The exploited vulnerability is two years old. However, patching hypervisors like VMware can be tricky. It is even more important to harden your hypervisor and to not expose any administrative interfaces.
The good news is that there aren’t that many vulnerable targets out there, but that is bad news if you are one of the 300+ running unsupported and/or unpatched old ESXi versions. There have been enough successful fines and lawsuits against companies running unsupportable software that you can use this as an event to brief management on to justify updating.
Have you considered when you're moving to ESXi 8? If you're still on ESXi 6.x you may want to jump all the way to version 8.0a. If you're running without vCenter, and procrastinating upgrading, you can boot the installer and replace your ESXi installation while preserving the volumes with your VMs, then import them. Also make sure that the SLP service is disabled if you're not using it.
What is troubling about this ransomware campaign is that it uses a vulnerability for which a patch was made available two years ago. So why are so many targets available to create a campaign around? It boils down to a matter of economics: it costs downtime and money to patch. We are quick to blame the IT staff for, well, incompetence. Perhaps, just perhaps it is also a business decision to not patch and unfortunately outside of their control. Now we get to measure the other part of the economics scale, the cost in recovery and clean-up.
Gov Infosecurity
The Record
DUO
Dark Reading
Ars Technica
Bleeping Computer
The Register
CERT-FR
CSIRT
Optimized databases like Redis are sometimes "protected" by the limited functionality they offer. However, here the attacker figured out that they are able to upload extension modules to the database adding the missing functionality. I have seen similar attacks against MySQL before.
I can't imagine a newscaster saying HeadCrab malware with a straight face. HeadCrab is a monster from the game Half-Life, which attaches itself to humans and turns them into zombies. This malware takes advantage of trust relationships, such as SLAVEOF, between Redis servers to load and transfer modules which add C&C commands to the targeted server. Make sure you've secured your Redis installations; don't expose them directly to the Internet, enable protected mode for cloud installations, bind the instance to a specific address to limit communication to trusted hosts and disable the SLAVEOF feature if not actively used.
Hmm, maybe a new trend: naming malware after disgusting body conditions that you want to rid yourself of very quickly. Would WannaCry have been dealt with more quickly if it had been called HeadLice?
Aqua Blog
Dark Reading
The Register
SC Magazine
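To make the Redis hardening checklist in the comments above concrete, here is an added example (not code from the Aqua report or from SANS): a small audit of a redis.conf that flags an all-interfaces bind, protected mode off, missing authentication, and SLAVEOF/REPLICAOF/MODULE left callable, run over a constructed weak config and its hardened counterpart. The 10.0.0.5 address, the placeholder password and the use of rename-command to remove commands are my assumptions; on Redis 7 an ACL rule is the alternative.

```python
# Added example (not from the Aqua report or SANS): audit a redis.conf for the
# exposure settings listed above. Both configs are constructed samples.

WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
# loopback plus one trusted interface (10.0.0.5 is a placeholder)
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
# renaming a command to "" removes it, so replication and MODULE LOAD are gone
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

ANY_ADDR = {"0.0.0.0", "*", "::"}

def parse_conf(text):
    """Map each lowercase directive to the list of argument lists seen."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):      # redis.conf comment lines
            parts = line.split()
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """Return the list of findings for a redis.conf body (empty if clean)."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind", [[]])[-1]              # last bind directive wins
    if not binds or ANY_ADDR & set(binds):
        findings.append("bind: instance listens on all interfaces")
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf and "aclfile" not in conf:
        findings.append("auth: no requirepass or aclfile configured")
    removed = {a[0].upper() for a in conf.get("rename-command", [])
               if len(a) == 2 and a[1] == '""'}
    for cmd in ("SLAVEOF", "REPLICAOF", "MODULE"):
        if cmd not in removed:
            findings.append(f"{cmd}: still callable")
    return findings
```

Running `audit(WEAK_CONF)` yields six findings and `audit(HARDENED_CONF)` yields none.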
One of the vulnerabilities may allow remote code execution pre-authentication. It will likely be difficult to exploit, but you should patch as updates become available for your operating system.
If you use OpenSSH, or OpenBSD, the OpenBSD Foundation accepts donations to improve the quality and security of the code - https://www.openbsdfoundation.org/
Check your distributions before panicking here, targeting environments running 9.1, e.g., Debian bookworm, the successor to 11.6 "bullseye". Odds are you're on older OpenSSH versions and going to be deploying the latest SSH packages to mitigate any risks. As John suggests, consider contributing to these guys: we all use the heck out of their code, and this is an easy way to support continued improvements and ongoing development/support.
This spike seems to correlate with Microsoft's blocking Office macros by default in documents from the Internet. While Google is raising the bar on advertisers, threat actors are still finding ways to slip through. Detection is tricky, and your best defense is going to be a combination of ad blockers and encouraging users to only download software from known, verified sources.
With the prior attack on Atlantic General in Maryland, this is the first time in a year or so that multiple hospitals have been forced into downtime due to cyber-attacks. If you think your hospital is impacted, check their web site to verify which services are available, don't rely on third-party interpretation of impacts. Ask yourself, if you and your industry peers were impacted at the same time, how could you benefit from collaboration, then pick up the phone and call them to discuss further.
The scourge that is ransomware, err ‘IT security issue,’ continues to affect the healthcare sector globally. TMH is to be applauded for: 1) proactively managing patient intake; and, 2) having and executing its cyber response plan. One aspect for the After Action Report (AAR) is understanding how the security issue began in order to make adjustments to their patch management process and enterprise architecture.
The use of electronic health records by hospitals should not put patients at risk. Applications must be more robust and procedures should be in place to practice medicine even when EHR systems fail.
Over the past two years, nations have banded together to concentrate law enforcement activities in the pursuit of cybercriminals. We’ve seen examples against currency exchanges where cybercriminals launder their ill-gotten gains. Here’s an example in reducing, or better yet, eliminating where cybercriminals can operate or vacation. Don’t forget though, more work still needs to be done to make enterprises resilient against ransomware attack.
This guy has been at it since he was a teenager, and was convicted of over 50,000 cybercrimes, yet as he was a minor, given a 2-year suspended sentence with a fine of 6,558 Euros. As he is now an adult, and the prior conviction didn't seem to quell his desire to commit malfeasance, expect them to throw the book at him. Expect changes in leniency towards minors convicted of cybercrimes.
Krebs On Security
Gov Infosecurity
The idea is to create a tool to help you make informed and educated choices to increase your cyber resiliency. For example, surveys found that EDR capabilities correlated to a 45% increase in resilience score, vs having no detection and response capability. Spend a bit of time drilling down, investigating options you may not have considered as well as digging deeper on topics you may only have heard of, or not had time to consider. The tool provides context which includes approach, implementation technique, related NIST SP 800-53 controls and mitigations.
CREF Navigator
Dark Reading
HelpNet Security
You can update to the fixed version or manually replace the "servicedesk-variable-substitution-plugin" JAR file as a workaround. Since you have to stop and start Jira to deploy the JAR file, you may as well schedule the update.
Atlassian
NIST
DUO
Bleeping Computer
The Hacker News
It’s good that NSF is seeking public comment on the 2023 Cybersecurity R&D plan. The seven questions posed in the request for information are both reasonable and balanced. That said, and while the RFI is not the right vehicle, NSF should also publish its scorecard on performance against the 2019 plan. What has been the impact over the previous four years from taxpayer investment in cybersecurity R&D?
The plan is looking at current topics and will be used to drive/fund cyber security research and education as well as the development of consensus-based standards; including six priority areas: artificial intelligence, quantum information science, trustworthy distributed digital infrastructure, privacy, secure hardware and software as well as education and workforce development.
Earthquake Scams
https://isc.sans.edu/diary/Earthquake+in+Turkey+and+Syria+Be+Aware+of+Possible+Donation+Scams/29518
APIs Used By Bots to Detect Public IP Addresses
https://isc.sans.edu/diary/APIs+Used+by+Bots+to+Detect+Public+IP+address/29516/
Assemblyline as a Malware Analysis Sandbox
https://isc.sans.edu/diary/Assemblyline+as+a+Malware+Analysis+Sandbox/29510
Ransomware Targeting VMware ESXi
https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/
Jira Service Management Server and Data Center Advisory CVE-2023-22501
A Novel State-of-the-Art Redis Malware
https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware
GoAnywhere MFT zero-day Exploited
https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
OpenSSH Vulnerability Details CVE 2023-25136
OpenSSH Update
https://www.openssh.com/releasenotes.html
F5 BigIP Vulnerability CVE-2023-22374