to 1337 uid=0,” he said on Twitter.

Apple last week issued patches for more than 60 vulnerabilities in macOS Big Sur, Catalina, and Mojave, but none of them addresses the sudo bug.

Cisco products are also affected

Cisco’s security team is investigating which of its products are affected by the Baron Samedit vulnerability. So far, several have been confirmed to be affected: Firepower Threat Defense (FTD), Prime Collaboration Provisioning, Prime Service Catalog Virtual Appliance, Smart Software Manager On-Prem, Nexus 3000 series switches, Nexus 9000 series switches in standalone NX-OS mode, and Paging Server (InformaCast).

There are no indications that the sudo vulnerability is being exploited in live attacks, but users are advised to apply patches as soon as they become available for their products.
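Until a vendor patch arrives, the practical question is whether a given host is exposed. The script below is an added example (not code from the original article, from Qualys or from the sudo project) that combines the two checks a practitioner would run on a Linux host: a version comparison against the releases Qualys reported as affected (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2), and the behavioural probe from the Qualys advisory, which runs sudoedit -s / as an unprivileged user. The version check alone is unreliable on distributions that backport the fix without changing the version string, which is why the probe result is treated as authoritative.

```python
"""Check a Linux host for CVE-2021-3156 (Baron Samedit).

Added example, not from the original article, Qualys or the sudo project.
Two independent checks, because neither is sufficient on its own:
  1. a version check against the ranges Qualys reported as affected
     (1.8.2 - 1.8.31p2 and 1.9.0 - 1.9.5p1; fixed in 1.9.5p2), which gives
     false positives where a distribution backported the fix without
     bumping the version string; and
  2. the behavioural probe from the Qualys advisory: run 'sudoedit -s /' as
     an unprivileged user. A vulnerable sudo accepts -s in edit mode and
     complains 'sudoedit: /: not a regular file'; a patched one rejects the
     flag and prints its usage text instead.
"""
import re
import subprocess
from typing import Optional, Tuple

# Inclusive (lo, hi) ranges of affected upstream releases,
# as (major, minor, micro, patchlevel).
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the version from 'sudo --version' output: '1.8.31p2' -> (1, 8, 31, 2)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def version_in_affected_range(version: Tuple[int, int, int, int]) -> bool:
    """True if the upstream release number falls in an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(stderr: str) -> str:
    """Interpret the stderr of 'sudoedit -s /' as described in the Qualys advisory."""
    first = stderr.strip().splitlines()[0] if stderr.strip() else ""
    if first.startswith("sudoedit:"):
        return "vulnerable"      # -s was accepted: the flawed code path is reachable
    if first.startswith("usage:"):
        return "patched"         # -s rejected in edit mode: the fix is present
    return "unknown"             # e.g. no sudoedit entry point, or an unusual build


def run_checks() -> dict:
    """Run both checks on the local host as an unprivileged user (no root needed)."""
    result = {"version": None, "version_affected": None, "probe": "unknown"}
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
        version = parse_sudo_version(out)
        if version:
            result["version"] = ".".join(map(str, version[:3])) + (
                f"p{version[3]}" if version[3] else "")
            result["version_affected"] = version_in_affected_range(version)
        probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True,
                               text=True, check=False)
        result["probe"] = classify_sudoedit_output(probe.stderr)
    except FileNotFoundError:
        pass                     # sudo or sudoedit not installed at all
    return result


if __name__ == "__main__":
    r = run_checks()
    print(f"sudo {r['version'] or '?'}: version-range affected={r['version_affected']}, "
          f"probe={r['probe']}")
    if r["probe"] == "vulnerable":
        print("CVE-2021-3156: VULNERABLE (the probe result overrides the version check)")
```

The probe is harmless: it stops at sudo's argument and file checks and does not touch the overflow. A host whose version string looks affected but whose probe says "patched" has a backported fix; a host with no sudoedit entry point returns "unknown" and needs to be checked by version or package metadata instead.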


New ‘Hildegard’ Malware Targets Kubernetes Systems

The hacking group known as TeamTNT has been using a new piece of malware in a recently started campaign targeting Kubernetes environments. This is not the first time: in September 2020 we warned about the group’s campaign that used the legitimate tool Weave Scope to take over Docker and Kubernetes deployments.

In a new campaign that started in January 2021, and which appears to be only in its early stages, the group has targeted Kubernetes environments with a piece of malware called Hildegard, which is both stealthy and persistent. The malware connects to its command and control (C&C) server via a tmate reverse shell and an Internet Relay Chat (IRC) channel, disguises its malicious process under the name bioset (a legitimate Linux kernel thread), hides malicious processes with an LD_PRELOAD-based library injection, and encrypts the malicious payload to hinder analysis.

As part of the observed attacks, once the Kubernetes cluster was compromised, the hackers attempted to spread to additional containers, with the final purpose of the attacks being cryptojacking. However, no new activity has been identified since the initial detection.

The malware might also be leveraged for the exfiltration of sensitive data from the applications running in the targeted environments. Attackers can also manually perform additional reconnaissance and operations.

The campaign employs tools and domains observed in previous TeamTNT attacks, but the code base and infrastructure appear incomplete, suggesting that the campaign is still under development. Most of the infrastructure is only one month old and some scripts are being updated frequently. Even so, this campaign seems to be one of the most sophisticated attacks targeting Kubernetes, and Hildegard is the most feature-rich malware we have seen from TeamTNT so far.

In this attack the threat actors combine Kubernetes misconfigurations with known vulnerabilities; in the observed intrusion, initial access came through a kubelet that allowed anonymous access. DevOps and IT teams must coordinate to prioritize remediation, especially for external-facing assets and high-risk vulnerabilities: make sure kubelet authentication and authorization are enforced, and patch or isolate anything reachable from the internet.
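The evasion techniques listed above translate directly into host-side detections. The script below is an added example (not code from the original article, from the researchers who reported Hildegard, or from TeamTNT's tooling) that looks for three of them on a Linux node or inside a container: a user-space process masquerading as the bioset kernel thread, processes hidden from directory listings by an LD_PRELOAD hook, and libraries injected through /etc/ld.so.preload (assumed here as the usual placement for such a hook; the sample process records and preload file contents in the test data are constructed). The hidden-process check works because a readdir() hook filters what ps, ls /proc and os.listdir() see, while a stat() of /proc/PID does not go through readdir() and still succeeds.

```python
"""Hunt for Hildegard-style tradecraft on a Linux node or container.

Added example; not code from the original article or from TeamTNT's tooling.
Pure functions take already-collected data so they can be unit-tested offline;
the collect_* helpers read the live system.
"""
import os
import re
from typing import Dict, Iterable, List

# One record per process, as read from /proc/<pid>/{status,cmdline,exe}.
# A genuine kernel thread has PPID 2 (kthreadd), an empty cmdline and no exe link.
ProcInfo = Dict[str, object]

SUSPECT_NAMES = {"bioset"}   # kernel-thread names Hildegard borrows; extend as needed


def is_kernel_thread(proc: ProcInfo) -> bool:
    """Kernel threads are children of kthreadd (PID 2) and carry no userland image."""
    return proc["ppid"] == 2 and proc["cmdline"] == "" and proc["exe"] is None


def find_masquerading_processes(procs: Iterable[ProcInfo]) -> List[ProcInfo]:
    """Processes that wear a kernel-thread name but are ordinary userland processes."""
    return [p for p in procs if p["comm"] in SUSPECT_NAMES and not is_kernel_thread(p)]


def find_hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> List[int]:
    """PIDs reachable by stat() but missing from the readdir() view of /proc.

    An LD_PRELOAD hook on readdir()/readdir64() (libprocesshider-style hiding)
    filters directory listings, so 'ps', 'ls /proc' and os.listdir() all lie;
    stat() on /proc/<pid> does not go through readdir() and still succeeds.
    """
    return sorted(set(probed) - set(listed))


def preloaded_libraries(preload_text: str) -> List[str]:
    """Library paths listed in /etc/ld.so.preload (normally the file does not exist)."""
    return [line.strip() for line in preload_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


# --- live collectors (Linux only) ---------------------------------------------

def collect_proc(pid: int) -> ProcInfo:
    base = f"/proc/{pid}"
    with open(f"{base}/status") as f:
        status = f.read()
    comm = re.search(r"^Name:\s*(.*)$", status, re.M).group(1)
    ppid = int(re.search(r"^PPid:\s*(\d+)$", status, re.M).group(1))
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").strip().decode("utf-8", "replace")
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None            # kernel threads (and zombies) have no exe link
    return {"pid": pid, "comm": comm, "ppid": ppid, "cmdline": cmdline, "exe": exe}


def listed_pids() -> List[int]:
    """The readdir()-based view: what a hooked libc lets you see."""
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


def probed_pids() -> List[int]:
    """The stat()-based view: brute-force every possible PID (takes a few seconds)."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    return [pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}/status")]


if __name__ == "__main__":
    hidden = find_hidden_pids(listed_pids(), probed_pids())
    procs = []
    for pid in set(listed_pids()) | set(hidden):
        try:
            procs.append(collect_proc(pid))
        except (OSError, AttributeError):
            continue          # process exited while we were reading it
    for p in find_masquerading_processes(procs):
        print(f"[!] pid {p['pid']} is named {p['comm']} but runs {p['exe'] or p['cmdline']}")
    for pid in hidden:
        print(f"[!] pid {pid} is hidden from readdir(): suspect LD_PRELOAD hooking")
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            for lib in preloaded_libraries(f.read()):
                print(f"[!] /etc/ld.so.preload injects {lib}")
```

Run it as root on the node (or with /proc of the host mounted into a privileged pod) so that every process's exe link is readable. Any hit is worth a look, but note that a non-empty /etc/ld.so.preload is also used by a few legitimate agents, so treat that finding as a lead to verify rather than proof of compromise.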


Crypto Crook Hired Steven Seagal to Promote Scam, Now Faces Charges

Feds charged a California-based private detective for stealing $11M from investors, with help from actor Steven Seagal.

Hundreds of investors were bilked out of $11 million by John DeMarr, who advised them to invest in the fake cryptocurrency “Bitcoiin”. Instead he took their money and spent it on a Porsche, jewelry and upgrades to his home.

He even hired Steven Seagal to promote his company, also known as “Bitcoiin2Gen” or “B2G”. The actor was charged with unlawfully touting a digital asset offering and failing to disclose payments he received for promoting an initial coin offering (ICO) conducted by B2G. He was ordered last year to pay a $157,000 penalty, without admitting to any crimes.

DeMarr, on the other hand, is in custody and made his first appearance in court on Feb. 1 to face one charge of conspiracy to commit securities fraud. 

DeMarr is alleged to have promised victims 8,000-percent returns on their investment within the first year, the complaint said, and generated fake press releases, white papers and account statements to keep the scam going. When investors finally came looking for their money, DeMarr reportedly faked his own disappearance, asking others to lie and say he was assaulted and kidnapped in Montenegro. 

Mr. DeMarr created an elaborate cryptocurrency scheme, complete with high-profile endorsements and incredibly large returns that proved to be a mirage costing investors millions

The FBI said this prosecution should serve as a warning to other would-be crypto-crooks.


Do you have a thirst for knowledge? Here are ten more cybersecurity stories:

1. Interview with a LockBit ransomware operator (Talos Intelligence)
2. Android devices ensnared in DDoS botnet (ZDNet)
3. New Fonix ransomware decryptor can recover victim’s files for free (Bleeping Computer)
4. This Linux malware is hijacking supercomputers across the globe (ZDNet)
5. Google patches an actively exploited Chrome zero-day (ZDNet)
6. Spotify Suffers Second Credential-Stuffing Cyberattack in 3 Months (Threat Post)
7. Second SolarWinds Attack Group Breaks into USDA Payroll – Report (Threat Post)
8. Cyberpunk 2077 Exploit Allows Malicious Actors to Gain Control of Gamers PCs (Hot for Security)
9. Nespresso smart cards can be exploited for unlimited coffee (Hack Read)
10. Hackers are exploiting a critical zero-day in devices from SonicWall (Ars Technica)