CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 43: January 30 2023


Old Vulnerability Used to Attack VMware

Nevada Ransomware Group

Data breach at Vice Media involved SSNs and financial info

Next LockBit Color

Old Vulnerability Used to Attack VMware


  • OVHcloud
    • French cloud provider
    • published a report linking this massive wave of attacks targeting VMware ESXi servers to CVE-2021-21974
    • first day of attacks, approximately 120 ESXi servers were encrypted
      • by the weekend, 2,400 VMware ESXi devices worldwide
    • VMware
      • Confirmed the attacks
        • NOT a ZERO DAY
      • advises admins
        • install the latest updates for ESXi servers
        • disable the OpenSLP service
          • disabled by default since 2021.
        • CVE-2021-21974 (CVSS 8.8/10, High)
          • the flaw is a heap overflow in the OpenSLP service
            • exploitable by unauthenticated threat actors
            • in low-complexity attacks
          • Impacted Versions
            • ESXi versions 7.x prior to ESXi70U1c-17325551
            • ESXi versions 6.7.x prior to ESXi670-202102401-SG
            • ESXi versions 6.5.x prior to ESXi650-202102101-SG
          • Patched Feb 23 2021
          • Attacks focus on ESXi hypervisors in version 6.x and prior to 6.7
    • Ransomwhere (ransom payment tracking service)
      • reporting only four ransom payments, totaling $88,000
      • lack of ransom payments explained by a VMware ESXi recovery guide
        • by security researcher Enes Sonmez
        • rebuild machines and recover data…FREE
    • Defense
      • Well…update
      • disable the vulnerable Service Location Protocol (SLP) service
      • monitor the OpenSLP port (427)
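As an added example (not from the episode, OVHcloud or VMware), a small triage helper that turns the guidance above into a check: it reads the ESXi build from `vmware -vl` and the SLP daemon state from `/etc/init.d/slpd status`, and classifies the host as patched, mitigated (SLP stopped) or exposed. It assumes those two commands print "VMware ESXi <version> build-<n>" and "slpd is running" / "slpd is not running", and it carries only the 7.x fixed build stated in the notes; the 6.7 and 6.5 entries are left empty on purpose.

```python
import re

# Fixed builds per ESXi branch. Only the 7.x build is stated in the notes
# (ESXi70U1c-17325551); 6.7 and 6.5 are named there only by patch id, so
# they are left as None and must be filled in from VMware's advisory.
FIXED_BUILDS = {"7.0": 17325551, "6.7": None, "6.5": None}

# Assumed shape of `vmware -vl` output: "VMware ESXi 7.0.1 build-17325551"
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)?\s+build-(\d+)")
# Assumed shape of `/etc/init.d/slpd status` output:
# "slpd is running" or "slpd is not running"
SLPD_RUNNING_RE = re.compile(r"\bslpd is running\b")


def parse_version(vmware_vl: str) -> tuple[str, int]:
    """Return (branch, build) parsed from `vmware -vl` output."""
    m = VERSION_RE.search(vmware_vl)
    if not m:
        raise ValueError("unrecognised `vmware -vl` output")
    return m.group(1), int(m.group(2))


def slpd_running(slpd_status: str) -> bool:
    """True if the SLP daemon status output reports it as running."""
    return SLPD_RUNNING_RE.search(slpd_status) is not None


def assess(vmware_vl: str, slpd_status: str) -> str:
    """Classify a host: patched, mitigated (unpatched, SLP stopped),
    exposed (unpatched, SLP running), or review (fix build unknown)."""
    branch, build = parse_version(vmware_vl)
    fixed = FIXED_BUILDS.get(branch)
    slp = slpd_running(slpd_status)
    if fixed is None:
        # Unknown branch or fix build not filled in: do not guess.
        state = "slpd running" if slp else "slpd stopped"
        return f"review: fixed build unknown for ESXi {branch}, {state}"
    if build >= fixed:  # build numbers increase within a branch
        return "patched"
    if slp:
        return "exposed: unpatched and slpd running"
    return "mitigated: unpatched but slpd stopped"


if __name__ == "__main__":
    # Constructed sample captures, not real hosts.
    hosts = {
        "esxi-a": ("VMware ESXi 7.0.1 build-17325551\nVMware ESXi 7.0 Update 1", "slpd is running"),
        "esxi-b": ("VMware ESXi 7.0.0 build-16324942", "slpd is running"),
        "esxi-c": ("VMware ESXi 7.0.0 build-16324942", "slpd is not running"),
        "esxi-d": ("VMware ESXi 6.7.0 build-17499825", "slpd is not running"),
    }
    for name, (ver, slp) in hosts.items():
        print(f"{name}: {assess(ver, slp)}")
```

A host reported as "mitigated" is still unpatched; the SLP service state only removes the exposed attack surface until the update is installed.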



Nevada Ransomware Group


  • Nevada Ransomware offers appealing partner conditions
    • initial commission rate of 85%
  • The actors behind the ransomware can escalate an attack beyond the initial point of entry
    • by performing post-exploitation activities for maximum damage
  • both Windows and Linux/ESXi versions of Nevada Ransomware exist
    • constantly updated
  • On February 1, the developers behind the project improved the functionality of the ransomware
    • distributed new versions for their affiliates supporting Windows and Linux/ESXi
  • the group not only develops ransomware but also obtains unauthorized access for additional exploitation
  • a team that specializes in post-exploitation
    • works to escalate the initial point of compromise into a full network intrusion
  • In the Windows version, files are encrypted “by stripes,”
    • which the developers tout as a significant speed advantage
  • Written in Rust
    • the locker can be executed through a console with pre-defined flags
      • including encrypting selected files and directories
      • self-deleting
      • deleting shadow copies
      • loading hidden drives
      • self-mode encryption
      • finding and encrypting network shares.




Data breach at Vice Media involved SSNs, financial info

  • Vice Media
    • disclosed in filings on January 26
  • cyberattack on its network
    • alerted in March 2022
    • hired a cybersecurity firm to investigate the incident
      • intrusion into an internal Vice e-mail account
    • Social Security numbers were involved in the breach
      • which affected 1,724 people.
    • delayed reporting
      • effort to figure out what personal information was involved
      • find up-to-date addresses for all victims
      • no comment on why this took a year
    • Victims are being offered 12 months of credit and identity monitoring services
    • identity restoration services through Equifax
      • plan includes $1 million in identity theft insurance.



Next LockBit Color

  • LockBit ransomware group
    • Most active threat in 2022
      • More victims than any other group
    • LockBit Red
    • LockBit Black (LockBit 3.0)
      • derived from BlackMatter’s source code.
    • LockBit Green
      • significant overlap (89%) with Conti ransomware v3
      • modified their ESXi ransomware variant
      • ransom note is identical to the one used by the LockBit Black
        • ransom note filename has been changed to !!!-Restore-My-Files-!!!.txt.
      • uses random extensions rather than the standard .lockbit extension
    • Hacker buy-in
      • ex-Conti members will prefer LockBit Green
      • familiarity with Conti will mean less of a learning curve