vmware | Breaking Cybersecurity News | The Hacker News

An analysis of the Linux variant of a new ransomware strain called BlackSuit has covered significant similarities with another ransomware family called  Royal . Trend Micro, which examined an x64 VMware ESXi version targeting Linux machines, said it identified an "extremely high degree of similarity" between Royal and BlackSuit. "In fact, they're nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files," Trend Micro researchers  noted . A comparison of the Windows artifacts has identified 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff. BlackSuit  first came to light  in early  May 2023  when Palo Alto Networks Unit 42 drew attention to its ability to target both Windows and Linux hosts. In line with other ransomware groups, it runs a double extortion scheme that steals and encrypts sensitive data in a c

A new ransomware-as-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and  VMware ESXi systems  as of April 2023. The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News. "This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software," the company said. "In fact, VMware goes as far as to claim it's not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries." The  targeting of VMware ESXi hypervisors  with ransomware to scale such campaigns is a technique known as  hypervisor jackpotting . Over the years, the approach has been adopted by several ransomware groups, including Royal. What's more

Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.

Multiple threat actors have capitalized on the leak of Babuk (aka Babak or Babyk) ransomware code in September 2021 to build as many as nine different ransomware families capable of targeting VMware ESXi systems. "These variants emerged through H2 2022 and H1 2023, which shows an increasing trend of Babuk source code adoption," SentinelOne security researcher Alex Delamotte  said  in a report shared with The Hacker News. "Leaked source code enables actors to target Linux systems when they may otherwise lack expertise to build a working program." A number of  cybercrime groups , both big and small, have set their sights on ESXi hypervisors. What's more, at least three different ransomware strains –  Cylance ,  Rorschach  (aka BabLock), and  RTM Locker  – that have emerged since the start of the year are based on the leaked Babuk source code. SentinelOne's latest analysis shows that this phenomenon is more common, with the cybersecurity company identifyi

VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution. The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine. "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company  said . Also patched by VMware is an out-of-bounds read vulnerability affecting the same feature (CVE-2023-20870, CVSS score: 7.1), that could be abused by a local adversary with admin privileges to read sensitive information contained in hypervisor memory from a virtual machine. Both vulnerabilities were  demonstrated  by researchers from STAR Labs on the third day of the Pwn2O

Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems. The most severe of the vulnerabilities is a command injection flaw  in Cisco Industrial Network Director  (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of improper input validation when  uploading a Device Pack . "A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device," Cisco  said  in an advisory released on April 19, 2023. The networking equipment major also resolved a medium-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that an authenticated, local attacker could abuse to view sensitive information. Patches have been made available in  version 1.11.3 , with Cisco crediting an unnamed

The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet  FortiOS  operating system has been linked to a suspected Chinese hacking group. American cybersecurity company Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments. The Google-owned threat intelligence and incident response firm is tracking the malicious operation under its uncategorized moniker UNC3886 , describing it as a China-nexus threat actor. "UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns," Mandiant researchers  said  in a technical analysis. "UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-da

VMware on Tuesday released patches to address a critical security vulnerability affecting its Carbon Black App Control product. Tracked as  CVE-2023-20858 , the shortcoming carries a CVSS score of 9.1 out of a maximum of 10 and impacts App Control versions 8.7.x, 8.8.x, and 8.9.x. The virtualization services provider describes the issue as an injection vulnerability. Security researcher Jari Jääskelä has been credited with discovering and reporting the bug. "A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system," the company  said  in an advisory. VMware said there are no workarounds that resolve the flaw, necessitating that customers update to versions 8.7.8, 8.8.6, and 8.9.4 to mitigate potential risks. It's worth pointing out that Jääskelä was also credited with reporting two critical vulnerabilities in the same product ( CVE-2022-229

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an  ongoing ransomware attack spree  worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)," the virtualization services provider  said . The company is further recommending users to upgrade to the latest available supported releases of vSphere components to mitigate known issues and  disable the OpenSLP service  in ESXi. "In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default," VMware added. The announcement comes as unpatched and unsecured VMware ESXi servers around the world have been targeted in a  large-scale   ransomware campaign  dubbed ESXiArgs by likely exploiting a two-year-old bug VMware p

VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France  said  in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an  OpenSLP  heap-overflow vulnerability that could lead to the execution of arbitrary code. "A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution," the virtualization services provider  noted . French cloud services provider OVHcloud  said  the attacks are being detected globally with a specific focus on Europe. It's being suspected that the intrusions are related to a new Rust-based ransomware strain called Nevada that emerged

VMware on Tuesday released software to remediate four security vulnerabilities affecting  vRealize Log Insight  (aka Aria Operations for Logs) that could expose users to remote code execution attacks. Two of the flaws are critical, carrying a severity rating of 9.8 out of a maximum of 10, the virtualization services provider noted in its first security bulletin for 2023. Tracked as CVE-2022-31706 and CVE-2022-31704, the directory traversal and broken access control issues could be exploited by a threat actor to achieve remote code execution irrespective of the difference in the attack pathway. "An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution," the company  said  of the two shortcomings. A third vulnerability relates to a deserialization flaw (CVE-2022-31710, CVSS score: 7.5) that could be weaponized by an unauthenticated attacker to trigger a denial-of-service (DoS) conditi

VMware has patched five security flaws affecting its  Workspace ONE Assist  solution, some of which could be exploited to bypass authentication and obtain elevated permissions. Topping the list are three critical vulnerabilities tracked as CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687. All the shortcomings are rated 9.8 on the CVSS vulnerability scoring system. CVE-2022-31685 is an authentication bypass flaw that could be abused by an attacker with network access to VMware Workspace ONE Assist to obtain administrative access without the need to authenticate to the application. CVE-2022-31686 has been described by the virtualization services provider as a "broken authentication method" vulnerability, and CVE-2022-31687 as a "Broken Access Control" flaw. "A malicious actor with network access may be able to obtain administrative access without the need to authenticate to the application," VMware  said  in an advisory for CVE-2022-31686 and CVE-202

VMware on Tuesday shipped security updates to address a critical security flaw in its VMware Cloud Foundation product. Tracked as CVE-2021-39144, the issue has been rated 9.8 out of 10 on the CVSS vulnerability scoring system, and relates to a remote code execution vulnerability via XStream open source library. "Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of 'root' on the appliance," the company  said  in an advisory. In light of the severity of the flaw and its relatively low bar for exploitation, the Palo Alto-based virtualization services provider has also made available a  patch  for end-of-life products. Also addressed by VMware as part of the update is CVE-2022-31678 (CVSS score: 5.3), an XML External Entity ( XXE ) vulnerability that could be exploited to result in a denial-of-service (DoS) condition or unauthorized info

A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. "The attacker intends to utilize a victim's resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin  said  in a Thursday report. The issue, tracked as CVE-2022-22954 (CVSS score: 9.8), concerns a remote code execution vulnerability that stems from a case of server-side template injection. Although the shortcoming was addressed by the virtualization services provider in April 2022, it has since come under active exploitation in the wild. Fortinet said it observed in August 2022 attacks that sought to weaponize the flaw to deploy the  Mirai botnet  on Linux devices as well as the RAR1Ransom and  GuardMiner , a variant of the XMRig Monero miner. The Mirai sample is retrieved fr

Threat actors associated with the notorious Emotet malware are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection, according to new research from VMware. Emotet  is the work of a threat actor tracked as Mummy Spider (aka TA542), emerging in June 2014 as a banking trojan before morphing into an all-purpose loader in 2016 that's capable of delivering second-stage payloads such as ransomware. While the botnet's infrastructure was  taken down  as part of a coordinated law enforcement operation in January 2021, Emotet bounced back in November 2021 through another malware known as  TrickBot . Emotet's resurrection, orchestrated by the now-defunct Conti team, has since paved the way for Cobalt Strike infections and, more recently, ransomware attacks involving  Quantum and BlackCat . "The ongoing adaptation of Emotet's execution chain is one reason the malware has been successful for so long," researchers from VMwa

Threat actors have been found deploying never-before-seen post-compromise implants in VMware's virtualization software to seize control of infected systems and evade detection. Google's Mandiant threat intelligence division referred to it as a "novel malware ecosystem" that impacts VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access to the  hypervisor  as well as execute arbitrary commands. The  hyperjacking attacks , per the cybersecurity vendor, involved the use of malicious vSphere Installation Bundles ( VIBs ) to sneak in two implants, dubbed VIRTUALPITA and VIRTUALPIE, on the ESXi hypervisors. "It is important to highlight that this is not an external remote code execution vulnerability; the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware," Mandiant researchers Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore said in an exhaus

Virtualization services provider VMware on Tuesday shipped updates to  address 10 security flaws  affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions. The issues, tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8), impact VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. The most severe of the flaws is CVE-2022-31656 (CVSS score: 9.8), an authentication bypass vulnerability affecting local domain users that could be leveraged by a bad actor with network access to obtain administrative rights. Also resolved by VMware are three remote code execution vulnerabilities (CVE-2022-31658, CVE-2022-31659, and CVE-2022-31665) related to JDBC and SQL injection that could be weaponized by an adversary with administrator and network access. Elsewhere, it has also remediated a reflec

A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.  According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the  Log4Shell vulnerability  against an unpatched VMware Horizon Server. "Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike," researchers Julio Dantas, James Haughom, and Julien Reisdorffer  said . LockBit 3.0 (aka LockBit Black), which comes with the tagline "Make Ransomware Great Again!," is the  next iteration  of the prolific  LockBit RaaS family  that emerged in June 2022 to iron out  critical weaknesses  discovered in its predecessor. It's notable for insti

VMware has issued patches to contain  two security flaws  impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks. The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior authentication. CVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of local privilege escalation that could enable an attacker with local access to elevate privileges to the "root" user on vulnerable virtual appliances. "It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments," VMware  said . The disclosure follows a  warning  from the U.S. Cybersecurity and Infrastructure Agency (CISA) that advanced persistent threat (APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 — two other VMware flaws t

Cloud computing and virtualization technology firm VMWare on Thursday rolled out an update to resolve a critical security flaw in its Cloud Director product that could be weaponized to launch remote code execution attacks. The issue, assigned the identifier  CVE-2022-22966 , has a CVSS score of 9.1 out of a maximum of 10. VMware credited security researcher Jari Jääskelä with reporting the flaw. "An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server," VMware  said  in an advisory. VMware Cloud Director, formerly known as vCloud Director, is used by many well-known cloud providers to operate and manage their cloud infrastructures and gain visibility into datacenters across sites and geographies. The vulnerability could, in other words, end up allowing attackers to gain access to sensitive data and take over private clou

A week after VMware released patches to remediate eight security vulnerabilities in VMware Workspace ONE Access, threat actors have begun to actively exploit one of the critical flaws in the wild. Tracked as  CVE-2022-22954 , the security shortcoming relates to a remote code execution vulnerability that stems from server-side template injection in VMware Workspace ONE Access and Identity Manager. The bug is rated 9.8 in severity. "A malicious actor with network access can trigger a server-side  template injection  that may result in remote code execution," the company  noted  in its advisory. The virtualization services provider has since revised its bulletin to warn customers of confirmed exploitation of CVE-2022-22954 occurring in the wild. Cybersecurity firm Bad Packets also  corroborated  that it detected attempts to weaponize the vulnerability. Source:  Bad Packets It's worth noting that the patches shipped last week address seven more vulnerabilities in VMwar