AndrewShadid.com

by: Jessica Lyons Hardcastle

February 24, 2021 1:50 PM

VMware fixed several bugs including a critical remote code execution vulnerability that affects vCenter Server management software and, if exploited, would allow hackers to execute arbitrary commands on the server and gain access to sensitive data.

Remote code execution vulnerabilities pose especially critical security threats to organizations, and VMware’s stronghold in data centers worldwide gives patching these flaws particular urgency.

“VMware is monitoring the situation, and we are not aware of any reports of active exploitation,” a company spokesperson said in an email to SDxCentral.

VMware vCenter RCE Bug

According to Positive Technologies, more than 6,000 VMware vCenter devices worldwide are accessible from the internet and contain the most critical vulnerability, CVE-2021-21972, which received a Common Vulnerability Scoring System score of 9.8 out of 10. About a quarter of these devices (26%) are located in the U.S.

Positive Technologies’ threat researcher Mikhail Klyuchnikov discovered the bug in the vSphere Client functionality. The main threat comes from insiders who have penetrated the protection of the network perimeter using other methods such as social engineering or web vulnerabilities, or who have access to the internal network using previously installed backdoors.

“In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),” Klyuchnikov said in a statement. “The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.”

This would allow the attacker to move through the corporate network and gain access to the data stored in the attacked system, such as information about virtual machines and system users, Klyuchnikov explained. “If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data,” he said. “Once again, I would like to note that this vulnerability is dangerous, as it can be used by any unauthorized user.”

Earlier this month, Positive Technologies’ Egor Dimitrenko discovered a different high-severity vulnerability in the VMware vSphere Replication data replication tool.

ESXi Hypervisor Vulnerability

The second vulnerability, (CVE-2021-21974), received an “important” severity CVSS score of 8.8. Trend Micro’s zero day threat researcher Lucas Leong found this flaw in the ESXi hypervisor and Cloud Foundation software stacks running that hypervisor. It’s a heap-overflow vulnerability, which attackers can exploit by corrupting data in specific ways to cause the application to overwrite internal structures.

This means an attacker in the same network segment as ESXi with access to port 427 could trigger the heap-overflow issue in OpenSLP service, thus resulting in remote code execution, according to the VMware security disclosure.

And finally, a server side request forgery (SSRF) vulnerability (CVE-2021-21973) also discovered by Klyuchnikov in a vCenter Server plugin, received a CVSS score of 5.3, or “moderate.” An attacker with network access could exploit this flaw by sending a POST request to vCenter Server plugin, which could lead to information disclosure.

by: Keumars Afifi-Sabet1 Mar 2021

The ‘Carbon Spider’ and ‘Sprite Spider’ gangs have compromised vCenter credentials to attack enterprise systems

Two ransomware strains have retooled to exploit vulnerabilities in the VMware ESXi hypervisor system publicised last week and encrypt virtual machines (VMs).

The company patched three critical flaws across its virtualisation products last week. These included a heap buffer overflow bug in the ESXi bare-metal hypervisor, as well as a flaw that could have allowed hackers to execute commands on the underlying operating system that hosts the vCenter Server.

Researchers with CrowdStrike have since learned that two groups, known as ‘Carbon Spider’ and ‘Sprite Spider’, have updated their weapons to target the ESXi hypervisor specifically in the wake of these revelations. These groups have historically targeted Windows systems, as opposed to Linux installations, in large-scale ransomware campaigns also known as big game hunting (BGH).

The attacks have been successful, with affected victims including organisations that have used virtualisation to host many of their corporate systems on just a few ESXi servers. The nature of ESXi means these served as a “virtual jackpot” for hackers, as they were able to compromise a wide variety of enterprise systems with relatively little effort.

This follows news that cyber criminals last week were actively scanning for vulnerable businesses with unpatched VMware vCenter servers, only days after VMware issued fixes for the three flaws.

“By deploying ransomware on ESXi, Sprite Spider and Carbon Spider likely intend to impose greater harm on victims than could be achieved by their respective Windows ransomware families alone,” said CrowdStrike researchers Eric Loui and Sergei Frankoff. 

“Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations.

“If these ransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to target virtualization infrastructure in the medium term.”

Sprite Spider has conventionally launched low-volume BGH campaigns using the Defray777 strain, first attempting to compromise domain controllers before exfiltrating victim data and encrypting files. 

Carbon Spider, meanwhile, has traditionally targeted companies operating point-of-sale (POS) devices, with initial access granted through phishing campaigns. The group abruptly shifted its operational model in April last year, however, to instead undertake broad and opportunistic attacks against large numbers of victims. It launched its own strain, dubbed Darkside, in August 2020.

Both strains have compromised ESXI systems by harvesting credentials that can be used to authenticate to the vCenter web interface, which is a centralised server admin tool that can control multiple ESXi devices. 

After connecting to vCenter, Sprite Spider enables SSH to allow persistent access to ESXi devices, and in some cases changes the root password or the host’s SSH keys. Carbon Spider, meanwhile, accesses vCenter using legitimate credentials but also logged in over SSH using the Plink tool to drop its Darkside ransomware.

“In line with VMware’s commitment to responsible disclosure, we issued a public security advisory with a fix and workaround for a security issue that was privately reported to us in order to help our customers stay safe,” a VMware spokesperson told IT Pro. 

“As a matter of best practice, VMware always encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment and deploy our products in a security hardened configuration.”