CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Website Subscribe

Episode 43: Jamuary 30 2023

January 30, 2023 Jim Guckin CyberSecurity News Byte Weekly 20:5530.25M Comments Off on Episode 43: Jamuary 30 2023

Contents

Old Vulnerability Used to Attack VMware. 2

Nevada Ransomware Group. 3

Data breach at Vice Media involved SSNs, and financial info. 4

Next LockBit Color. 5

 

 

 

Links

https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/

https://enes.dev/

https://resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot

https://therecord.media/data-breach-at-vice-media-involved-ssns-financial-info/?web_view=true

https://cyware.com/news/ransomware-landscape-2022-kela-report-ae18463b

 

 

Times

00:36

05:38

11:00

16:19

 

 

Old Vulnerability Used to Attack VMware

 

  • OVHcloud
    • French cloud provider
    • published a report linking this massive wave of attacks targeting VMware ESXi servers
    • first day of attacks, approximately 120 ESXi servers were encrypted.
      • Weekend 2,400 VMware ESXi devices worldwide
    • VMware
      • Confirmed the attacks
        • NOT ZER0 DAY
      • advises admins
        • install the latest updates for ESXi servers
        • disable the OpenSLP service
          • disabled by default since 2021.
        • CVE-2021-21974 (8.8/10) High
          • security flaw is caused by a heap overflow issue in the OpenSLP service
            • can be exploited by unauthenticated threat actors
            • low-complexity attacks
          • Impacted Versions
            • ESXi versions 7.x prior to ESXi70U1c-17325551
            • ESXi versions 6.7.x prior to ESXi670-202102401-SG
            • ESXi versions 6.5.x prior to ESXi650-202102101-SG
          • Patched Feb 23 2021
          • Attacks focus on ESXi hypervisors in version 6.x and prior to 6.7
        • Ransomwhere ransom payment tracking service
          • reporting only four ransom payments for a total of $88,000.
          • lack of ransom payments
            • VMware ESXi recovery guide
              • security researcher Enes Sonmez
              • rebuild machines and recover data…FREE
            • Defense
              • Well…update
              • disable the vulnerable Service Location Protocol (SLP) service
              • OpenSLP port (427) monitor

 

 

Nevada Ransomware Group

 

  • The Nevada Ransomware has appealing partner conditions
    • initial commission rate of 85%
  • The actors behind the ransomware have the ability to escalate their attack beyond the initial point
    • by performing post-exploitation activities for maximum damage.
  • both Windows and Linux/ESXi versions of the Nevada Ransomware
    • constantly updated.
  • On February 1, the developers behind the project improved the functionality of the ransomware
    • distributed new versions for their affiliates supporting Windows and Linux/ ESXi.
  • not only develop ransomware but also obtain unauthorized access for additional exploitation.
  • team that specializes in post-exploitation
    • working to escalate the initial point of compromise into a full network intrusion.
  • In the Windows version, files are encrypted “by stripes,”
    • which tout as a significant advantage speed
  • Written in Rust
    • the locker can be executed through a console with pre-defined flags
      • including encrypting selected files and directories
      • self-deleting
      • deleting shadow copies
      • loading hidden drives
      • self-mode encryption
      • finding and encrypting network shares.

 

 

  •  

Data breach at Vice Media involved SSNs, financial info

  • Vice Media
    • filings on January 26
  • cyberattack on its network
    • alerted in March 2022
    • hired a cybersecurity firm
      • investigate the incident
      • into an internal Vice e-mail account
    • Social Security numbers were involved in the breach
      • which affected 1,724 people.
    • delayed reporting
      • effort to figure out what personal information was involved
      • find up-to-date addresses for all victims
      • no comment on why this took a year
    • Victims are being offered 12 months of credit and identity monitoring services
    • identity restoration services through Equifax
      • plan includes $1 million in identity theft insurance.

 

 

Next LockBit Color

  • LockBit ransomware group
    • Most active threat in 2022
      • More victims than any other group
    • LockBit Red
    • LockBit Black (LockBit 3.0)
      • derived from BlackMatter’s source code.
    • LockBit Green
      • significant overlap (89%) with Conti ransomware v3
      • modified their ESXI ransomware variant.
      • ransom note is identical to the one used by the LockBit Black
        • ransom note filename has been changed to !!!-Restore-My-Files-!!!.txt.
      • uses random extensions rather than the standard .lockbit extension
    • Hacker Buy In
      • ex-Conti members will prefer LockBit Green
      • familiarity to Conti will mean less learning cur

CyberSecurity News Byte is a weekly podcast, condensing the latest cybersecurity news, in an easily digestible format. News that you need to know to keep yourself and your organization safe from today’s threats.

Facebook Twitter Instagram

© 2021-2022 All Rights Reserved. Developed By Podcrease