Security
Headlines
HeadlinesLatestCVEs

Headline

Akira ransomware continues to evolve

As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group’s attack chain, targeted verticals, and potential future TTPs.

TALOS
#vulnerability#web#ios#mac#windows#linux#cisco#git#intel#c++#rce#perl#vmware#auth#ssh#ssl

Akira continues to cement its position as one of the most prevalent ransomware operations in the threat landscape, according to Cisco Talos’ findings and analysis.

Their success is partly due to the fact that they are constantly evolving. For example, after Akira already developed a new version of their ransomware encryptor earlier in the year, we just recently observed another novel iteration of the encryptor targeting Windows and Linux hosts alike.

Previously, Akria typically employed a double-extortion tactic in which critical data is exfiltrated prior to the compromised victim systems becoming encrypted. Beginning in early 2024, Akira appeared to be sidelining the encryption tactics, focusing on data exfiltration only. We assess with low to moderate confidence that this shift was due in part to the developers taking time to further retool their encryptor.

During this period, we began to see Akira ransomware-as-a-service (RaaS) operators developing a Rust variant of their ESXi encryptor, iteratively building on the payload’s functions while moving away from C++ and experimenting with different programming techniques.

Most recently, we have observed a potential shift back to previous encryption methods, in conjunction with data theft extortion tactics.

Returning to this approach leverages the reliability of tested encryption techniques, while simultaneously capitalizing on data theft for additional leverage. Pivoting to a previously effective strategy post-language reimplementation with v2 indicates a refocus on stability and efficiency in affiliate operations.

We anticipate Akira will continue refining its tactics, techniques, and procedures (TTPs), developing its attack chain, adapting to shifts in the threat landscape, and striving for greater effectiveness in its RaaS operations, targeting both Windows and Linux-based enterprise environments.

Members of our team will be delving into this prickly threat actor presenting at the upcoming MITRE ATT&CKCon 5.0 in ‘GoGo Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK’. Join us as we uncover findings about the TTPs employed by this developing threat actor, dissect their attack chain, and actionable intelligence is vital in the threat protection pipeline.

“The future is not a straight line. It is filled with many crossroads” Kiyoko

**2024 attack chain: Leveraging exposed network appliances and vulnerable systems for rapid compromise **

As Akira continuously refines its ransomware, affiliates are equally proactive in selecting and exploiting new vulnerabilities for initial access, adapting their tactics in tandem. They leverage newly disclosed CVEs, not only to breach networks but also to escalate privileges and move laterally within compromised environments. This allows them to establish a greater foothold to swiftly deploy encryption and exfiltrate victim data for extortion.

Akira ransomware operators have utilized a variety of common infection vectors to gain initial access to targeted networks, often favoring the use of compromised VPN credentials.

Most recently, Akira ransomware affiliates have been observed targeting network appliances vulnerable to CVE-2024-40766, an exploit in the SonicWall SonicOS facilitating remote code execution on the vulnerable device. Security researchers found that software on the affected systems was vulnerable to this exploit, suggesting affiliates’ swift capitalization on exposed systems.

Additional vulnerabilities leveraged by affiliates throughout 2024 include:

  • CVE-2020-3259 and CVE-2023-20263: In similar Cisco security appliance exploits leveraged in early 2024, Akira was observed abusing a flaw in Cisco Adaptive Security Appliance (ASA) with CVE-2020-3259 and CVE-2023-20263 via Firepower Threat Defense (FTD) software that allowed attackers to execute arbitrary code, after initial access was established post Cisco AnyConnect SSL VPN compromise.
  • CVE-2023-48788: Exposed and vulnerable FortiClientEMS software abuse by Akira was observed for initial access, enabling lateral movement and privilege escalation.

Once initial access is established, Akira operators utilize PowerShell scripts to conduct credential harvesting and privilege escalation, such as extracting Veeam backup credentials and dumping Kerberos authentication credentials. Additionally, we often see affiliates delete system shadow copies to obstruct file recovery via Windows Management Instrumentation (WMI): “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”.

Operators typically utilize RDP connections and lateral tool transfers to move through the network and employ a variety of defense evasion techniques, such as binary padding, matching legitimate name or location taxonomy, and disabling or modifying security tools.

In an attack targeting a Latin American airline in June 2024, RaaS operators were able to exploit key vulnerable services and deploy the ransomware payload in a manner that drastically reduced the time to exfiltrate data. Initially gaining access via Secure Shell (SSH), it was reported that the adversary obtained access to the vulnerable Veeam backup server likely via CVE-2023-27532, resulting in the access of encrypted credentials stored in the configuration database. This foothold facilitated the swift deployment of the Akira ransomware variant and exfiltration of sensitive data.

Akira ransomware affiliates have actively exploited several additional critical vulnerabilities in 2024 after achieving initial compromise, capitalizing on unpatched vulnerabilities in widely used network appliances and software to establish persistence and move laterally:

  • CVE-2023-20269: Akira affiliates were suspected of targeting this vulnerability in Cisco VPN services. The exploit leverages an unauthorized access vulnerability in the remote access VPN feature of ASA and FTD software due to a misconfiguration of improper separation of authentication, authorization, and accounting (AAA) on the device.
  • CVE-2024-37085: VMware ESXi vulnerability enabling unauthorized access to the hypervisor’s management interface, which can lead to full control over virtual machines once the adversary has established sufficient Active Directory Permissions.
  • CVE-2024-40711: Akira ransomware was recently seen deployed post exploitation of the Veeam backup and replication service by triggering “Veeam.Backup.MountService.exe” to spawn “net.exe” and create local accounts for privilege escalation and persistence.

In terms of victimology, we assess that throughout 2024, Akira has targeted a significant number of victims, with a clear preference for organizations in the manufacturing and professional, scientific, and technical services sectors, based on our analysis of Akira’s data leak site.

**A look at the previous Akira v2 ESXi encryptor **

Akira pivoted from their traditional TTPs at the end of 2023 and developed a new Linux encryptor. In March 2024, we shared findings with intelligence partners generated from a Cisco Talos Incident Response (Talos IR) engagement, which documented the newly discovered Akira_v2 and the co-occurring deployment of the adversaries’ Megazord encryptor.

Post-encryption, we witnessed the Linux ESXi variant appended with a novel encrypted storage file extension “akiranew” dropping a ransom note in each of the directories where files were encrypted with a new nomenclature, “akiranew.txt”. We discovered two additional samples of the Akira_v2 variant (version 2024.1.30) on VirusTotal that included additional modifications to extend its command line argument capabilities, highlighting further evolution in the malware’s development.

Arguments

Description

–path <string>

Start path. Default value: /vmfs/volumes

–id <string>

Build ID

–stopvm

Stop VMs

–vmonly

Crypt only .vmdk, .vmem, .vmx, .log, .vswp, .vmsd, .vmsn files

–threads <int>

Number of threads (1-1000). Default: number of logical CPU cores

–ep <int>

Percent of crypt. Default - 15%

–fork

Work in background

–logs <string>

Print logs. Valid values for: trace, debug, error, info, warn. Default: off

–exclude <string>

Skip files by “regular” extension. Example: --exclude="startfilename(.*).(.*)" using this regular expression will skip all files starting with startfilename and having any extensions. Multiple regular expressions using “|” can also be processed: --exclude="(win10-3(.*).(.*))|(win10-4(.*).(.*))|(win10-5(.*).(.*))"

-h, --help

Show help

The original Linux encryptor was written in C++, with Akira leveraging the Crypto++ library for encryption processes, whereas the v2 Rust variant makes use of rust-crypto 0.2.36 library crate for encryption processes.

The Build ID for the v2 (version 2024.1.30) was found at offset 0x41970 for 10 bytes.

In the v2 version targeting ESXi hosts, by default, the encryptor targets the “/vmfs/volumes/” path and will navigate into subdirectories. If this path does not exist or a path is not specified, the ransomware will fail to execute.

**Akira (The Return) to old TTPs **

From our recent analysis, we suspect that Akira may be transitioning from the use of the Rust-based Akira v2 variant and returning to previous TTPs using Windows and Linux encryptors written in C++. This could be because of a potential refocus on incremental iterations with stability and reliability in their operations over innovation. The cross-platform consistency indicates the adversaries’ focus on an adaptable payload, enabling the threat actor to target multiple operating systems with minimal changes.

In early September 2024, we identified multiple new ransomware samples written in C++, where encrypted files are given the “.akira” extension and a ransom note named “akira_readme.txt” is dropped on the device, consistent with pre-August 2023 versions of the Akira ransomware group’s encryptor. These findings support our assessment of a tactical pivot, signaling a deliberate return to effective techniques, consistent with public reporting on the threat actors’ initial Linux variant.

We assess with moderate confidence that the Megazord variant, previously used by the threat actor targeting Windows environments, alongside Akira v2 for Linux, has gradually faded away, further supporting a consolidation of tooling by the adversary.

The newly observed Windows variant has been updated and appears to substitute the previously seen -remote argument for -localonly and --exclude and excludes paths, including “$Recycle.Bin” and “System Volume Information”, in the encryption process. Within the Linux variant, the –fork argument, which creates a child process for encryption, is still included along with the --exclude argument.

Analysis of the recent binaries suggests that the threat actor has pivoted to utilizing the ChaCha8 stream cipher. The ChaCha8 algorithm is faster and more efficient than the previously leveraged ChaCha20 in Akira v_2 due to the reduced number of quarter-round operations in the cipher, possibly indicating a further focus on swift encryption and exfiltration operations such as seen in recent Akira attacks.

New extensions targeted in recently observed Linux variants:

.4d

.abd

.abx

.ade

.ckp

.db

.dd

dpl

.dx

.edb

.fo

.ib

.idb

.mdn

.mud

.nv

.pdb

.sq

.te

.ud

.vdh

Both newly observed encryptor variants employ exclusion paths that ignore identical Windows directories before the encryption process, a return to previous TTPs by the adversary.

tmp

wint

temp

thumb

$Recycle.Bin

$RECYCLE.BIN

System Volume Information

Boot

Windows

Trend Micro

**
Future developments in Akira’s TTPs **

Future campaigns are likely to see Akira continuing to prioritize the exploitation of high-impact CVEs while reinforcing its double extortion model to increase ransom leverage.

The exploration of the Rust programming language in recent Linux encryptors signals the threat actor’s willingness to experiment with different coding frameworks, potentially leading to more developed and resilient ransomware variants. While the return to an earlier variant indicates a potential tactical shift from this code migration, it also demonstrates that the developers remain highly adaptable, willing to reemploy tried-and-tested techniques when necessary to ensure operational stability. Pragmatic adaptability is providing significant advantages for ransomware groups operating in a dynamic threat landscape, as it allows them to maintain a robust and reliable codebase while continually seeking new ways to evade detection and enhance functionality.

It is possible that Akira’s pivot to pure data-theft extortion at the end of 2023 and beginning of 2024 was a temporary shift during the codebase refactoring, allowing the group to maintain pressure on victims and generate revenue while developmental resources were allocated to refining the encryptor’s functionality.

We assess that Akira and its affiliates will continue prioritizing attacks against VMWare’s ESXi and Linux environments throughout 2024, echoing a broader trend observed across the ransomware landscape. Adversary targeting of these platforms is driven by their prevalence in enterprise infrastructure, hosting critical infrastructure and high-value data, and their capacity for mass encryption and disruption with minimal lateral movement. Targeting ESXi and Linux hosts allows ransomware operators to compromise multiple virtual machines and critical workloads simultaneously, maximizing operational impact while bypassing traditional endpoint security controls.

  • Virtualization is essential to large-scale deployments of cloud computing and storage resources, making ransomware attacks on ESXi hypervisors highly disruptive.
  • Encrypting the ESXi file system provides rapid, widespread data encryption, minimizing the need for extensive lateral movement and credential theft, due to the ease of encrypting a single vmdk, rather than all the files.
  • ESXi hypervisors often lack comprehensive security protection due to security department overhead, making them attractive targets for ransomware operators seeking fruitful targets.

**Recommendations **

Conduct regular vulnerability assessments and timely application of security patches to identify outdated software versions and unpatched vulnerabilities on ESXi hosts and implement a formal threat-informed patch management policy that includes a defined prioritization and schedule for routine updates and emergency patching of critical vulnerabilities.

Implement strict password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security.

Deploy a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events, in addition to the deployment of EDR/XDR solutions on all clients and servers to provide advanced threat detection, investigation, and response capabilities.

Enable secure configuration and access controls to limit access to ESXi management interfaces such as by restricting them to trusted IPs, enforcing MFA, and ensuring role-based access control (RBAC) is properly configured.

Disable unnecessary WMI access by restricting or disabling WMI access for non-administrative users, and monitor/audit WMI commands, particularly those related to shadow copy deletion.

Credential dumping prevention via implementing Windows Defender Credential Guard to protect Kerberos ticket data and prevent credential dumping from the Local Security Authority (LSA), ensuring to audit and apply necessary configuration changes to applications/plug-ins that aren’t compatible due to reliance on direct access to user credentials.

**Coverage **

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from theFirewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs for this threat:

Snort3: 300924

Snort3 Rules: 1:301007:1:0

Snort2: 63541, 63540

Snort2 Rules: 1:63976:1:0, 1:63977:1:0

ClamAV detections are also available for this threat:

Multios.Ransomware.Akira-10036536-0

Multios.Ransomware.Megazord-10021030-1

**IOCs **

Windows (The Return)

78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0

2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77

88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2

566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739

ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5

87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42

Linux (The Return)

3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30

abba655df92e99a15ddcde1d196ff4393a13dbff293e45f5375a2f61c84a2c7b

a546ef13e8a71a8b5f0803075382eb0311d0d8dbae3f08bac0b2f4250af8add0

6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84

43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72

8e9a33809b9062c5033928f82e8adacbef6cd7b40e73da9fcf13ec2493b4544c

bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a

3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30

Windows v1

678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33

6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360

3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc

5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5

Megazord

dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198

28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e

a6b0847cf31ccc3f76538333498f8fef79d444a9d4ecfca0592861cf731ae6cb

b55fbe9358dd4b5825ce459e84cd0823ecdf7b64550fe1af968306047b7de5c9

c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0

0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d

95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a

e3fa93dad8fb8c3a6d9b35d02ce97c22035b409e0efc9f04372f4c1d6280a481

68d5944d0419bd123add4e628c985f9cbe5362ee19597773baea565bff1a6f1a

8816caf03438cd45d7559961bf36a26f26464bab7a6339ce655b7fbad68bb439

c0c0b2306d31e8962973a22e50b18dfde852c6ddf99baf849e3384ed9f07a0d6

7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be

2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83

9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c

9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065

131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07

Akira_v2:

3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75

0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c

Related news

Talos IR trends Q3 2024: Identity-based operations loom large

Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance - read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions.

Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices […]

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

Hi there! Here’s your quick update on the latest in cybersecurity. Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe. Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware

Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware. Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware. CVE-2024-40711, rated 9.8 out of 10.0 on the

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks. On September 24, there were no signs of this vulnerability being exploited in the wild. And on October 10, Sophos X-Ops reported that they had observed a series of attacks exploiting this vulnerability over the course of a month. The attackers’ goal was to install Akira […]

1 PoC Exploit for Critical RCE Flaw, but 2 Patches From Veeam

The first patch lets threat actors with low-level credentials still exploit the vulnerability, while the second fully resolves the flaw.

Amateurish 'CosmicBeetle' Ransomware Stings SMBs in Turkey

With an immature codebase and a "rather chaotic encryption scheme" prone to failure, the group targets small businesses with custom malware.

CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub

The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub. "CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved," ESET researcher Jakub

Akira Ransomware Actors Exploit SonicWall Bug for RCE

CISA has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog.

SonicWall Urges Users to Patch Critical Firewall Flaw Amid Possible Exploitation

SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible. The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10. "An improper access control vulnerability has been identified in the SonicWall SonicOS management

Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues

Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution. The list of shortcomings is below - CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution. CVE-2024-42024 (CVSS score: 9.1

RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors

Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said. The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services,

BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave

The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerable drivers to disarm security protections. "The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its

BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks

In recent investigations, Talos Incident Response has observed the BlackByte ransomware group using techniques that depart from their established tradecraft. Read the full analysis.

SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access

SonicWall has released security updates to address a critical flaw impacting its firewalls that, if successfully exploited, could grant malicious actors unauthorized access to the devices. The vulnerability, tracked as CVE-2024-40766 (CVSS score: 9.3), has been described as an improper access control bug. "An improper access control vulnerability has been identified in the SonicWall SonicOS

Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs

With sufficient privileges in Active Directory, attackers only have to create an "ESX Admins" group in the targeted domain and add a user to it.

VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host. "A

IR Trends: Ransomware on the rise, while technology becomes most targeted sector

Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row.

New Ransomware Group Exploiting Veeam Backup Software Vulnerability

A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware. Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities. Initial access to the target

Talos IR trends: BEC attacks surge, while weaknesses in MFA persist

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.

FortiNet FortiClient EMS 7.2.2 / 7.0.10 SQL Injection / Remote Code Execution

A remote SQL injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server) versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10. FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized platform for overseeing enrolled endpoints. The SQL injection vulnerability is due to user controller strings which can be sent directly into database queries. FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013 and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database. In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable to SQL injection. It can be used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code execution in the context of NT AUTHORITY\SYSTEM. Upgrading to either 7.2.3, 7.0.11 or above is recommended by Fo...

February 2024: Vulremi, Vuldetta, PT VM Course relaunch, PT TrendVulns digests, Ivanti, Fortinet, MSPT, Linux PW

Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]

Medusa Ransomware on the Rise: From Data Leaks to Multi-Extortion

The threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands. “As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their

Ransomware review: October 2023

Categories: Threat Intelligence In September, two high-profile casino breaches taught us about the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation. (Read more...) The post Ransomware review: October 2023 appeared first on Malwarebytes Labs.

Apple, Microsoft, and Google Just Fixed Multiple Zero-Day Flaws

Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.

CVE-2023-20263: Cisco Security Advisory: Cisco HyperFlex HX Data Platform Open Redirect Vulnerability

A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website.

CVE-2023-20269: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability

A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote a...

New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools

Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's

Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks

The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest. "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load

Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware

Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil

CVE-2023-27532: KB4424: CVE-2023-27532

Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

TALOS: Latest News

Welcome to the party, pal!