SANS NewsBites

Unsupported and Unpatched VMware Installs Are Enabling Ransomware; Secure Redis Servers or Risk HeadCrabs; Update OpenSSH to Avoid Compromise, Consider Donating

February 7, 2023  |  Volume XXV - Issue #11

Top of the News


2023-02-06

Ransomware Campaign Exploits Known VMware Vulnerability

Both France’s and Italy’s Computer Emergency Response Teams (CERTs) have issued alerts warning “of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.” The vulnerability (CVE-2021-21974) affects ESXi 7.0, 6.7 and 6.5. Support for ESXi 6.7 and 6.5 ended in October 2022. The flaw was disclosed, and a fix was released in February 2021.

Editor's Note

The exploited vulnerability is two years old. However, patching Hypervisors like VMware can be tricky. It is even more important to harden your hypervisor and to not expose any administrative interfaces.

Johannes Ullrich

The good news is that there aren’t that many vulnerable targets out there, but that is bad news if you are one of the 300+ running unsupported and/or unpatched old ESXi versions. There have been enough successful fines and lawsuits against companies running unsupportable software that you can use this as an event to brief management on to justify updating.

John Pescatore

Have you considered when you're moving to ESXi 8? If you're still on ESXi 6.x you may want to jump all the way to version 8.0a. If you're running without vCenter, and procrastinating upgrading, you can boot the installer and replace your ESXi installation while preserving the volumes with your VMs, then import them. Also make sure that the SLP service is disabled if you're not using it.

Lee Neely

What is troubling about this ransomware campaign is that it uses a vulnerability for which a patch was made available two years ago. So why are so many targets available to create a campaign around? It boils down to a matter of economics: it costs downtime and money to patch. We are quick to blame the IT staff for, well, incompetence. Perhaps, just perhaps it is also a business decision to not patch and unfortunately outside of their control. Now we get to measure the other part of the economics scale, the cost in recovery and clean-up.

Curtis Dukes
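The Editor's Notes above make two practical points: patch or replace the hypervisor, and disable SLP where it is not needed (VMware KB 76372 documents the sequence `/etc/init.d/slpd stop`, `esxcli network firewall ruleset set -r CIMSLP -e 0`, `chkconfig slpd off`, verified with `chkconfig --list | grep slpd`). Before either, you want an inventory of which hosts still answer SLP at all. The script below is an added example, not code from the newsletter, from OVHcloud or from VMware: it builds one SLPv2 Service Request per RFC 2608, sends it to UDP/427 and reports whether anything replies. The target addresses, XID and timeout are assumptions; run it only against hosts you are authorised to test.

```python
"""Find ESXi hosts that still answer OpenSLP on UDP/427.

Added example, not code from the newsletter, from OVHcloud or from VMware.
Message layout follows RFC 2608 (SLPv2); the host list, XID and timeout are
assumptions. Only run it against hosts you are authorised to test.
"""
import socket
import struct
from typing import Optional

SLP_PORT = 427
SRVRQST = 1   # Service Request  (RFC 2608 section 8.1)
SRVRPLY = 2   # Service Reply    (RFC 2608 section 8.2)


def _slp_string(s: str) -> bytes:
    """SLP string field: 2-byte big-endian length, then the UTF-8 bytes."""
    b = s.encode()
    return struct.pack("!H", len(b)) + b


def build_srvrqst(service_type: str = "service:service-agent",
                  scope: str = "DEFAULT", xid: int = 1) -> bytes:
    """Build an SLPv2 SrvRqst.

    Header: version(1) function-ID(1) length(3) flags(2) next-ext-offset(3)
            XID(2) lang-tag-length(2) lang-tag (here "en")
    Body:   PRList, service-type, scope-list, predicate, SLP SPI,
            each a length-prefixed string (empty where unused).
    """
    lang = b"en"
    body = (_slp_string("") + _slp_string(service_type) + _slp_string(scope)
            + _slp_string("") + _slp_string(""))
    total = 16 + len(body)                      # 14 fixed bytes + "en" + body
    header = (bytes([2, SRVRQST])
              + total.to_bytes(3, "big")
              + struct.pack("!H", 0)            # flags: plain unicast request
              + (0).to_bytes(3, "big")          # no extensions
              + struct.pack("!H", xid)
              + struct.pack("!H", len(lang)) + lang)
    return header + body


def parse_header(pkt: bytes) -> dict:
    """Decode the SLPv2 header (plus SrvRply error code and URL count)."""
    if len(pkt) < 14 or pkt[0] != 2:
        raise ValueError("not an SLPv2 message")
    lang_len = struct.unpack("!H", pkt[12:14])[0]
    info = {
        "function": pkt[1],
        "length": int.from_bytes(pkt[2:5], "big"),
        "xid": struct.unpack("!H", pkt[10:12])[0],
    }
    body = pkt[14 + lang_len:]
    if pkt[1] == SRVRPLY and len(body) >= 4:
        info["error_code"], info["url_count"] = struct.unpack("!HH", body[:4])
    return info


def probe(host: str, timeout: float = 2.0, xid: int = 0x1234) -> Optional[dict]:
    """Send one SrvRqst over UDP; return the parsed reply, or None if silent.

    An SLP agent answers a unicast request even when nothing matches
    (SrvRply with url_count 0), so any reply means the service is reachable.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srvrqst(xid=xid), (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    try:
        hdr = parse_header(data)
    except ValueError:
        return None
    return hdr if hdr["xid"] == xid else None   # ignore replies to other XIDs


if __name__ == "__main__":
    # Assumed inventory; replace with your own ESXi management addresses.
    for target in ["192.0.2.10", "192.0.2.11"]:
        result = probe(target)
        print(target, "SLP REACHABLE" if result else "no SLP reply", result or "")
```

A host that replies is one where `slpd` is still running and the CIMSLP firewall ruleset is open; run the KB 76372 steps there, then re-probe to confirm silence. OpenSLP also listens on TCP/427, so a silent UDP probe through a filtering device is not proof the service is off; check `chkconfig --list` on the host itself before closing the ticket.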

2023-02-04

HeadCrab Malware Has Infected More than 1,200 Redis Servers

In a blog post, researchers from Aqua Nautilus detail their findings about malware called HeadCrab that has infected more than 1,200 Redis database servers in the past year-and-a-half. The threat actor has been using their access to the servers to mine virtual currency.
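The issue's headline point for this item is to secure Redis before something like HeadCrab finds it. The quickest way to find out whether a server is exposed is to ask it: a Redis instance with no `requirepass` or ACL answers an unauthenticated `PING` with `+PONG`, one with a password answers `-NOAUTH`, and one that is reachable only because protected mode is on answers `-DENIED`. The script below is an added example, not code from the newsletter or from Aqua Nautilus; it speaks RESP2 (the Redis wire protocol) directly so it needs no client library. The target addresses and the sample replies are constructed; run it only against servers you are authorised to test.

```python
"""Check whether a Redis server accepts commands without authentication.

Added example, not code from the newsletter or from Aqua Nautilus. It speaks
RESP2 (the Redis wire protocol) directly, so no client library is needed.
Target addresses and sample replies are constructed for illustration.
Only run it against servers you are authorised to test.
"""
import socket
from typing import Any, Tuple


class RedisError(Exception):
    """An error reply ("-...") from the server, e.g. NOAUTH or DENIED."""


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        raw = arg.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


def parse_reply(data: bytes) -> Tuple[Any, bytes]:
    """Decode one RESP2 reply; returns (value, unconsumed bytes).

    Simple strings become str, errors become RedisError instances,
    integers int, bulk strings str (None for $-1), arrays list.
    """
    kind, rest = data[:1], data[1:]
    line, _, rest = rest.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RedisError(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest
        return rest[:n].decode(), rest[n + 2:]      # skip the trailing \r\n
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unexpected RESP prefix %r" % kind)


def classify(ping_reply: Any) -> str:
    """Turn the reply to an unauthenticated PING into an exposure verdict."""
    if ping_reply == "PONG":
        return "unauthenticated"          # anyone reaching the port can run commands
    if isinstance(ping_reply, RedisError):
        msg = str(ping_reply)
        if msg.startswith("NOAUTH"):
            return "auth-required"        # requirepass / ACL users configured
        if msg.startswith("DENIED"):
            return "protected-mode"       # no password; only loopback is served
    return "unknown"


def check(host: str, port: int = 6379, timeout: float = 2.0) -> str:
    """Connect, send PING before any AUTH, and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(encode_command("PING"))
            reply, _ = parse_reply(s.recv(4096))
    except (OSError, ValueError):
        return "unreachable"
    return classify(reply)


if __name__ == "__main__":
    for target in ["192.0.2.20", "192.0.2.21"]:    # assumed inventory
        print(target, check(target))
```

Anything that comes back `unauthenticated` from a non-loopback address needs the usual redis.conf fixes before anything else: `bind` it to the interface that actually needs it, keep `protected-mode yes`, set `requirepass` (or ACL users on Redis 6+), and put it behind a firewall rule rather than on the Internet.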

2023-02-06

OpenSSH Releases Version 9.2/9.2p1 to Fix Security Issues

OpenSSH maintainers have released an updated version of the open-source implementation of the SSH protocol to fix three security issues. OpenSSH 9.2/9.2p1 includes a fix for a pre-authentication double-free memory vulnerability (CVE-2023-25136) in the server that was introduced in OpenSSH 9.1.

The Rest of the Week's News


2023-02-03

Surge in Google Ad Malvertising

Spamhaus researchers say they have seen a significant surge in malvertising affecting Google Ads. The spike involved ads impersonating well-known brands, including Adobe, Microsoft Teams, Thunderbird, Slack, and Tor.

Editor's Note

This spike seems to correlate with Microsoft's blocking Office macros by default in documents from the Internet. While Google is raising the bar on advertisers, threat actors are still finding ways to slip through. Detection is tricky, and your best defense is going to be a combination of ad blockers and encouraging users to only download software from known, verified sources.

Lee Neely

2023-02-06

Tallahassee Memorial Healthcare IT Systems Offline After “Security Issue”

Tallahassee (Florida) Memorial Healthcare (TMH) is diverting some Emergency Medical Services (EMS) patients to other hospitals following an “IT security issue.” The incident began late in the day on Thursday, February 2. TMH has taken its IT systems offline as a precautionary measure and is operating under electronic health record (EHR) downtime procedures.

2023-02-06

Alleged Vastaamo Hacker Arrested in France

Police in France have arrested Aleksanteri Tomminpoika Kivimäki (formerly Julius Kivimäki), a Finnish individual wanted for numerous cybercrimes. In 2020, Kivimäki allegedly leaked sensitive patient files stolen from Vastaamo Psychotherapy Center. Finnish authorities charged Kivimäki in absentia in October 2022 and issued an international warrant for his arrest.

2023-02-04

MITRE Releases Cyber Resiliency Engineering Framework Navigator

MITRE has released its Cyber Resiliency Engineering Framework (CREF) Navigator, which it describes as “a relational database of NIST SP 800-160 Volume 2 concepts that is searchable, visualizes resilience relationships & presents a Web UI while utilizing portable, opensource components to enable use in tools. The CREF Navigator distills tons of useful terms, tables, and relationships from the CREF/NIST SP 800-160 Volume 2 into an online tool.”

2023-02-03

Atlassian Advisory Warns of Critical Flaw in Jira Service Management Server and Data Center

Atlassian has released a security advisory warning of a critical authentication bypass issue (CVE-2023-22501) in Jira Service Management. The vulnerability affects Jira Service Management Server and Jira Service Management Data Center versions 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0. Users are urged to update to versions 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later. The vulnerability does not affect Atlassian Cloud sites.

2023-02-07

US National Science Foundation Seeking Comment on Federal Cybersecurity Research and Development Strategic Plan

The US National Science Foundation (NSF) has filed a Request for Information (RFI) seeking public comment on the 2023 Federal Cybersecurity Research and Development Strategic Plan. The plan must be updated every four years to comply with the Cybersecurity Enhancement Act of 2014. The RFI includes seven questions to consider when providing input. Comments will be accepted through March 3, 2023.

Internet Storm Center Tech Corner

Earthquake Scams

https://isc.sans.edu/diary/Earthquake+in+Turkey+and+Syria+Be+Aware+of+Possible+Donation+Scams/29518

APIs Used By Bots to Detect Public IP Addresses

https://isc.sans.edu/diary/APIs+Used+by+Bots+to+Detect+Public+IP+address/29516/

Assemblyline as a Malware Analysis Sandbox

https://isc.sans.edu/diary/Assemblyline+as+a+Malware+Analysis+Sandbox/29510

Ransomware Targeting VMware ESXi

https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/

Jira Service Management Server and Data Center Advisory CVE-2023-22501

https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html

A Novel State-of-the-Art Redis Malware

https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware

GoAnywhere MFT Zero-Day Exploited

https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/

OpenSSH Vulnerability Details CVE-2023-25136

https://blog.qualys.com/vulnerabilities-threat-research/2023/02/03/cve-2023-25136-pre-auth-double-free-vulnerability-in-openssh-server-9-1

OpenSSH Update

https://www.openssh.com/releasenotes.html

F5 BIG-IP Vulnerability CVE-2023-22374

https://my.f5.com/manage/s/article/K000130415