Zimbra urged admins today to manually fix a zero-day vulnerability actively exploited to target and compromise Zimbra Collaboration Suite (ZCS) email servers. […]
BleepingComputer
TargetCompany Ransomware Group Employs Linux Variant to Attack ESXi Environments
The notorious TargetCompany ransomware group introduced a new Linux variant targeting VMware ESXi environments.
This evolution in their tactics underscores the increasing sophistication of ransomware attacks and the growing threat to critical virtualized infrastructure.
Discovered in June 2021, the TargetCompany ransomware, tracked by Trend Micro as “Water Gatpanapun” and known on its leak site as “Mallox,” has been actively targeting organizations in Taiwan, India, Thailand, and South Korea.
The group has continuously refined its techniques for bypassing security defenses, including using PowerShell scripts to circumvent the Antimalware Scan Interface (AMSI) and fully undetectable (FUD) obfuscator packers.
Recently, Trend Micro’s threat-hunting team identified a new variant of TargetCompany ransomware targeting Linux environments.
This variant employs a shell script for payload delivery and execution, marking a departure from previous versions.
The shift to Linux aligns with a broader trend of ransomware groups extending their attacks to critical Linux environments, thereby increasing their potential victim pool.
The Linux variant checks for administrative rights before executing its malicious routine, ensuring it can operate with the necessary permissions.
Upon execution, it drops a text file named TargetInfo.txt containing victim information, which is then sent to a command-and-control (C&C) server.
This behavior mirrors that of the ransomware’s Windows variant.
Checking if the program is executed as superuser or root
Dropped “TargetInfo.txt” file
The ransomware group has expanded its targets to include virtualization servers, specifically VMware ESXi environments.
By encrypting critical ESXi servers, the attackers aim to cause significant operational disruption and increase the likelihood of ransom payments.
The binary checks if the machine is running in a VMware ESXi environment by executing the command “uname” and looking for the system name “vmkernel.”
After encrypting files, the ransomware appends the extension “.locked” and drops a ransom note named HOW TO DECRYPT.txt.
This is a change from the usual extension and ransom note file name used in its Windows variant.
Appended “.locked” extension on encrypted files
The ransomware payload is delivered and executed using a custom shell script.
This script checks for the existence of the TargetInfo.txt file and terminates if found. It then attempts to download the payload using “wget” or “curl,” makes it executable, and runs it in the background.
The script also exfiltrates data to a different server, providing redundancy in case a server goes offline or is compromised.
Custom shell script for delivery and execution of payload
The IP address used to deliver the payload and exfiltrate victim information is hosted by China Mobile Communications, which indicates that it may have been rented for malicious purposes.
The certificate for this IP address is valid for only three months, suggesting short-term use. The ransomware is associated with an affiliate called “vampire,” indicating broader campaigns with high ransom demands.
Homepage of the URL used to host the ransomware payload
The emergence of TargetCompany’s new Linux variant highlights the ongoing evolution of ransomware tactics and the increasing threat to critical virtualized infrastructure.
Organizations must remain vigilant and implement robust cybersecurity measures to mitigate the risk of ransomware attacks.
Best practices include enabling multifactor authentication (MFA), adhering to the 3-2-1 backup rule, and regularly patching and updating systems.
Hashes
| Hash | Detection | Description |
| --- | --- | --- |
| dffa99b9fe6e7d3e19afba38c9f7ec739581f656 | Ransom.Linux.TARGETCOMP.YXEEQT | TargetCompany Linux variant |
| 2b82b463dab61cd3d7765492d7b4a529b4618e57 | Trojan.SH.TARGETCOMP.THEAGBD | Shell script |
| 9779aa8eb4c6f9eb809ebf4646867b0ed38c97e1 | Ransom.Win64.TARGETCOMP.YXECMT | TargetCompany samples related to affiliate vampire |
| 3642996044cd85381b19f28a9ab6763e2bab653c | Ransom.Win64.TARGETCOMP.YXECFT | TargetCompany samples related to affiliate vampire |
| 4cdee339e038f5fc32dde8432dc3630afd4df8a2 | Ransom.Win32.TARGETCOMP.SMYXCLAZ | TargetCompany samples related to affiliate vampire |
| 0f6bea3ff11bb56c2daf4c5f5c5b2f1afd3d5098 | Ransom.Win32.TARGETCOMP.SMYXCLAZ | TargetCompany samples related to affiliate vampire |
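The hashes above and the host artefacts described earlier (the dropped TargetInfo.txt, the HOW TO DECRYPT.txt ransom note, and the ".locked" extension on encrypted files) are enough to sweep a Linux or ESXi host for signs of this variant. The following script is an added example written for this page; it is not Trend Micro's or the article's code. It assumes the 40-character hashes in the table are SHA-1 digests (their length matches SHA-1), and the sample directory it builds is constructed in a temporary folder with placeholder contents, not real malware.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-1 hashes and detection names taken from the article's IoC table.
TARGETCOMPANY_SHA1 = {
    "dffa99b9fe6e7d3e19afba38c9f7ec739581f656": "Ransom.Linux.TARGETCOMP.YXEEQT (Linux variant)",
    "2b82b463dab61cd3d7765492d7b4a529b4618e57": "Trojan.SH.TARGETCOMP.THEAGBD (delivery shell script)",
    "9779aa8eb4c6f9eb809ebf4646867b0ed38c97e1": "Ransom.Win64.TARGETCOMP.YXECMT (affiliate vampire)",
    "3642996044cd85381b19f28a9ab6763e2bab653c": "Ransom.Win64.TARGETCOMP.YXECFT (affiliate vampire)",
    "4cdee339e038f5fc32dde8432dc3630afd4df8a2": "Ransom.Win32.TARGETCOMP.SMYXCLAZ (affiliate vampire)",
    "0f6bea3ff11bb56c2daf4c5f5c5b2f1afd3d5098": "Ransom.Win32.TARGETCOMP.SMYXCLAZ (affiliate vampire)",
}

# Host artefacts the article attributes to the Linux variant.
ARTEFACT_NAMES = {"TargetInfo.txt", "HOW TO DECRYPT.txt"}
ENCRYPTED_SUFFIX = ".locked"


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large datastore files need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, hashes=TARGETCOMPANY_SHA1):
    """Walk `root` and return (path, indicator_type, detail) tuples for every hit."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue
        if path.name in ARTEFACT_NAMES:
            findings.append((str(path), "artefact-name", path.name))
        if path.suffix == ENCRYPTED_SUFFIX:
            findings.append((str(path), "encrypted-extension", ENCRYPTED_SUFFIX))
        try:
            digest = sha1_of_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        if digest in hashes:
            findings.append((str(path), "hash-match", hashes[digest]))
    return findings


def summarize(findings):
    """Count hits per indicator type, e.g. {'artefact-name': 2, 'encrypted-extension': 1}."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_demo_tree():
    """Constructed sample directory (placeholder bytes, no real malware) mimicking the artefacts."""
    root = Path(tempfile.mkdtemp(prefix="targetcompany-demo-"))
    (root / "vmfs").mkdir()
    (root / "vmfs" / "guest01.vmdk.locked").write_bytes(b"opaque placeholder bytes")
    (root / "vmfs" / "HOW TO DECRYPT.txt").write_text("constructed ransom-note placeholder\n")
    (root / "tmp").mkdir()
    (root / "tmp" / "TargetInfo.txt").write_text("constructed victim-info placeholder\n")
    (root / "tmp" / "notes.txt").write_text("benign file\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in scan_tree(demo):
        print(hit)
    print(summarize(scan_tree(demo)))
```

Run it against a real mount point by calling `scan_tree("/vmfs/volumes")` (or whatever path holds the datastores); a name or extension hit is a strong signal that encryption has already happened, while a hash hit on an executable indicates the dropper or payload is present before or after detonation. Symlinks are skipped so a crafted link cannot steer the sweep outside the tree being examined.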
The post TargetCompany Ransomware Group Employs Linux Variant to Attack ESXi Environments appeared first on Cyber Security News.
Zoom Security Flaws let Attackers Escalate Privileges
Zoom has released security patches for six high-severity and one low-severity vulnerability that allow threat actors to escalate privileges and disclose sensitive information.
The CVSS scores of these vulnerabilities range from 3.3 (Low) to 8.4 (High).
| Title | CVE ID | Severity |
| --- | --- | --- |
| Improper Access Control | CVE-2023-36538 | High |
| Improper Privilege Management | CVE-2023-36537 | High |
| Untrusted Search Path | CVE-2023-36536 | High |
| Insecure Temporary File | CVE-2023-34119 | High |
| Improper Privilege Management | CVE-2023-34118 | High |
| Relative Path Traversal | CVE-2023-34117 | Low |
| Improper Input Validation | CVE-2023-34116 | High |
Improper Access Control (CVE-2023-36538): this vulnerability exists due to improper access control in Zoom Rooms versions prior to 5.15.0, allowing an authenticated user to escalate privileges via local access.
Untrusted Search Path (CVE-2023-36536): this vulnerability exists due to an untrusted search path in the Zoom Rooms installer prior to version 5.15.0, allowing an authenticated user to escalate privileges via local access.
Insecure Temporary File (CVE-2023-34119): this vulnerability exists due to an insecure temporary file in the Zoom Rooms installer in versions prior to 5.15.0, allowing an authenticated user to escalate privileges via local access.
Improper Input Validation (CVE-2023-34116): this vulnerability exists due to improper input validation in Zoom Desktop for Windows versions prior to 5.15.0, allowing an authenticated user to escalate privileges via local access.
The vulnerabilities were discovered and reported to Zoom by sim0nsecurity.
The four described above are among the highest-severity vulnerabilities Zoom has fixed; the necessary patches have been released.
For more information on the patches, Zoom has released a security advisory for these vulnerabilities. Users are recommended to upgrade their Zoom versions to fix these vulnerabilities.
The post Zoom Security Flaws let Attackers Escalate Privileges appeared first on Cyber Security News.