Exploitation of VMware ESXi Vulnerability by Ransomware Gangs
Ransomware groups are actively exploiting a vulnerability in VMware ESXi, tracked as CVE-2024-37085, to gain administrative control over domain-joined hypervisors. Discovered by Microsoft researchers and patched in ESXi 8.0 U3, this medium-severity flaw allows attackers with sufficient Active Directory (AD) permissions to create an “ESX Admins” group. Once that group exists, its members are granted full admin privileges on the ESXi host, facilitating unauthorized access. Despite requiring high-level privileges and user interaction, several ransomware operators, including those linked to Black Basta and Akira, have used this vulnerability to steal sensitive data, move laterally within networks, and encrypt critical systems. The recent trend highlights a shift towards targeting ESXi virtual machines due to their role in hosting essential applications and data, causing significant operational disruptions when compromised. The rise in incidents involving ESXi hypervisors underscores the growing threat to virtualized environments.
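Because the abuse described above leaves a trace in Active Directory (a security group named “ESX Admins” being created, renamed into existence, or populated), the domain controller’s Security log is a natural place to detect it. The following is an added example, not code from the original article or from Microsoft or VMware: it runs a simple detection over a handful of constructed Windows Security events exported as JSON lines. The event IDs and field names (4727/4731/4754 for group creation, 4728/4732/4756 for member additions, 4781 for renames; SubjectUserName, TargetUserName, MemberName, OldTargetUserName, NewTargetUserName) are the standard Windows ones; the sample log content is invented for the demonstration, and the case-insensitive name match is a defensive choice, not something the article states.

```python
import json

# Group name to watch, compared case-insensitively (defensive assumption).
ESX_ADMINS = "esx admins"

# Windows Security event IDs: security group created (global/local/universal),
# member added to a security group, and account/group renamed.
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
GROUP_RENAMED = {4781}

# Constructed sample: one benign membership change, one group creation,
# one member addition to the new group, and one rename into the watched name.
SAMPLE_LOG = """
{"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "Domain Users", "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example"}
{"EventID": 4727, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"}
{"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"}
{"EventID": 4781, "SubjectUserName": "helpdesk1", "OldTargetUserName": "Helpdesk Tier2", "NewTargetUserName": "esx admins"}
""".strip()


def is_esx_admins(name):
    """True when a group name matches the watched name, ignoring case and padding."""
    return name.strip().lower() == ESX_ADMINS


def parse_events(log_text):
    """Parse one JSON object per line into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_esx_admins_activity(events):
    """Return (kind, actor, detail) tuples for events that create, populate,
    or rename a group into the watched 'ESX Admins' name."""
    findings = []
    for event in events:
        event_id = event.get("EventID")
        actor = event.get("SubjectUserName", "?")
        if event_id in GROUP_CREATED and is_esx_admins(event.get("TargetUserName", "")):
            findings.append(("group_created", actor, event["TargetUserName"]))
        elif event_id in MEMBER_ADDED and is_esx_admins(event.get("TargetUserName", "")):
            findings.append(("member_added", actor, event.get("MemberName", "?")))
        elif event_id in GROUP_RENAMED and is_esx_admins(event.get("NewTargetUserName", "")):
            findings.append(("group_renamed", actor, event.get("OldTargetUserName", "?")))
    return findings


if __name__ == "__main__":
    for kind, actor, detail in detect_esx_admins_activity(parse_events(SAMPLE_LOG)):
        print(f"ALERT {kind}: by {actor} ({detail})")
```

In a real environment the same three conditions translate directly into a SIEM rule; pairing the alert with a check that the ESXi hosts actually still honour the default group name (or have been patched to 8.0 U3) tells the responder whether the finding is an active privilege grant or merely a suspicious AD change.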
Black Basta Ransomware Adopts Advanced Evasive Tactics
The Black Basta ransomware gang has demonstrated resilience and adaptability by incorporating custom tools and sophisticated tactics to evade detection and proliferate within networks. Active since April 2022, Black Basta has executed over 500 successful attacks globally. Utilizing a double-extortion strategy, the gang combines data theft with encryption, demanding multimillion-dollar ransoms. Following the disruption of their initial access partner, the QBot botnet, by law enforcement, Black Basta formed new alliances to maintain their breach capabilities.
Tracked by Mandiant as UNC4393, the group has developed new malware, showcasing their evolution. Notable breaches this year include Veolia North America, Hyundai Motor Europe, and Keytronic. Post-QBot, they pivoted to distributing DarkGate and SilentNight malware via malvertising. Their shift from public tools to custom malware, like DawnCry and PortYard, illustrates their growing sophistication. Additional custom tools include CogScan, SystemBC, KnockTrock, and KnowTrap, highlighting their continuous threat to global cybersecurity.
Dark Angels Ransomware Scores Record $75 Million Payment
The Dark Angels ransomware gang achieved a milestone with a $75 million ransom payment from a Fortune 50 company, as reported by Zscaler ThreatLabz. This sum, confirmed by Chainalysis, surpasses the previous record of $40 million paid by CNA after an Evil Corp attack. The targeted company, unnamed but noted as a Fortune 50 entity, was attacked in early 2024. Speculation points to pharmaceutical giant Cencora, which faced a cyberattack in February 2024, though no confirmation has been received.
Dark Angels, operational since May 2022, breaches networks, steals data, and deploys their ransomware variant upon gaining administrative access. Initially using Babuk-based encryptors, the gang later adopted a Linux encryptor, akin to Ragnar Locker’s tool. They use a data leak site, ‘Dunghill Leaks,’ for extortion. The group’s “Big Game Hunting” strategy focuses on fewer, high-value targets for larger payouts, a trend increasingly popular among ransomware operators.
Microsoft Confirms Massive Azure Outage Caused by DDoS Attack
Microsoft has confirmed that a nine-hour outage on Tuesday, affecting multiple Microsoft 365 and Azure services globally, was the result of a distributed denial-of-service (DDoS) attack. The disruption impacted services such as Microsoft Entra, Intune, Power BI, Azure App Services, and the Azure portal.
According to a mitigation statement, the DDoS attack triggered Microsoft’s protection mechanisms, but an error in their implementation exacerbated the outage instead of mitigating it. Microsoft responded by making network configuration changes and rerouting traffic to alleviate the issue.
Initially attributed to an “unexpected usage spike,” the outage saw Azure Front Door and Azure Content Delivery Network components underperforming, causing errors and latency. Microsoft plans to release a Preliminary Post-Incident Review within 72 hours and a detailed Final Post-Incident Review within two weeks.
This incident follows previous DDoS attacks, including one by Anonymous Sudan in June 2023, and adds to a series of significant outages impacting Microsoft services over the past two years.
World-Leading Silver Producer Fresnillo Discloses Cyberattack
Fresnillo PLC, the world’s largest silver producer and a leading producer of gold, copper, and zinc, has disclosed a cyberattack resulting in unauthorized access to its IT systems and data. In a filing with the London Stock Exchange on Tuesday, the mining giant reported the breach but assured that its operations remain unaffected and no significant financial or material impact is expected.
Upon detecting the breach, Fresnillo implemented response measures and engaged external forensic experts to investigate and assess the incident’s impact. The company emphasized its commitment to cybersecurity and ongoing efforts to resolve the situation.
Fresnillo operates eight mines in Mexico and holds mining concessions and exploration projects in Mexico, Peru, and Chile. Despite the cyberattack, all business units continue their activities without disruption. The company’s proactive approach aims to mitigate any potential risks and ensure business continuity.
This incident follows similar breaches in the mining sector, highlighting the growing cybersecurity threats faced by major industry players.
Sitting Ducks DNS Attacks Hijack Over 35,000 Domains
Hackers have hijacked more than 35,000 domains through Sitting Ducks attacks, exploiting registrar configuration flaws and weak ownership verification by DNS providers. These attacks allow criminals to claim domains without access to the owner’s account, leveraging misconfigured DNS settings.
Infoblox and Eclypsium researchers found over a million domains vulnerable to such attacks daily. Despite being identified in 2016, this method remains a simpler alternative to other domain hijacking techniques.
Key conditions include using different providers for registration and DNS services, lame delegation (the domain’s delegated nameservers do not actually serve the zone), and lax domain claiming processes by DNS providers. Russian cybercriminal groups have used these tactics for spam, scams, malware, and phishing.
GoDaddy is among the affected, with ongoing vulnerabilities at several DNS providers. Infoblox and Eclypsium have tracked these attacks since 2018, with domains hijacked for short to extended periods.
Domain owners should regularly update DNS configurations, and registrars need proactive checks and alerts. Regulators must enforce stricter DNS security standards to prevent such attacks.
Hackers Breach ISP to Poison Software Updates with Malware
The Chinese hacking group StormBamboo compromised an unnamed internet service provider (ISP) to inject malware into automatic software updates. Active since 2012, StormBamboo, also known as Evasive Panda, Daggerfly, and StormCloud, targets organizations in China, Hong Kong, Macao, Nigeria, and Southeast and East Asia.
Volexity researchers revealed that StormBamboo exploited insecure HTTP update mechanisms to deploy malware on Windows and macOS devices. The adversary intercepted DNS requests, redirecting them to malicious IP addresses and delivering malware from their command-and-control servers.
For example, they compromised 5KPlayer’s update requests to install a backdoored version. Once infected, systems had a malicious Chrome extension, ReloadText, installed to steal cookies and mail data.
Volexity noted that StormBamboo targeted multiple software vendors using insecure update processes. The ISP, in collaboration with Volexity, rebooted network components to stop the DNS poisoning. This attack follows similar tactics observed in 2023 and 2024 against NGOs and organizations.
Surge in Magniber Ransomware Attacks Impacts Home Users Worldwide
A new Magniber ransomware campaign is encrypting home users’ devices globally, demanding ransoms starting at $1,000. Active since 2017, Magniber spreads through Windows zero-days, fake updates, and trojanized software cracks.
Recent infections have surged, with nearly 720 cases reported since July 20. Victims report encryption after running software cracks. The ransomware appends random extensions to files and leaves a READ_ME.htm ransom note with payment instructions. Ransoms increase to $5,000 if not paid within three days.
No free decryption is available for current versions. Users are advised to avoid illegal software cracks to prevent infection. Affected individuals can seek help on dedicated support forums.
Conclusion
In conclusion, the cyber landscape is fraught with various threats, from zero-day vulnerabilities to ransomware attacks and phishing campaigns. Staying vigilant and implementing robust security measures is essential to safeguard sensitive data.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today.