Threat Intelligence Blog
Black Arrow Cyber Advisory – LockBit Ransomware Now Actively Targeting VMware ESXi Hosts
Executive Summary
LockBit, a ransomware gang that first came to prominence in 2021, has improved its Ransomware-as-a-Service (RaaS) offering and is advertising that it will now actively target VMware ESXi virtual machines. VMware ESXi is a widely used virtualisation platform found in most business environments globally; it consolidates many software servers and services onto a single physical machine, saving both space and cost. The new LockBit features include the ability to enumerate all running Virtual Machines (VMs) and manipulate their power states so that they are encrypted successfully.
What’s the risk to me or my business?
Due to the popularity of ESXi, there is an increased risk to those running the platform. The changes demonstrate that RaaS operators are keenly aware that businesses present lucrative targets, actively implementing features that have the greatest potential for harm in an enterprise environment.
What can I do?
Ensure that systems and services across your network remain up to date. Attackers often chain bugs, vulnerabilities and misconfigurations to breach an environment before moving on to other devices. For ESXi specifically, consider disabling Secure Shell (SSH) if it is enabled, and ensure that any exposed web interfaces use TLS (HTTPS).
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Advisory – “PwnKit” Bug Allows Root Access on the Ubiquitous Linux Operating System
Executive Summary
Security researchers have revealed a new bug in a toolkit component shipped with the Linux operating system, the software that drives most of the world's infrastructure. Linux is found everywhere, from firewalls and network switches to cars and huge industrial machines. The tool, ‘pkexec’, was found to be vulnerable to privilege escalation, allowing an attacker to gain root (administrator) privileges with ease.
What’s the risk to me or my business?
As Linux runs in almost every environment in the world, an attacker with access to the system could exploit the vulnerability to take control. The attack can become particularly potent when used in combination with other exploits on an unpatched system. Security researchers note the attack is ‘trivially exploitable’, leading to a dangerous situation if a system is indeed susceptible.
What can I do?
A patch has been issued for the bug, which should be implemented as soon as possible on any device that may be running Linux. It is recommended that systems in general be patched as often as practicable to reduce overall risk.
Technical Summary
Security researchers have disclosed a buffer overflow vulnerability in Polkit's pkexec, a tool that lets programs without special privileges safely interact with services that require root. The flaw lies in the handling of environment variables: a NULL reference can be used to trigger the overflow. As a result, a malicious user, even on an account with minimal privileges, could exploit the resulting misalignment to introduce dangerous environment variables and elevate their session.
Black Arrow Cyber Advisory – 20,000 HP Servers Have Their Management Interface Exposed to the Internet
Executive Summary
Integrated Lights Out (iLO) is a low-level management interface on Hewlett-Packard (HP) servers, intended for out-of-band access, that is, access from outside the operating system. The service is mostly used by IT staff managing the device for remote support operations, such as powering the system off, updating firmware or viewing the display over the network. Despite a recent and serious bug dubbed ‘iLOBleed’, approximately 24,000 iLO devices are still exposed to the internet and searchable with Google.
What’s the risk to me or my business?
HP servers are very common in business settings and remain a popular choice globally. Most of these servers come with iLO pre-installed, which makes them a lucrative target for attackers when vulnerable, particularly given the low-level access iLO provides. In combination with vulnerabilities like ‘iLOBleed’, exposing iLO to the internet presents low-hanging fruit that may be too attractive to pass up.
What can I do?
Check with your IT team or MSP to ensure that you aren’t exposing anything to the internet that shouldn’t be there, even beyond iLO. Misconfigurations, or services such as Universal Plug and Play (UPnP), can expose devices without your knowledge, leaving you open to attack wherever the exposed systems are vulnerable.
Urgent: We are receiving an increasing number of reports of email addresses ending in cwgsy.net sending phishing emails
Urgent: We are receiving an increasing number of reports of email addresses ending in cwgsy.net sending phishing emails. The most likely cause of this is unauthorised access to the mailbox using credentials harvested from other breaches.
Urgent: We are receiving an increasing number of reports of email addresses ending in cwgsy.net sending phishing emails. The most likely cause of this is unauthorised access to the mailbox using credentials harvested from previous phishing emails in which the victim has unwittingly provided their credentials.
Action: Change the password on your email account as soon as possible via the Sure web portal: https://webmail.sure.com/
Here is the body of the most common phishing email we’ve seen so far:
Subject: Re: Important
I am sending this message from your email box xxx@cwgsy.net for you to know i watch you and see all you do
Hi xxx@cwgsy.net
I am a programmer and a Black Hat Hacker, I had hacked your PC over 6months ago. I kept saving informations you inputted on your device and also store them such as: browsing history, screen recordings, contacts, messages and much more.
I already wanted to forget you, but recently I saw something interesting on your system device .your business transactions and financial details, I have them written down on my notepad and this is very disatrous for you.
I am ready to forget about all this and completely stop accessing your computer and emails. I guarantee I will stop accesing your PC and delete all archives with them. After that I will leave and no longer bother you, but for that I want to have $500 worth of bitcoins in my wallet. You have 48 hours after reading this email. I still control your emails and computer - and I know when you open them and read them.
Don't try to change your email password, everything is under control. Do not try to contact me and answer this letter. I sent it to you from your email address. Take a look at the sender, you will see that I have complete control over your email and your computer.
Bitcoin wallet address:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If you do not know how to buy bitcoins, you can find information on how to buy bitcoins online. If you need help, you can read several articles about it.
I look forward to your actions. If you don't need this data online and with all your friends, send $500 to my wallet ASAP. After that I will erase all data and disappear from your life.
Do not be offended by me. If you pay, nothing happens
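The template quoted above has a recognisable shape: a claim that the sender is writing from the victim's own mailbox, a claim of a long-standing compromise, a bitcoin demand with a wallet address, a short deadline and a warning not to change the password. The following script is an added example (not part of the original post) of a simple mail-filter rule that scores a message on those indicators and on the sender address matching the recipient address, which is the case whether the header is spoofed or the mailbox really was compromised. The sample messages, the indicator weights and the flagging threshold are constructed for this illustration; the wallet address is a placeholder, not one seen in the wild.

```python
"""Heuristic scoring for the 'I hacked your PC, pay in bitcoin' template.

Added example, not the original post's code. Weights and threshold are
this example's own choices and should be tuned against real mail flow.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the quoted template. The address and the
# wallet are placeholders, not real indicators of compromise.
SAMPLE_EMAIL = """From: victim@example.test
To: victim@example.test
Subject: Re: Important

I am sending this message from your email box victim@example.test for you to know i watch you and see all you do
I am a programmer and a Black Hat Hacker, I had hacked your PC over 6months ago.
I want to have $500 worth of bitcoins in my wallet. You have 48 hours after reading this email.
Don't try to change your email password, everything is under control.
Bitcoin wallet address:
bc1qplaceholder0000000000000000000000000000
"""

# Constructed benign message used to show the rule does not fire on normal mail.
BENIGN_EMAIL = """From: alice@example.test
To: bob@example.test
Subject: Lunch tomorrow?

Are you free tomorrow at noon? The usual place works for me.
"""

# (name, weight, pattern) drawn from the wording of the quoted template.
INDICATORS = (
    ("claims_device_hacked", 2, re.compile(r"\bhacked\b", re.I)),
    ("demands_bitcoin", 2, re.compile(r"\bbitcoins?\b", re.I)),
    # Legacy (1/3...) and bech32 (bc1...) address shapes.
    ("contains_btc_address", 3,
     re.compile(r"\b(?:bc1[a-z0-9]{20,}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")),
    ("hour_deadline", 2, re.compile(r"\b\d{1,3}\s*hours\b", re.I)),
    ("dollar_amount", 1, re.compile(r"\$\s?\d[\d,]*")),
    ("discourages_password_change", 2,
     re.compile(r"don.?t\s+try\s+to\s+change\s+your\s+(?:email\s+)?password", re.I)),
    ("claims_sent_from_own_mailbox", 2,
     re.compile(r"from\s+your\s+(?:own\s+)?(?:email\s+box|mailbox|email)", re.I)),
)
SELF_ADDRESSED_WEIGHT = 3   # From: equals To:, whether spoofed or really compromised
FLAG_THRESHOLD = 6          # assumed cut-off for quarantining

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_message(raw):
    """Split a raw RFC 822-style message into a header dict and a body string."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def header_address(headers, name):
    """Return the lower-cased e-mail address from a header, or None."""
    match = EMAIL_RE.search(headers.get(name, ""))
    return match.group(0).lower() if match else None


@dataclass
class Verdict:
    score: int
    hits: list
    flagged: bool


def score_message(raw):
    """Score one message against the sextortion indicators and the self-addressed check."""
    headers, body = split_message(raw)
    hits, score = [], 0
    for name, weight, pattern in INDICATORS:
        if pattern.search(body):
            hits.append(name)
            score += weight
    sender = header_address(headers, "from")
    recipient = header_address(headers, "to")
    if sender and sender == recipient:
        hits.append("self_addressed_sender")
        score += SELF_ADDRESSED_WEIGHT
    return Verdict(score, hits, score >= FLAG_THRESHOLD)


if __name__ == "__main__":
    for label, message in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        verdict = score_message(message)
        print(f"{label}: score={verdict.score} flagged={verdict.flagged} hits={verdict.hits}")
```

The self-addressed check is the most useful single signal here: as the advisory notes, these messages really can come from the victim's own mailbox, so a rule that relies on the From header being forged would miss the compromised-account case. Scoring on the body wording alone, without header checks, is also why the threshold is set so that several indicators must coincide before a message is flagged.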