Generative AI combined with user awareness training creates a security alliance that can let organizations work protected from ChatGPT.

ChatGPT has taken the world by storm since late November, sparking legitimate concerns about its potential to amplify the severity and complexity of the cyber-threat landscape. The generative AI tool's meteoric rise marks the latest development in an ongoing cybersecurity arms race between good and evil, where attackers and defenders alike are constantly in search of the next breakthrough AI/ML technologies that can provide a competitive edge.

This time around, however, the stakes have been raised. As a result of ChatGPT, social engineering is now officially democratized — expanding the availability of a dangerous tool that enhances a threat actor's ability to bypass stringent detection measures and cast wider nets across the hybrid attack surface.

**Casting Wide Attack Nets**

Here's why: Most social engineering campaigns are reliant upon generalized templates containing common keywords and text strings that security solutions are programmed to identify and then block. These campaigns, whether carried out via email or collaboration channels like Slack and Microsoft Teams, often take a spray-and-pray approach resulting in a low success rate.

But with generative AIs like ChatGPT, threat actors could theoretically leverage the system's Large Language Model (LLM) to stray away from universal formats, instead automating the creation of entirely unique phishing or spoofing emails with perfect grammar and natural speech patterns tailored to the individual target. This heightened level of sophistication makes any average email-borne attack appear far more credible, in turn making it far more difficult to detect and prevent recipients from clicking a hidden malware link.

However, let's be clear that ChatGPT _doesn't_ signify the death sentence for cyber defenders that some have made it out to be. Rather, it's the latest development in a continuous cycle of evolving threat actor tactics, techniques, and procedures (TTPs) that can be analyzed, addressed, and alleviated. After all, this isn't the first time we've seen generative AIs exploited for malicious intent; what separates ChatGPT from the technologies that came before it is its simplicity of use and free access. With OpenAI likely moving to subscription-based models requiring user authentication coupled with enhanced protections, defending against ChatGPT attacks will ultimately come down to one key variable: fighting fire with fire.

**Beating ChatGPT at Its Own Game**

Security operation teams must leverage their own AI-powered large language models (LLMs) to combat ChatGPT social engineering. Consider it the first _and_ last line of defense, empowering human analysts to improve detection efficiency, streamline workflows, and automate response actions. For example, an LLM integrated within the right enterprise security solution can be programmed to detect highly sophisticated social engineering templates generated by ChatGPT. Within seconds of the LLM identifying and categorizing a suspicious pattern, the solution flags it as an anomaly, notifies a human analyst with prescribed corrective actions, and then shares that threat intelligence in real-time across the organization's security ecosystem.

The benefits are the reason why the rate of AI/ML adoption across cybersecurity has accelerated in recent years. In IBM's 2022 "Cost of a Data Breach" report, companies that leveraged an AI-driven security solution alleviated attacks 28 days faster, on average, and reduced financial damages by more than $3 million. Meanwhile, 92% of those polled in Mimecast's 2022 "State of Email Security" report indicated they were already leveraging AI within their security architectures or planned on doing so in the near future. Building on that progress with a stronger commitment to leveraging AI-driven LLMs should be an immediate focus moving forward, as it's the only way to keep pace with the velocity of ChatGPT attacks.

**Iron Sharpens Iron**

The applied use of AI-driven LLMs like ChatGPT can also enhance the efficiency of black-box, gray-box, and white-box penetration testing, which all require a significant amount of time and manpower that strained IT teams lack amidst widespread labor shortages. Considering time is of the essence, LLMs offer an effective methodology for streamlining pen-testing processes — automating the identification of optimal attack vectors and network gaps without relying on previous exploit models that often become outdated as the threat landscape evolves.

For example, within a simulated environment, a "bad" LLM can generate tailored email text to test the organization's social engineering defenses. If that text bypasses detection and reaches its intended target, the data can be repurposed to train another "good" LLM on how to identify similar patterns in real-world environments. This helps to effectively inform both red and blue teams on the intricacies of combating ChatGPT with generative AI, while also providing an accurate assessment of the organization's security posture that allows analysts to bridge vulnerability gaps before adversaries capitalize on them.

**The Human Error Effect**

It's important to remember that only investing in best-of-breed solutions isn't a magic bullet to safeguard organizations from sophisticated social engineering attacks. Amidst the societal adoption of cloud-based hybrid work structures, human risk has emerged as a critical vulnerability of the modern enterprise. More than 95% of security breaches today, a majority of which are the result of social engineering attacks, involve some degree of human error. And with ChatGPT expected to increase the volume and velocity of such attacks, ensuring hybrid employees follow safe practices regardless of where they work should be considered nonnegotiable.

That reality heightens the importance of implementing user awareness training modules as a core component of their security framework — employees who receive consistent user awareness training are five times more likely to identify and avoid malicious links. However, according to a 2022 Forrester report, "Security Awareness and Training Solutions," many security leaders lack extensive understanding of how to build a culture of security awareness and revert to static, one-size-fits-all employee training to measure engagement and influence behavior. This approach is largely ineffective. For training modules to resonate, they must be scalable and personalized with entertaining content and quizzes that align with employees' areas of interest and learning styles.

Combining generative AI with well-executed user awareness training creates a robust security alliance that can enable organizations to work protected from ChatGPT. Don't worry cyber defenders, the sky isn't falling. Hope remains on the horizon.

Why ChatGPT Isn't a Death Sentence for Cyber Defenders

Legal experts say a key law should already prevent brokers from collecting and selling data that's weaponized against vulnerable people.

The letter also points to databases maintained by the British multinational RELX and the Canadian conglomerate Thomson Reuters, which, according to CUNY law professor Sarah Lamdan, author of _Data Cartels: The Companies That Control and Monopolize Our Information_, contain dossiers on roughly two-thirds of the US population, tracing their whereabouts and mapping social and familial relationships. 

In 2020 alone, data brokers extracted some $29 million while vying to undermine legislative efforts to rein in their industry, according to lobbying disclosures unearthed by The Markup. 

While many major data collectors acknowledge falling under the jurisdiction of the FCRA, others have evaded regulatory scrutiny by relying on what the lawyers petitioning Chopra deem erroneous legal analysis. Other firms partition their products and the surveillant data they gather to exempt from compliance what the credit reporting industry calls “header information,” traditionally consisting of people’s names, birth dates, and Social Security numbers, in addition to phone and residential histories. This, even when that data is derived from sources clearly subject to the law. 

“Data brokers are packaging the same personal data points about us into different products for sale and then claiming that certain products are beyond the reach of key legal protections,” says Laura Rivera, an attorney with Just Futures Law. “It’s dishonest, exploitative, and it leads to real harm to consumers of all backgrounds, but especially low-income communities of color, including immigrants.”

“In advocating for coverage of data brokers, we're simply asking the CFPB to restore the scope of the Act as Congress originally intended,” adds Chi Chi Wu, a staff attorney at the National Consumer Law Center, who identified a series of constricting court rulings over the years with watering the FCRA down. 

Historically disadvantaged communities face the brunt of the harm, Wu says, pointing to the sale of information on some of America’s poorest communities to predatory “payday” lenders. In fact, data brokers derive significant profit from businesses whose whole purpose is identifying consumers who face financial instability. A 2013 US Senate report noted, for example, that these purchases were often made by companies that “sell high-cost loans and other financially risky products”—unscrupulous businesses making bread and butter out of the economically vulnerable, including widows. 

Companies playing fast and loose with personal data have drawn the ire of consumer protectionists and Capitol Hill privacy hawks for years, leading to meager gains for consumers. In 2021, a slew of utility companies that had long pilfered cable, phone, and energy customers of sensitive data for their own profit agreed to end the practice of selling it to Thomas Reuters, which had, in turn, supplied it to government agencies and police, including US Immigration and Customs Enforcement. 

“Selling personal information that people provide to sign up for power, water, and other necessities of life, and giving them no choice in the matter, is an egregious abuse of consumers’ privacy,” Senator Ron Wyden, a Democrat of Oregon and leading government-surveillance critic, said in a letter to Chopra at the time. 

The US’s Defense Intelligence Agency, Defense Counterintelligence and Security Agency, and Customs and Border Protection (CBP) are among a wide range of federal agencies known to purchase Americans' private data, including that which law enforcement agencies would normally require probable cause to obtain. The US Supreme Court ruled in 2018 that police and intelligence agencies had no right to compel businesses to turn over location data derived from cellphones and other devices without a legal warrant. 

The decision did little to stop the government from sidestepping the courts. The Justice Department, the Office of the Director of National Intelligence, the Pentagon, and hundreds if not thousands of state and local police agencies have interpreted the ruling as having placed no restrictions on their ability to simply buy location data.

How the US Can Stop Data Brokers' Worst Practices—Right Now

A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine.
Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.
"The malware is written in Go and is designed to harvest a wide

Threat Intelligence / Data Safety

A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine.

Dubbed **Graphiron** by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as **Nodaria**, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.

"The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files," the Symantec Threat Hunter Team said in a report shared with The Hacker News.

Nodaria was first spotlighted by CERT-UA in January 2022, calling attention to the adversary's use of SaintBot and OutSteel malware in spear-phishing attacks targeting government entities.

The group, which is said to be active since at least April 2021, has since repeatedly deployed custom backdoors such as GraphSteel and GrimPlant in various campaigns since Russia's military invasion of Ukraine. Select intrusions have also entailed the delivery of Cobalt Strike Beacon for post-exploitation.

Graphiron, the latest program added to the group's arsenal, is an improved version of GraphSteel, packing in features to run shell commands and harvest system information, files, credentials, screenshots, and SSH keys.

Another notable aspect is that while GraphSteel and GrimPlant made use of Go version 1.16, Graphiron relies on version 1.18, which officially shipped in March 2022. This also suggests that Graphiron is a more recent development.

Furthermore, an analysis of the infection chains reveals the presence of two stages, a downloader that's responsible for retrieving an encrypted payload containing the Graphiron malware from a remote server.

With the latest findings, Nodaria joins another Russian state-sponsored group referred to as Gamaredon in extensively singling out Ukraine.

"While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group's high-level activity over the past year suggests that it is now one of the key players in Russia's ongoing cyber campaigns against Ukraine," Symantec said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Using Graphiron Malware to Steal Data from Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert warning of cyber attacks against state authorities in the country that deploy a legitimate remote access software named Remcos.
The mass phishing campaign has been attributed to a threat actor it tracks as UAC-0050, with the agency describing the activity as likely motivated by espionage given the toolset employed.
The

Threat Intelligence / Cyber War

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert warning of cyber attacks against state authorities in the country that deploy a legitimate remote access software named Remcos.

The mass phishing campaign has been attributed to a threat actor it tracks as **UAC-0050**, with the agency describing the activity as likely motivated by espionage given the toolset employed.

The bogus emails that kick-start the infection sequence claim to be from Ukrainian telecom company Ukrtelecom and come bearing a decoy RAR archive. Of the two files present in the file, one is a password-protected RAR archive that's over 600MB and the other is a text file containing the password to open the RAR file.

Embedded within the second RAR archive is an executable that leads to the installation of the Remcos remote access software, granting the attacker full access to commandeer compromised computers.

Remcos, short for remote control and surveillance software, is offered by Breaking Security either for free or as a premium version that costs anywhere between €58 and €945.

The Italian company calls it a "lightweight, fast and highly customizable Remote Administration Tool with a wide array of functionalities."

The latest CERT-UA advisory comes as the State Cyber Protection Centre (SCPC) of Ukraine pointed fingers at a Russian state-sponsored threat actor known as Gamaredon for its targeted assaults aimed at public authorities and critical information infrastructure.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CERT-UA Alerts Ukrainian State Authorities of Remcos Software-Fueled Cyber Attacks

Biden’s speech proves that protecting personal info is no longer a fringe issue. Now, Congress just needs to do something about it.

The European Union’s General Data Protection Regulation, enacted in 2018, provides far-from-perfect data privacy protection, but it stands in stark contrast to the legislative dearth in the United States, where there are no comprehensive federal data privacy laws on the books. In his second State of the Union address, though, US President Joe Biden devoted more attention than ever to the need for such a measure. 

With political control of the US Congress now split, Biden asserted that a data privacy law could garner bipartisan support. It's an idea that has been gaining traction in recent years, and the mention of data privacy issues in Tuesday’s State of the Union sets a precedent that the topic should be of real concern to US presidents and the public.

“We must finally hold social media companies accountable for experimenting they’re doing \[on\] children for profit,” Biden said during his speech, garnering a standing ovation from members of both parties. “It’s time to pass bipartisan legislation to stop Big Tech from collecting personal data on our kids and teenagers online. Ban targeted advertising to children and impose stricter limits on the personal data that companies collect on all of us.”

Previous US presidents rarely mentioned data privacy in the State of the Union. Former president Donald Trump never mentioned the topic in any of his annual addresses. Former president Barack Obama mentioned the topic only once during the 2014 State of the Union, following revelations about the previously undisclosed scale and scope of the National Security Agency’s bulk surveillance programs. He said then: “Working with this Congress, I will reform our surveillance programs—because the vital work of our intelligence community depends on public confidence, here and abroad, that the privacy of ordinary people is not being violated.”

In his first State of the Union, in 2022, Biden talked about data privacy as it pertains to protecting children. “It’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children,” he said at the time. 

Biden’s remarks this year went further, signaling a shift in mainstream understanding about the urgency of improving data privacy protection in the US. Whether the step will lead to productive action in 2023, though, is less clear. In his remarks, Biden called for cooperation among lawmakers—a dynamic lacking in both chambers on Capitol Hill. “To my Republican friends, if we could work together in the last Congress, there is no reason we can’t work together and find consensus on important things in this Congress as well,” he said. 

All parts of the US political spectrum would likely agree that the previous Congress was not exactly a shining example of a high-functioning, collaborative legislative branch. By including a mention of data privacy in the State of the Union, Biden is adding extra pressure on his administration and lawmakers to deliver on an issue that affects everyone.

Biden’s SOTU: Data Privacy Is Now a Must-Hit US State of the Union Topic

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

**Description**

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax\_save\_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this function and perform actions intended for administrators such as modifying the folder structure maintained by the plugin.

**References**

*   plugins.trac.wordpress.org
*   plugins.trac.wordpress.org

**Share**

**1 affected software package**

Software Type

Plugin

Software Slug

wicked-folders (view on wordpress.org)

Patched?

Yes

Remediation

Update to version 2.18.17, or a newer patched version

Affected Version

*   <= 2.18.16

Patched Version

*   2.18.17

All the threat data shared in this database is powered by **Wordfence Intelligence**.  
Interested in integrating this data into your platform or network?  
Contact us now to discuss API access to our Wordfence Intelligence Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence Community Edition WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

CVE-2023-0718: Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_folder — Wordfence Intelligence Community Edition

For the moment, victims can decrypt data without paying a ransom. But Clop is a ransomware variant that has caused havoc on Windows systems, so that's bound to change.

A newly spotted version of the prolific Clop ransomware family holds both good and bad news for security teams.

The good news is the malware is faulty, and victims can relatively easily decrypt any data it encrypts without first having to pay a ransom for a decryption key. The bad news is the new malware also is the first Linux version of Clop, a particularly nasty ransomware variant associated with numerous high-profile attacks that have netted its operators hundreds of millions of dollars.

**Faulty Encryption**

Researchers from SentinelOne's SentinelLabs threat hunting team observed the latest Clop variant targeting Linux systems at a university in Colombia. Samples that the company analyzed showed the Linux code to have a similar logic as its more pernicious Windows relative, with minor differences involving API calls and other features unique to the different operating systems.

SentinelOne's analysis showed Clop's Linux version is still likely only in its initial development stages and missing many of the obfuscation and evasive capabilities that are present in Windows' versions of the malware. The security vendor assessed that the reason for this might have to do with the fact that not one of the 64 virus-detection engines on Virus Total are currently able to detect the Linux Clop variant.

Significantly, SentinelOne's researchers found the encryption logic in the Linux variant to be flawed. "The issue boils down to a couple of key differences between the Windows and Linux variants," says Antonis Terefos, threat intelligence researcher at SentinelOne.

The Linux version includes a hardcoded master key, which, when extracted, allows for decryption, he says. "The flaw allows for the simple extraction or discovery of what the RC4 'master key' is for a given sample," he notes, adding that SentinelOne has released a free decryptor for the variant.

The Windows version, on the other hand, contains a number of validation steps, along with a different key generation process, making it hard to retrieve the master key in similar fashion. Specifically, the Windows version generates an RC4 key for each encrypted file on a compromised system and then encrypts the encryption key itself and stores it on the system. Victims who pay the ransom receive a decryption key for decrypting the RC4 key, which is then used to decrypt the actual data.

**Other Differences Between Windows & Linux Clop Versions**

SentinelOne also discovered other differences between the Windows and Linux variants of Clop. The Windows variant, for instance, includes logic that excludes specific files, folders, and extensions on a system from encryption. With the Linux variant, on the other hand, paths targeted for encryption are hardcoded into the malware, Terefos says: "Therefore, there is no need to 'exclude' unwanted locations."

The new Clop version adds to a growing list of ransomware variants targeting Linux systems; other examples include Hive, Smaug, Snake, and Quilin. Researchers from Trend Micro who have been tracking the trend, reported a 75% increase in ransomware attacks that targeted Linux systems in the first half of 2022 compared with the prior year. In a September report, the security vendor reported observing some 1,960 instances where a threat actor used Linux ransomware in an attack attempt, compared with 1,121 in the same period in 2021.

**Mounting Attacker Interest in Linux Malware**

Since then, the situation has only gotten worse for Linux systems. During 2022 as a whole, Trend Micro identified some 27,602 attacks involving Linux malware, says Jon Clay, vice president of threat intelligence at Trend Micro. That represented a 628% increase over 2021, he notes, adding, "we are seeing many more ransomware groups targeting Linux systems."

The attacks are part of a broader increase in all kinds of malware targeting Linux environments, Clay says. As one example, he points to a 61% increase in cryptominers targeting Linux from 2021 to 2022. Others such as VMware have noted an increase in different kinds of malware tools targeting virtual machines and containers via Linux hosts. In a report last year, the company reported identifying more than 14,000 instances where attackers attempted to deploy the Cobalt Strike post-exploit toolkit on a Linux host.

Attacks targeting Windows systems continue to outnumber those directed at Linux environments by orders of magnitude. Still, the growing attacker interest in Linux is something enterprises cannot ignore. 

"Linux and cloud devices offer a rich pool of potential victims," Terefos says. "In recent years, many organizations have shifted toward cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks."

The rise in cross-platform programming languages such as Rust and Go are another factor in the mix because they have lowered the barrier of porting malware to other platforms, Terefos notes. "We've seen this with other groups like Hive, Royal, LockBit, Agenda, etc. Successfully targeting cloud environments is an operational necessity for the future success of these groups."

Fresh, Buggy Clop Ransomware Variant Targets Linux Systems

Lazarus Group used a known Zimbra bug to steal data from medical and energy researchers.

A recent round of compromises that exploited unpatched Zimbra devices was an effort sponsored by the North Korean government and intended to steal intelligence from a collection of public and private medical and energy sector researchers.

Analysts with W Labs explained in a new report that due to an overlap in techniques — and thanks to a misstep by one of the threat actors — they were able to attribute "with high confidence" the recent round of cyber incidents against unpatched Zimbra devices as the work of Lazarus Group, a well-known threat group sponsored by the North Korean government. Lazarus operated this campaign and other similar intelligence-gathering efforts through the end of 2022.

The researchers named the campaign "No Pineapple" after an error message generated by the malware during their investigation. The threat actors quietly exfiltrated about 100GB of data, without waging any disruptive cyber operations or destroying information.

"The campaign targeted public and private sector research organizations, the medical research, and energy sector as well as their supply chain," the W Labs report added. "The motivation of the campaign is assessed to be most likely for intelligence benefit."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DPRK Using Unpatched Zimbra Devices to Spy on Researchers

The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.

Organizations using older versions of VMWare ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed "End of General Support (EOGS) and/or significantly out-of-date products" continues.

However, the onslaught also points out wider problems in locking down virtual environments, the researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or "zero-day" flaw, but rather previously identified vulnerabilities that already have been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed "ESXiArgs" is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi, something VMware began doing by default in shipped versions of the project starting in 2021 with ESXi 7.0 U2c and ESXi 8.0 GA, to mitigate the issue.

**Unpatched Systems Again in the Crosshairs**

VMware's confirmation means that the attack by as-yet unknown perpetrators that's so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US may have been avoided by something that all organizations clearly need to do better — patch vulnerable IT assets — security experts said.

"This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in," notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It's a "sad truth" that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and security strategist for security exposure management firm Tenable**.**

"This puts organizations at incredible jeopardy of being successfully penetrated," he tells Dark Reading. "In this case, with the … VMWare vulnerability, the threat is immense given the active exploitation."

However, even given the risks of leaving vulnerable systems unpatched, it remains a complex issue for organizations to balance the need to update systems with the effect the downtime required to do so can have on a business, Montel acknowledges.

"The issue for many organizations is evaluating uptime, versus taking something offline to patch," he says. "In this case, the calculation really couldn’t be more straightforward — a few minutes of inconvenience, or days of disruption."

**Virtualization Is Inherently a Risk**

Other security experts don't believe the ongoing ESXi attack is as straightforward as a patching issue. Though lack of patching may solve the problem for some organizations in this case, it's not as simple as that when it comes to protecting virtualized environments in general, they note.

The fact of the matter is that VMware as a platform and ESXi in particular are complex products to manage from a security perspective, and thus easy targets for cybercriminals, says David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary. Indeed, multiple ransomware campaigns have targeted ESXi in the past year alone, demonstrating that savvy attackers recognize their potential for success.

Attackers get the added bonus with the virtualized nature of an ESXi environment that if they break into one ESXi hypervisor, which can control/have access to multiple virtual machines (VMs), "it could be hosting a lot of other systems that could also be compromised without any additional work," Maynor says.

Indeed, this virtualization that's at the heart of every cloud-based environment has made the task of threat actors easier in many ways, Montel notes. This is because they only have to target one vulnerability in one instance of a particular hypervisor to gain access to an entire network.

"Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything," he says. "If they are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection."

**How to Protect VMware Systems When You Can't Patch**

As the latest ransomware attack persists — with its operators encrypting files and asking for around 2 Bitcoin (or $23,000 at press time) to be delivered within three days of compromise or risk the release of sensitive data — organizations grapple with how to resolve the underlying issue that creates such a rampant attack.

Patching or updating any vulnerable systems immediately may not be entirely realistic, other approaches may need to be implemented, notes Dan Mayer, a threat researcher at Stairwell. "The truth is, there are always going to be unpatched systems, either due to a calculated risk taken by the organizations or due to resource and time constraints," he says.

The risk of having an unpatched system in and of itself may be mitigated then by other security measures, such as continuously monitoring enterprise infrastructure for malicious activity and being prepared to respond quickly and segment areas of attack if a problem arises.

Indeed, organizations need to act on the assumption that preventing ransomware "is all but impossible," and focus on putting tools in place "to lessen the impact, such as disaster recovery plans and context-switched data," notes Barmak Meftah, founding partner at cybersecurity venture capital firm Ballistic Ventures.

However, the ongoing VMware ESXi ransomware attack highlights another issue that contributes to an inherent inability for many organizations to take the necessary preventative measures: the skill and income gaps across the globe in the IT security realm, Mayer says.

"We do not have enough skilled IT professionals in nations where wealthy companies are targets," he tells Dark Reading. "At the same time, there are threat actors across the globe who are able to make a better living leveraging their skills to extort money from others than if they took legitimate cybersecurity work."

Mayer cites a report by the international cybersecurity nonprofit (ICS2) that said to secure assets effectively, the cybersecurity workforce needs 3.4 million cybersecurity workers. Until that happens, "we need to ramp up training these workers, and while the gap still exists, pay those with the skills around the world what they are worth, so they don’t turn to being part of the problem," Mayer says.

Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks

WordPress Metform Elementor Contact Form Builder plugin versions 3.1.2 and below suffer from a persistent cross site scripting vulnerability.

    Affected Plugin: Metform Elementor Contact Form BuilderPlugin Slug: metformAffected Versions: <= 3.1.2CVE ID: CVE-2023-0084CVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NResearcher/s: Mohammed El Amin, Chemouri Fully Patched Version: 3.2.0The Metform Elementor Contact Form Builder plugin allows site builders to create highly functional contact forms. Unfortunately, vulnerable versions of the Metform plugin fail to escape submitted form entries when displaying them in the admin panel.This meant that any site visitor could fill out a contact form with malicious JavaScript, and that the script would execute in the browser of any administrator viewing that form entry.While sanitizing input may also have helped, escaping output is much more important for preventing Cross-Site Scripting as bypasses are far less common.The patched version updated the format_form_data function to escape the output form data in order to address this issue.An attacker able to execute JavaScript in the browser of an administrator can use it to take over a website via several methods, including by adding a new malicious administrator or injecting a backdoor into a plugin or theme on the site.Unauthenticated Stored Cross-Site Scripting vulnerabilities are the most dangerous variant of Cross-Site Scripting for WordPress sites as they are much easier for attackers to automatically exploit en masse without needing an existing user account.TimelineJanuary 4, 2023 - Mohammed Chemouri responsibly discloses the vulnerability to the plugin vendor and our Vulnerability Disclosure program.January 8, 2023 - A patched version of the Metform plugin, 3.2.0, is made available.February 3, 2023 - The Wordfence Threat Intelligence team discovers a potential bypass of the existing Cross-Site Scripting rule and releases an additional firewall rule to Wordfence Premium, Care, and Response sites.March 5, 2023 - The firewall rule becomes available to Wordfence free users.ConclusionIn today’s post we detailed an unauthenticated stored Cross-Site Scripting vulnerability in the Metform plugin discovered and responsibly disclosed by independent security researcher Mohammed Chemouri. The Wordfence firewall’s built-in Cross-Site Scripting protection should provide coverage for all Wordfence users including those using Wordfence free.While we did find a potential bypass and deploy an additional rule to coverit, we have not seen this vulnerability exploited at a large scale in the wild, and have not seen any instances of the bypass being exploited. Nonetheless, we strongly recommend updating to the latest version of the Metform Elementor Contact Form Builder plugin, which is 3.2.1 at the time of this writing.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Metform Elementor Contact Form Builder as soon as possible.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

Tag

#intel