Newsletter For Second Week of February 2023


The Week In Ransomware – February 3rd 2023 – Ending With A Mess
While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers. The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs. The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign. What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.


TruthFinder, Instant Checkmate Confirm Data Breach Affecting 20M Customers
PeopleConnect, the owners of the TruthFinder and Instant Checkmate background check services, confirmed they suffered a data breach after hackers leaked a 2019 backup database containing the info of millions of customers. TruthFinder and Instant Checkmate are subscription-based services allowing customers to perform background checks on other people. When conducting background checks, the sites will use publicly scraped data, federal, state, and court records, criminal records, social media, and other sources.


Massive ESXiArgs Ransomware Attack Targets VMware ESXi Servers Worldwide
Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy a new ESXiArgs ransomware. Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.


Atlassian Warns Of Critical Jira Service Management Auth Flaw
A critical vulnerability in Atlassian’s Jira Service Management Server and Data Center could allow an unauthenticated attacker to impersonate other users and gain remote access to the systems. Atlassian explains that the security issue affects versions 5.3.0 through 5.5.0 and that hackers can get “access to a Jira Service Management instance under certain circumstances.”


Google Ads Push ‘Virtualized’ Malware Made For Antivirus Evasion
An ongoing Google Ads malvertising campaign is spreading malware installers that leverage KoiVM virtualization technology to evade detection when installing the Formbook data stealer. KoiVM is a plugin for the ConfuserEx .NET protector that obfuscates a program’s opcodes so that only its virtual machine understands them. Then, when the program is launched, the virtual machine translates the opcodes back to their original form so that the application can be executed.


Hackers Weaponize Microsoft Visual Studio Add-ins To Push Malware
Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as a method to achieve persistence and execute code on a target machine via malicious Office add-ins. The technique is an alternative to sneaking VBA macros that fetch malware from an external source into documents. Since Microsoft announced it would block the execution of VBA and XL4 macros in Office by default, threat actors have moved to archives (.ZIP, .ISO) and .LNK shortcut files to distribute their malware. However, using VSTO introduces an attack vector that allows building .NET-based malware and embedding it into an Office add-in.


New High-Severity Vulnerabilities Discovered In Cisco IOx And F5 BIG-IP Products
F5 has warned of a high-severity flaw impacting BIG-IP appliances that could lead to denial-of-service (DoS) or arbitrary code execution. “A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code,” the company said in an advisory. “In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary.” The flaw, tracked as CVE-2023-22374 (CVSS score: 7.5/8.5), was discovered and reported by Rapid7 security researcher Ron Bowes on December 6, 2022.


PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions
A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. “PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS (Automatic Transfer System), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks,” researchers Francesco Iubatti and Alessandro Strino said.


New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers
At least 1,200 Redis database servers worldwide have been corralled into a botnet using an “elusive and severe threat” dubbed HeadCrab since early September 2021. “This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers,” Aqua security researcher Asaf Eitani said in a Wednesday report. A significant concentration of infections has been recorded in China, Malaysia, India, Germany, the U.K., and the U.S. to date. The origins of the threat actor are presently unknown.


New SH1MMER Exploit For Chromebook Unenrolls Managed ChromeOS Devices
A new exploit has been devised to “unenroll” enterprise- or school-managed Chromebooks from administrative control. Enrolling ChromeOS devices makes it possible to enforce device policies as set by the organization via the Google Admin console, including which features are available to users. “Each enrolled device complies with the policies you set until you wipe or deprovision it,” Google states in its documentation.


The TechLab Cyber Security Team, responsible for monitoring, identifying, detecting, protecting, isolating, responding and recovering based on current threats, provides 24x7x365 services. TechLab Security specializes in various security products, projects, network devices, end-user devices, and systems.

The TechLab Cyber Security Team Major Responsibilities Are:
• Monitor, Analyze, Correlate & Escalate Intrusion Events,
• Develop Appropriate Responses; Protect, Detect, Respond,
• Conduct Incident Management and Forensic Investigation,
• Maintain Security Community Relationships,
• Various Cyber Security Consulting Services such as Penetration Testing, Vulnerability Assessment, PCI-DSS Compliance and ISO27001 implementation and Audit compliances,
• Assist in Crisis Operations.