Home Security Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern

Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern

by


May 23, 2024NewsroomRansomware / Virtualization

Ransomware attacks targeting VMware ESXi infrastructure following an established pattern regardless of the file-encrypting malware deployed.

“Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse,” cybersecurity firm Sygnia said in a report shared with The Hacker News.

The Israeli company, through its incident response efforts involving various ransomware families like LockBit, HelloKitty, BlackMatter, RedAlert (N13V), Scattered Spider, Akira, Cactus, BlackCat and Cheerscrypt, found that attacks on virtualization environments adhere to similar sequence of actions.

This includes the following steps –

  • Obtaining initial access through phishing attacks, malicious file downloads, and exploitation of known vulnerabilities in internet-facing assets
  • Escalating their privileges to obtain credentials for ESXi hosts or vCenter using brute-force attacks or other methods
  • Validating their access to the virtualization infrastructure and deploying the ransomware
  • Deleting or encrypting backup systems, or in some cases, changing the passwords, to complicate recovery efforts
  • Exfiltrating data to external locations such as Mega.io, Dropbox, or their own hosting services
  • Propagating the ransomware to non-virtualized servers and workstations to widen the scope of the attack

To mitigate the risks posed by such threats, it’s recommended for organizations to ensure adequate monitoring and logging are in place, create robust backup mechanisms, enforce strong authentication measures, and harden the environment, and implement network restrictions to prevent lateral movement.

Cybersecurity

The development as cybersecurity company Rapid7 warned of an ongoing campaign since early March 2024 that employs malicious ads on commonly used search engines to distribute trojanized installers for WinSCP and PuTTY via typosquatted domains and ultimately install ransomware.

These counterfeit installers act as a conduit to drop the Sliver post-exploitation toolkit, which is then used to deliver more payloads, including a Cobalt Strike Beacon that’s leveraged for ransomware deployment.

The activity shares tactical overlaps with prior BlackCat ransomware attacks that have used malvertising as an initial access vector as part of a recurring campaign that delivers the Nitrogen malware.

“The campaign disproportionately affects members of IT teams, who are most likely to download the trojanized files while looking for legitimate versions,” security researcher Tyler McGraw said.

Ransomware Attacks

“Successful execution of the malware then provides the threat actor with an elevated foothold and impedes analysis by blurring the intentions of subsequent administrative actions.”

The disclosure also follows the emergence of new ransomware families like Beast, MorLock, Synapse, and Trinity, with the MorLock group extensively going after Russian companies and encrypting files without first exfiltrating them.

“For the restoration of access to data, the [MorLock] attackers demand a considerable ransom, the size of which can be tens and hundreds of millions of rubles,” Group-IB’s Russian offshoot F.A.C.C.T. said.

According to data shared by NCC Group, global ransomware attacks in April 2024 registered a 15% decline from the previous month, dropping from 421 to 356.

Notably, April 2024 also marks an end to LockBit’s eight-month reign as the threat actor with the most victims, highlighting its struggles to stay afloat in the aftermath of a sweeping law enforcement takedown earlier this year.

Cybersecurity

“In a surprising turn of events however, LockBit 3.0 was not the most prominent threat group for the month and had fewer than half of the observed attacks they did in March,” the company said. “Instead, Play was the most active threat group, followed shortly after by Hunters.”

The turbulence in the ransomware scene has been complemented by cyber criminals advertising hidden Virtual Network Computing (hVNC) and remote access services like Pandora and TMChecker that could be utilized for data exfiltration, deploying additional malware, and facilitating ransomware attacks.

“Multiple initial access brokers (IABs) and ransomware operators use [TMChecker] to check available compromised data for the presence of valid credentials to corporate VPN and email accounts,” Resecurity said.

“The concurrent rise of TMChecker is thus significant because it substantially lowers the cost barriers to entry for threat actors looking to obtain high-impact corporate access either for primary exploitation or for sale to other adversaries on the secondary market.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex