VMware Becomes New Target of FreakOut Malware


A new, dangerous malware campaign known as "FreakOut" has been targeting unpatched Linux machines that handle Network Attached Storage (NAS) or run certain PHP- and Java-based web application frameworks.

The FreakOut botnet first surfaced in November 2020 and returned with a fresh wave of attacks in January 2021. The malware targets TerraMaster data storage units, web apps built on top of the Zend PHP framework, and websites running the Liferay Portal content management system.

The Python-based, multi-platform malware, which has previously targeted Windows and Linux systems, has been updated to go after internet-exposed VMware vCenter servers left unpatched against a remote code execution vulnerability.

The vulnerability, CVE-2021-21972, lies in the vCenter plug-in for vRealize Operations (vROps) and is particularly noteworthy because it affects the default installation of vCenter Server. Shodan and BinaryEdge searches show that thousands of unpatched vCenter servers are currently reachable from the Internet.

FreakOut spreads as an IRC botnet controlled by its operators, exploiting a wide variety of OS and application vulnerabilities and brute-forcing SSH passwords. Its core features let the operators launch DDoS attacks, backdoor infected devices, sniff network traffic and steal data, and deploy XMRig miners to mine Monero.

"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," Cisco Talos security researcher Vanja Svajcer said.

FreakOut's developers have been working since early May, when the botnet's activity unexpectedly skyrocketed, to improve the malware's spreading capabilities.

FreakOut bots scan for new systems, either by generating network ranges at random or by following instructions from their operators, delivered over IRC from the command-and-control server. For every IP address in its scan list, the bot tries one of its built-in exploits or attempts to log in over SSH using a hard-coded list of passwords.
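The scanning behaviour described above (random ranges plus a hard-coded SSH password list) leaves a characteristic trace in a target's auth log: a burst of failed password logins from one source, often across several usernames. As an added example that is not part of the original post, the Python below flags such sources; the sshd log lines, the failure threshold and the time window are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt (syslog format) invented for this example; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun  3 02:14:01 nas sshd[2101]: Failed password for root from 198.51.100.23 port 50122 ssh2
Jun  3 02:14:03 nas sshd[2103]: Failed password for root from 198.51.100.23 port 50124 ssh2
Jun  3 02:14:04 nas sshd[2105]: Failed password for invalid user admin from 198.51.100.23 port 50126 ssh2
Jun  3 02:14:06 nas sshd[2107]: Failed password for invalid user pi from 198.51.100.23 port 50128 ssh2
Jun  3 02:14:07 nas sshd[2109]: Failed password for root from 198.51.100.23 port 50130 ssh2
Jun  3 02:14:09 nas sshd[2111]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
Jun  3 02:30:00 nas sshd[2150]: Failed password for alice from 192.0.2.10 port 41002 ssh2
"""

# Matches failed password attempts, with or without sshd's "invalid user" marker.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text, year=2021):
    """Return a list of (timestamp, username, source_ip) for each failed attempt."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied (assumption)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def flag_brute_force(log_text, threshold=4, window_seconds=60):
    """Return {source_ip: (total_failures, sorted distinct usernames)} for every
    source with at least `threshold` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged
```

A single failed login from a legitimate user (192.0.2.10 in the sample) stays below the threshold, while the scanner's password spray against root, admin and pi is reported with its username set.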

VMware vulnerabilities have also been exploited in the past in ransomware attacks on business networks. According to Cisco Talos, the FreakOut operators have also been constantly experimenting with different malicious payloads, including bespoke ransomware.

"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems," Svajcer added. 

"Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems."

The VMware Carbon Black Cloud Workload Patched a Vulnerability


A serious security vulnerability in the VMware Carbon Black Cloud Workload appliance could allow an attacker to gain root access and take over most of the solution's administrative functions. The recently identified flaw, tracked as CVE-2021-21982 and rated 9.1 on the CVSS scale, resides in the appliance's administrative interface and exists because an intruder can bypass authentication by manipulating a URL on that interface. VMware Carbon Black Cloud Workload is the security platform that protects virtual servers and workloads on VMware's vSphere, the virtualization platform for VMware cloud computing.

According to a statement VMware issued last week, the problem stems from improper URL handling. “A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” the company noted. “An adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.”

In turn, the intruder would gain access to the appliance's management API. Once logged in as an administrator, the intruder could view and change administrative configuration settings and carry out further attacks, including code execution, disabling security monitoring, or enumerating the virtual instances in the private cloud, and more, depending on which tools the organization has deployed in the environment.

“A malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance may be able to obtain a valid authentication token, granting access to the administration API of the appliance,” VMware notes in an advisory. 

Organizations use VMware's Carbon Black Cloud Workload in virtualized environments to protect their workloads; it offers tools for vulnerability assessment, antivirus protection, and threat detection.

Egor Dimitrenko, the Positive Technologies researcher credited with discovering the vulnerability, says an intruder could use the bug to execute arbitrary code on the server. “Remote Code Execution is a critical vulnerability that gives an attacker unlimited opportunity to perform any attack to company infrastructure,” Dimitrenko underlines.

The researcher explains that the VMware Carbon Black Cloud Workload admin panel should not normally be reachable from the Internet, but notes that misconfigurations can expose it improperly. He adds that organizations may also deploy remote access tools inside the internal network.

To address the vulnerability, VMware released version 1.0.2 of the VMware Carbon Black Cloud Workload appliance last week and encouraged customers to apply the update to stay secure. It also recommends implementing network controls to restrict access to the appliance's admin interface. On Friday, the Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory warning of the vulnerability and raising awareness that patches for it are available.