April 30 2023

Linux version of RTM Locker ransomware targets VMware ESXi servers

Description

RTM Locker is a ransomware operation targeting enterprises, deploying a Linux encryptor to attack VMware ESXi servers. The group, known as the “Read The Manual” gang, has a history of financial fraud and distributes a custom banking trojan. Their Linux encryptor terminates running virtual machines and encrypts associated files. Encryption relies on secure algorithms, with no available decryptors. Encrypted files receive a .RTM extension, and ransom notes demand contact via Tox for payment negotiations. RTM Locker previously used TOR sites but shifted to TOX for communication. This ESXi-targeting version poses a significant threat to enterprises. The group has launched a Ransomware-as-a-Service (RaaS) operation, recruiting affiliates from the Conti cybercrime syndicate. Uptycs analyzed the Linux variant based on leaked Babuk ransomware code. Strong encryption, based on random number generation and elliptic curve Diffie-Hellman, is employed. The process shows the group’s organizational maturity. Enhanced security measures are necessary to combat this evolving threat.

Infected Technology

VMware ESXi server

Source

https://www.bleepingcomputer.com/news/security/linux-version-of-rtm-locker-ransomware-targets-vmware-esxi-servers/

Recommendation

• Keep systems and software updated.
• Implement strong access controls and least privilege principles.
• Use network segmentation to separate critical systems.
• Regularly back up data and test the restoration process.
• Deploy behavior-based monitoring for detecting ransomware activity.
• Provide security awareness training to employees.
• Develop and test an incident response plan.
• Enable logging and monitoring of ESXi servers and virtual machines.

Vulnerable Veeam backup servers are exposed online by hackers

Description

Hackers are targeting Veeam backup servers that have vulnerabilities and are accessible online. They are known to work with multiple high-profile ransomware gangs and have been using malicious activity and tools that resemble FIN7 attacks since March 28. This is less than a week after an exploit was released for a high-severity vulnerability in the Veeam Backup and Replication (VBR) software, which could expose encrypted credentials stored in the VBR configuration to unauthorized users. The vulnerability allows attackers to gain access to the backup infrastructure hosts. Veeam fixed the issue on March 7, but an exploit was released by Horizon3 pentesting company on March 23. The exploit allows attackers to extract credentials in plain text and run code remotely with the highest privileges. Despite Veeam’s fix, there are still around 7,500 VBR hosts that are vulnerable and exposed on the internet, according to Huntress Labs.

Infected Technology

Veeam Backup Server

Source

https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-veeam-backup-servers-exposed-online/

Recommendation

• Patch software timely.
• Train employees on security best practices.
• Monitor your network for unusual activity
• Consider implementing two-factor authentication.
• Develop a backup and disaster recovery plan

CVE ID

CVE-2023-27532

New Vulnerability Exposes Thousands of Apache Superset Servers to RCE Attacks

Description

Horizon3.ai has discovered a new weakness in the Apache Superset servers named CVE-2023-27524. The research shows that approximately two-thirds of the company’s servers use this insecure default configuration. The flaw affects server instances from version 1.4.1 to 2.0.1, which use the default SECRET_KEY value, making them vulnerable to unauthorized access by hackers. Many organizations, including government institutions and universities, are affected. A successful attack can enable hackers to log in with administrator privileges, access databases, and modify or delete them. Attackers can also perform RCE on the compromised databases and the server itself, leading to sensitive data exposure and further system compromise. As the number of Superset customers grows, thousands of organizations worldwide could potentially be vulnerable to RCE attacks. To mitigate the risk, the company has released an update with version 2.1 of its product, which prevents the server from initiating if it uses the default secret key configuration. However, the patch is not foolproof as server instances installed via a docker-compose file or a helm template still use the default keys. To determine whether their Apache Superset server is using an unsafe default configuration, organizations can use the CVE-2023-27524 PoC exploit code released by Horizon3.ai on GitHub.

Infected Technology

Apache Superset Servers

Source

https://socprime.com/blog/cve-2023-27524-detection-new-vulnerability-exposes-thousands-of-apache-superset-servers-to-rce-attacks/

Recommendation

• Organizations are strongly recommended that they update their version to the latest one with the available patch or remove it.

CVE ID

CVE-2023-27524

Cisco discloses XSS zero-day flaw in server management tool

Description

Cisco has reported a zero-day vulnerability, identified as CVE-2023-20060, in their Prime Collaboration Deployment (PCD) software, which may be abused for cross-site scripting attacks. The vulnerability was identified in the web-based administration interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre (NCSC). Successful exploitation of the vulnerability allows unauthenticated attackers to remotely initiate cross-site scripting attacks, albeit it needs user input. The issue arises because the web-based administration interface fails to check user-supplied information. The vulnerability may enable the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco has yet to identify any evidence of malicious usage in the wild, and no fixes are presently available to eliminate the attack vector. The business pledged to deploy security patches in May 2023.

Infected Technology

Cisco Prime Collaboration Deployment (PCD) software

Source

https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day-flaw-in-server-management-tool/

Recommendation

• Cisco pledged to issue security fix in May to address the zero-day. Until then, Cisco recommends to follow the best practices for cybersecurity.

CVE ID

CVE-2023-20060

Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack

Description

Cybersecurity researchers have identified a new “defense evasion tool” called AuKill, which has been used by threat actors to disable endpoint detection and response (EDR) software on target systems. The tool exploits an outdated driver in Microsoft’s Process Explorer utility, which is used to disable EDR processes before deploying backdoors or ransomware. The technique used by the attackers involves misusing a legitimate, but out-of-date, driver to gain elevated privileges and turn off security mechanisms. The attackers use valid, susceptible drivers to bypass a key Windows safeguard known as Driver Signature Enforcement. The tool requires administrative privileges to work, but the attackers take advantage of existing privileges gained through other means during attacks. AuKill has been used since the start of 2023 to deploy various ransomware strains, including Medusa Locker and LockBit, and six different versions of the malware have been identified so far.

Infected Technology

EDR software

Source

https://thehackernews.com/2023/04/ransomware-hackers-using-aukill-tool-to.html

Recommendation

• Update EDR software.
• Disable BYOVD.