vmware | Breaking Cybersecurity News | The Hacker News

The threat actors behind the  8Base ransomware  are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks. The findings come from Cisco Talos, which has recorded an increase in activity carried out by the cybercriminals. "Most of the group's Phobos variants are distributed by SmokeLoader, a backdoor trojan," security researcher Guilherme Venere said in an exhaustive  two-part   analysis  published Friday. "This commodity loader typically drops or downloads additional payloads when deployed. In 8Base campaigns, however, it has the ransomware component embedded in its encrypted payloads, which is then decrypted and loaded into the SmokeLoader process' memory." 8Base came into sharp focus in mid-2023, when a similar spike in activity was observed by the cybersecurity community. It's said to be active at least since March 2022. A  previous analysis  from VMware Carbon Black in June 2023 identified parallels between 8Base and Ranso

VMware is warning of a critical and unpatched security flaw in Cloud Director that could be exploited by a malicious actor to get around authentication protections. Tracked as  CVE-2023-34060  (CVSS score: 9.8), the vulnerability impacts instances that have been upgraded to version 10.5 from an older version. "On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console)," the company  said  in an alert. "This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present." The virtualization services company further noted that the impact is due to the fact that it utilizes a version of sssd from the underlying Photon OS that is affected by  CVE-2023-34060 . Dustin Hartle from IT solutions provider Idea

Wing Security recently announced that basic third-party risk assessment is  now available as a free product . But it raises the questions of how SaaS is connected to third-party risk management (TPRM) and what companies should do to ensure a proper SaaS-TPRM process is in place. In this article we will share 5 tips to manage the third-party risks associated with SaaS, but first...  What exactly is Third-Party Risk Management in SaaS? SaaS is rapidly growing, offering businesses convenience, swift implementations, and valuable opportunities. However, this growth introduces a security challenge where risks arise from the interconnected nature of SaaS supply chains. It is clear that before onboarding a new contractor or vendor, we need due diligence, security checks, and referrals. However, we now understand that in the SaaS domain, applications are, in fact, the go-to vendor of choice.  Let's explain: Any employee can very easily connect SaaS vendors to company data, granting them pe

As many as 34 unique vulnerable Windows Driver Model ( WDM ) and Windows Driver Frameworks ( WDF ) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems. "By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama, a senior threat researcher at VMware Carbon Black,  said . The  research  expands on previous studies, such as  ScrewedDrivers  and  POPKORN  that utilized  symbolic execution  for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O. The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys ( CVE-2023-20598 ), RadHwMgr.sys, rtif.sys, rtport.sys, s

VMware has released security updates to address a critical flaw in the vCenter Server that could result in remote code execution on affected systems. The issue, tracked as  CVE-2023-34048  (CVSS score: 9.8), has been described as an out-of-bounds write vulnerability in the implementation of the  DCE/RPC protocol . "A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution," VMware  said  in an advisory published today. Credited with discovering and reporting the flaw is Grigory Dorodnov of Trend Micro Zero Day Initiative. VMware said that there are no workarounds to mitigate the shortcoming and that security updates have been made available in the following versions of the software - VMware vCenter Server 8.0 (8.0U1d or 8.0U2) VMware vCenter Server 7.0 (7.0U3o) VMware Cloud Foundation 5.x and 4.x Given the criticality of the flaw and the lack of temporary mitigations, the virtualization

Virtualization services provider VMware has alerted customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs. Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability relates to a case of authentication bypass that could lead to remote code execution. "An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution," VMware  noted  in an advisory on October 19, 2023. James Horseman from Horizon3.ai and the Randori Attack Team have been credited with discovering and reporting the flaw. Horizon3.ai has since made available a  PoC for the vulnerability , prompting VMware to revise its advisory this week. It's worth noting that CVE-2023-34051 is a patch bypass for a  set of critical flaws  that were addressed by VMware earlier this January that could expose users to remote code execution attacks. &

Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight). The flaw, tracked as  CVE-2023-34039 , is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation. "A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," VMware said earlier this week. Summoning Team's Sina Kheirkhah, who published the PoC following an analysis of the patch released by VMware, said the root cause can be traced back to a bash script containing a method named refresh_ssh_keys(), which is responsible for overwriting the current SSH keys for the support and ubuntu users in the authorized_keys file. "There is SSH authentication in place; however, VMware forgot to regenerate th

VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution. The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation. "A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," the company  said  in an advisory. ProjectDiscovery researchers Harsh Jaiswal and Rahul Maini have been credited with discovering and reporting the issue. The second weakness, CVE-2023-20890 (CVSS score: 7.2), is an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution. Credited

A ransomware threat called 8Base that has been operating under the radar for over a year has been attributed to a "massive spike in activity" in May and June 2023. "The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms," VMware Carbon Black researchers Deborah Snyder and Fae Carlisle  said  in a report shared with The Hacker News. "8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries." 8Base, according to statistics gathered by  Malwarebytes  and  NCC Group , has been linked to 67 attacks as of May 2023, with about 50% of the victims  operating  in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the U.S. and Brazil. With very little known about the operators of the ransomware, its origins remain something of a cipher. What's evident is that it has been active sinc

VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as  CVE-2023-20887 , could  allow  a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. It impacts VMware Aria Operations Networks versions 6.x, with fixes released in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 on June 7, 2023. Now according to an update shared by the virtualization services provider on June 20, 2023, the flaw has been weaponized in real-world attacks, although the exact specifics are unknown as yet. "VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild," the company  noted . Data gathered by threat intelligence firm GreyNoise  shows  active exploitation of the flaw from two different IP addresses located in the Netherl

The Chinese state-sponsored group known as  UNC3886  has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as  CVE-2023-20867  (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs," Mandiant  said . UNC3886 was  initially documented  by the Google-owned threat intelligence firm in September 2022 as a cyber espionage actor infecting VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE. Earlier this March, the group was  linked  to the exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system to deploy implants on the network appliances and interact with the aforementioned malware. The threat actor has been described as a

VMware has  released  security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution. The most critical of the three vulnerabilities is a command injection vulnerability tracked as  CVE-2023-20887  (CVSS score: 9.8) that could allow a malicious actor with network access to achieve remote code execution. Also patched by VMware is another  deserialization vulnerability  ( CVE-2023-20888 ) that's rated 9.1 out of a maximum of 10 on the CVSS scoring system. "A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution," the company said in an advisory. The third security defect is a high-severity information disclosure bug ( CVE-2023-20889 , CVSS score: 8.8) that could permit an actor with network access to perform a command injection attack and obtain

A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed. "TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle  said . Active since at least 2017, TrueBot is linked to a group known as Silence that's believed to share overlaps with the notorious Russian cybercrime actor known as  Evil Corp . Recent  TrueBot infections  have leveraged a critical flaw in Netwrix Auditor ( CVE-2022-31199 , CVSS score: 9.8) as well as  Raspberry Robin  as delivery vectors. The attack chain documented by VMware, on the other hand, starts off with a drive-by-download of an executable named " update.exe " from Google Chrome, suggesting that users are lured into downloading the malware under the pretext of a software update. Once run, update.exe establishes connections with a k

An analysis of the Linux variant of a new ransomware strain called BlackSuit has covered significant similarities with another ransomware family called  Royal . Trend Micro, which examined an x64 VMware ESXi version targeting Linux machines, said it identified an "extremely high degree of similarity" between Royal and BlackSuit. "In fact, they're nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files," Trend Micro researchers  noted . A comparison of the Windows artifacts has identified 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff. BlackSuit  first came to light  in early  May 2023  when Palo Alto Networks Unit 42 drew attention to its ability to target both Windows and Linux hosts. In line with other ransomware groups, it runs a double extortion scheme that steals and encrypts sensitive data in a c

A new ransomware-as-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and  VMware ESXi systems  as of April 2023. The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News. "This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software," the company said. "In fact, VMware goes as far as to claim it's not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries." The  targeting of VMware ESXi hypervisors  with ransomware to scale such campaigns is a technique known as  hypervisor jackpotting . Over the years, the approach has been adopted by several ransomware groups, including Royal. What's more

Multiple threat actors have capitalized on the leak of Babuk (aka Babak or Babyk) ransomware code in September 2021 to build as many as nine different ransomware families capable of targeting VMware ESXi systems. "These variants emerged through H2 2022 and H1 2023, which shows an increasing trend of Babuk source code adoption," SentinelOne security researcher Alex Delamotte  said  in a report shared with The Hacker News. "Leaked source code enables actors to target Linux systems when they may otherwise lack expertise to build a working program." A number of  cybercrime groups , both big and small, have set their sights on ESXi hypervisors. What's more, at least three different ransomware strains –  Cylance ,  Rorschach  (aka BabLock), and  RTM Locker  – that have emerged since the start of the year are based on the leaked Babuk source code. SentinelOne's latest analysis shows that this phenomenon is more common, with the cybersecurity company identifyi

VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution. The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine. "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company  said . Also patched by VMware is an out-of-bounds read vulnerability affecting the same feature (CVE-2023-20870, CVSS score: 7.1), that could be abused by a local adversary with admin privileges to read sensitive information contained in hypervisor memory from a virtual machine. Both vulnerabilities were  demonstrated  by researchers from STAR Labs on the third day of the Pwn2O

Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems. The most severe of the vulnerabilities is a command injection flaw  in Cisco Industrial Network Director  (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of improper input validation when  uploading a Device Pack . "A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device," Cisco  said  in an advisory released on April 19, 2023. The networking equipment major also resolved a medium-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that an authenticated, local attacker could abuse to view sensitive information. Patches have been made available in  version 1.11.3 , with Cisco crediting an unnamed

The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet  FortiOS  operating system has been linked to a suspected Chinese hacking group. American cybersecurity company Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments. The Google-owned threat intelligence and incident response firm is tracking the malicious operation under its uncategorized moniker UNC3886 , describing it as a China-nexus threat actor. "UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns," Mandiant researchers  said  in a technical analysis. "UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-da

VMware on Tuesday released patches to address a critical security vulnerability affecting its Carbon Black App Control product. Tracked as  CVE-2023-20858 , the shortcoming carries a CVSS score of 9.1 out of a maximum of 10 and impacts App Control versions 8.7.x, 8.8.x, and 8.9.x. The virtualization services provider describes the issue as an injection vulnerability. Security researcher Jari Jääskelä has been credited with discovering and reporting the bug. "A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system," the company  said  in an advisory. VMware said there are no workarounds that resolve the flaw, necessitating that customers update to versions 8.7.8, 8.8.6, and 8.9.4 to mitigate potential risks. It's worth pointing out that Jääskelä was also credited with reporting two critical vulnerabilities in the same product ( CVE-2022-229