Italian agency warns ransomware targets known VMware vulnerability


The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

News broke in early February that the ACN, Italy’s National Cybersecurity Agency, issued a warning regarding a VMware vulnerability discovered two years ago. Many organizations hadn’t yet patched the issue and became the victims of a new ransomware called ZCryptor. The malicious software wreaked havoc on Italian and European businesses by encrypting users’ files and demanding payment for the data to be unencrypted. 

The ACN urges VMware users to ensure their systems are backed up and updated with the most recent security patches available. With ransomware on the rise, it’s crucial that businesses take the necessary steps to protect their data and applications. 

ESXiArgs ransomware attacks

Ransomware is a type of malware or malicious software that enables unauthorized users to restrict access to an organization’s files, systems, and networks. But it doesn’t stop there. In exchange for the keys to the kingdom, attackers will typically require a large sum in the form of cryptocurrency. 

There are many ways that ransomware is executed on a target system. In this case, the attackers exploited a flaw in VMware's ESXi hypervisor and held entire servers for ransom. According to reports, most victims were required to pay almost $50,000 USD in Bitcoin to restore access to entire business systems. 

The nature of these attacks leads experts to believe that this is not the work of established ransomware gangs, and is more likely being executed by a smaller group of threat actors. But that doesn't mean the damage was any less alarming. 

Exploiting known vulnerabilities

Hackers were able to infect over 2,000 machines in only twenty-four hours on a Friday afternoon before the start of the weekend. But how were they able to work so fast?

As soon as software developers and providers publish fixes for specific vulnerabilities, threat actors are already beginning their plan of attack. Fortunately, the vulnerability that ESXiArgs exploits was patched two years ago (CVE-2021-21974). 

Organizations that have not applied this patch are at risk of becoming a victim of the latest ransomware. Unfortunately, Florida's Supreme Court, the Georgia Institute of Technology, Rice University, and many schools across Hungary and Slovakia have already become victims of this newest ransomware attack. 

CISA guidance for affected systems

The US Cybersecurity and Infrastructure Security Agency (CISA) issued recovery guidance for the 3,800 servers around the world affected by the ESXiArgs ransomware attacks: 

Immediately update all servers to the latest VMware ESXi version. 
Disable Service Location Protocol (SLP) to harden the hypervisor.
Make sure the ESXi hypervisor is never exposed to the public internet. 

CISA also offers a script on its GitHub page to reconstruct virtual machine metadata from unaffected virtual disks. 

What organizations can learn from this attack

It can happen to anyone. Malware and ransomware attacks are a popular way to exploit organizations and no business, big or small, is off-limits. The software development industry is now worth over a trillion dollars due to the ever-increasing demand for new applications to meet the various needs of individuals and organizations. 

The average organization uses 110 applications to keep operations running smoothly. Each application requires routine maintenance to keep systems secure, and running updates plays a major role in protecting systems from ransomware. 

Another key takeaway from this attack is to keep vital systems far away from the public internet. Any file, system, or application that touches it can be infiltrated by skilled attackers. And since unpatched VMware ESXi hosts remain vulnerable, companies should not expose the ESXi interface to the world. 

How to improve patch management and avoid ransomware attacks

There are several issues that contribute to the complexity of patch management, making it difficult for companies to stay on track. For example, as the number of software services increases, so does the number of CVEs. That means more patches to manage, track, and run before attackers discover how to exploit known vulnerabilities. 

In addition to large amounts of software, there is also a large amount of data that companies have to manage. For example, companies generate dark data on an ongoing basis through ordinary business transactions. User behaviors, orchestrations, and other datasets are increasing rapidly as more organizations make data-driven decisions to boost their success. 

This amount of data is very difficult to process and inspect, leaving vulnerabilities hidden where attackers can exploit them. Without visibility into which assets run which software, any patching strategy will be ineffective. Complete visibility enables teams to prioritize the assets and software that need to be updated. 

Here is how to overcome these common patch management issues and avoid costly ransomware attacks: 

Test every patch

Patches must be thoroughly tested before being introduced into your systems. Patching is necessary to ensure that applications stay secure and up-to-date, but it can cause issues if something goes wrong. Each patch should be tested to avoid misconfigurations and other problems that can do more harm than good. 

Apply patches ASAP

Time is not on your side when it comes to patch management. After patches have been tested, apply them as soon as possible. The faster, the better. As soon as updates are released, hackers are hard at work to exploit as many users as possible before they have a chance to run the patch. 

Phase out deprecated devices and applications

Sometimes there isn't anything left to do but retire a program or device. When software is deprecated, no further patches will be released, and new vulnerabilities may never be disclosed or fixed. Out-of-date software is often phased out precisely because of such security concerns. Get rid of any applications and devices that have reached end of life.

Automate patch management

Utilize automation to streamline patch management. Keeping track of each application’s maintenance schedule and regularly testing and patching software is time-consuming. Patch management automation or partnering with a managed service provider might be the most effective way to keep applications and endpoints up to date. 
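The CISA guidance above (patch level, SLP disabled, no internet exposure) and the point that visibility is what lets a team prioritize both come down to the same job: join an asset inventory with advisory data and rank what to fix first. The script below is an added example, not code from the original article, AT&T, CISA or VMware. It assumes an inventory where each host records its product, installed version, internet exposure, SLP state and end-of-life status, and an advisory list naming the first version that carries a fix. Every host name, version string and CVE identifier in it is a constructed placeholder, not a real ESXi build or advisory.

```python
"""Patch-exposure triage over a constructed asset inventory.

Added example (not from the original article, AT&T, CISA or VMware). Joins
hypervisor hosts with advisories that say which version fixes a CVE, then
scores each host by how exposed it is: an unpatched host that is reachable
from the internet outranks everything else, end-of-life products are flagged
for replacement, and an enabled SLP service is flagged as attack surface.
All host names, versions and advisory entries are placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.3' into (7, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    cve: str
    product: str
    fixed_version: str  # first version that carries the fix


@dataclass
class Host:
    name: str
    product: str
    version: str
    internet_exposed: bool
    slp_enabled: bool
    end_of_life: bool
    findings: List[str] = field(default_factory=list)
    score: int = 0


# Constructed sample data: placeholder identifiers, not real advisories or hosts.
ADVISORIES = [
    Advisory("CVE-PLACEHOLDER-0001", "esxi", "7.0.2"),
]

INVENTORY = [
    Host("hv-01", "esxi", "7.0.1", internet_exposed=True, slp_enabled=True, end_of_life=False),
    Host("hv-02", "esxi", "7.0.3", internet_exposed=False, slp_enabled=True, end_of_life=False),
    Host("hv-03", "esxi", "7.0.2", internet_exposed=False, slp_enabled=False, end_of_life=False),
    Host("hv-04", "esxi", "6.5.0", internet_exposed=True, slp_enabled=False, end_of_life=True),
]


def missing_patches(host: Host, advisories: List[Advisory]) -> List[Advisory]:
    """Advisories for this host's product whose fix is newer than the installed version."""
    installed = parse_version(host.version)
    return [a for a in advisories
            if a.product == host.product and installed < parse_version(a.fixed_version)]


def triage(host: Host, advisories: List[Advisory]) -> Host:
    """Score one host; findings are reset so the function can be re-run on a refreshed inventory."""
    host.findings, host.score = [], 0
    unpatched = missing_patches(host, advisories)
    for adv in unpatched:
        host.findings.append(
            f"missing fix for {adv.cve} (installed {host.version}, fixed in {adv.fixed_version})")
        host.score += 50
    if host.end_of_life:
        host.findings.append("product is end-of-life: no further patches will ship, plan replacement")
        host.score += 30
    if host.internet_exposed:
        host.findings.append("management interface reachable from the internet: remove exposure")
        host.score += 20
        if unpatched or host.end_of_life:
            host.score += 40  # vulnerable AND reachable: treat as the most urgent case
    if host.slp_enabled:
        host.findings.append("SLP service enabled: disable it to reduce attack surface")
        host.score += 10
    return host


def prioritise(inventory: List[Host], advisories: List[Advisory]) -> List[Host]:
    """Return only hosts with at least one finding, highest score first."""
    scored = [triage(h, advisories) for h in inventory]
    return sorted((h for h in scored if h.findings), key=lambda h: (-h.score, h.name))


if __name__ == "__main__":
    for host in prioritise(INVENTORY, ADVISORIES):
        print(f"{host.name} score={host.score}")
        for finding in host.findings:
            print(f"  - {finding}")
```

On the constructed inventory the end-of-life, internet-exposed hv-04 ranks first, the unpatched and exposed hv-01 second, and hv-02 appears only for its enabled SLP service; hv-03 is fully patched and isolated, so it produces no work item. The weights are deliberately simple; the point is that the ranking is driven by inventory facts the team actually holds, which is what makes a patch schedule defensible.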

Final thoughts

Ransomware attacks are not going away anytime soon. The latest ransomware warning out of Italy is now affecting thousands of systems globally due to unpatched software that should have been updated two years ago. Businesses that might be affected by the ESXiArgs ransomware should follow CISA guidance to prevent damage and recover what data might be lost. 

The best way to prevent ransomware threats is to be proactive with running patches and updates. Test every patch to ensure that it’s safe for your systems, apply changes as soon as possible, replace deprecated software, and automate patch management for optimal efficiency and security.


7 guidelines for identifying and mitigating AI-enabled phishing campaigns


The emergence of effective natural language processing tools such as ChatGPT means it’s time to begin understanding how to harden against AI-enabled cyberattacks. The natural language generation capabilities of large language models (LLMs) are a natural fit for one of cybercrime’s most important attack vectors: phishing. Phishing relies on fooling people and the ability to generate effective language and other content at scale is a major tool in the hacker’s kit.

Fortunately, there are several good ways to mitigate this growing threat. Here are seven guidelines for readiness in the age of AI-enabled phishing:


CVE-2015-10096


A vulnerability, which was classified as critical, was found in Zarthus IRC Twitter Announcer Bot up to 1.1.0. This affects the function get_tweets of the file lib/twitterbot/plugins/twitter_announcer.rb. The manipulation of the argument tweet leads to command injection. It is possible to initiate the attack remotely. Upgrading to version 1.1.1 is able to address this issue. The name of the patch is 6b1941b7fc2c70e1f40981b43c84a2c20cc12bd3. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223383.


CVE-2021-46877


jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.


flatpak-runtime-f37-3720230318112459.1 flatpak-sdk-f37-3720230318112459.1


FEDORA-FLATPAK-2023-b62200ee95

Packages in this update:

flatpak-runtime-f37-3720230318112459.1
flatpak-sdk-f37-3720230318112459.1

Update description:

Add 05-flatpak-fontpath.conf to avoid conflict between caches on host and flatpak.

See https://github.com/fedora-silverblue/issue-tracker/issues/305

Updated flatpak runtime and SDK, including latest Fedora 37 security and bug-fix errata.


Feds Charge NY Man as BreachForums Boss “Pompompurin”


The U.S. Federal Bureau of Investigation (FBI) this week arrested a New York man on suspicion of running BreachForums, a popular English-language cybercrime forum where some of the world's biggest hacked databases routinely first show up for sale. The forum's administrator "Pompompurin" has been a thorn in the side of the FBI for years, and BreachForums is widely considered a reincarnation of RaidForums, a remarkably similar crime forum that the FBI infiltrated and dismantled in 2022.

FBI agents carting items out of Fitzpatrick’s home on March 15. Image: News 12 Westchester.

In an affidavit filed with the District Court for the Southern District of New York, FBI Special Agent John Langmire said that at around 4:30 p.m. on March 15, 2023, he led a team of law enforcement agents that made a probable cause arrest of a Conor Brian Fitzpatrick in Peekskill, NY.

“When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick; b) he used the alias ‘pompompurin/’ and c) he was the owner and administrator of ‘BreachForums the data breach website referenced in the Complaint,” Langmire wrote.

Pompompurin has been something of a nemesis to the FBI for several years. In November 2021, KrebsOnSecurity broke the news that thousands of fake emails about a cybercrime investigation were blasted out from the FBI’s email systems and Internet addresses.

Pompompurin took credit for that stunt, and said he was able to send the FBI email blast by exploiting a flaw in an FBI portal designed to share information with state and local law enforcement authorities. The FBI later acknowledged that a software misconfiguration allowed someone to send the fake emails.

In December, 2022, KrebsOnSecurity broke the news that hackers active on BreachForums had infiltrated the FBI’s InfraGard program, a vetted FBI program designed to build cyber and physical threat information sharing partnerships with experts in the private sector. The hackers impersonated the CEO of a major financial company, applied for InfraGard membership in the CEO’s name, and were granted admission to the community.

From there, the hackers plundered the InfraGard member database, and proceeded to sell contact information on more than 80,000 InfraGard members in an auction on BreachForums. The FBI responded by disabling the portal for some time, before ultimately forcing all InfraGard members to re-apply for membership.

More recently, BreachForums was the sales forum for data stolen from DC Health Link, a health insurance exchange based in Washington, D.C. that suffered a data breach this month. The sales thread initially said the data included the names, Social Security numbers, dates of birth, health plan and enrollee information and more on 170,000 individuals, although the official notice about the breach says 56,415 people were affected.

In April 2022, the U.S. Justice Department seized the servers and domains for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world's largest data breaches since 2015. As part of that operation, the feds also charged the alleged administrator, 21-year-old Diogo Santos Coelho of Portugal, with six criminal counts.

Coelho was arrested in the United Kingdom on Jan. 31, 2022. By that time, the new BreachForums had been live for just under a week, but with a familiar look.

BreachForums remains accessible online, and from reviewing the live chat stream on the site’s home page it appears the forum’s active users are only just becoming aware that their administrator — and the site’s database — is likely now in FBI hands:

Members of BreachForums discuss the arrest of the forum’s alleged owner.

“Wait if they arrested pom then doesn’t the FBI have all of our details we’ve registered with?” asked one worried BreachForums member.

“But we all have good VPNs I guess, right…right guys?” another denizen offered.

“Like pom would most likely do a plea bargain and cooperate with the feds as much as possible,” replied another.

Fitzpatrick could not be immediately reached for comment. The FBI declined to comment for this story.

There is only one page to the criminal complaint against Fitzpatrick (PDF), which charges him with one count of conspiracy to commit access device fraud. The affidavit on his arrest is available here (PDF).
