VMWARE

Cybercriminals Target Linux-based Systems With Ransomware and Cryptojacking Attacks

VMware | February 09, 2022

As the most common cloud operating system, Linux is a core part of digital infrastructure and is quickly becoming an attacker’s ticket into a multi-cloud environment. Current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks that target Linux-based workloads.

VMware, Inc. released a threat report titled “Exposing Malware in Linux-based Multi-Cloud Environments.” Key findings that detail how cybercriminals are using malware to target Linux-based operating systems include:

  • Ransomware is evolving to target Linux host images used to spin up workloads in virtualized environments;
  • 89 percent of cryptojacking attacks use XMRig-related libraries; and
  • More than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly.


“Cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible. Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that compromising a single server can deliver the massive payoff and access they’re looking for. Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data. Unfortunately, current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems.”

Giovanni Vigna, senior director of threat intelligence at VMware

As malware targeting Linux-based operating systems increases in both volume and complexity amid a rapidly changing threat landscape, organizations must place a greater priority on threat detection. In this report, the VMware Threat Analysis Unit (TAU) analyzed the threats to Linux-based operating systems in multi-cloud environments: ransomware, cryptominers, and remote access tools.

Ransomware Targets the Cloud to Inflict Maximum Damage
As one of the leading breach causes for organizations, a successful ransomware attack on a cloud environment can have devastating consequences.(2) Ransomware attacks against cloud deployments are targeted, and are often combined with data exfiltration in a double-extortion scheme that improves the odds of success. A new development shows that ransomware is evolving to target Linux host images used to spin up workloads in virtualized environments. Attackers are now looking for the most valuable assets in cloud environments to inflict the maximum amount of damage on the target. Examples include the Defray777 ransomware family, which encrypted host images on ESXi servers, and the DarkSide ransomware family, which crippled Colonial Pipeline’s networks and caused a nationwide gasoline shortage in the U.S.

Cryptojacking Attacks Use XMRig to Mine Monero
Cybercriminals looking for an instant monetary reward often target cryptocurrencies using one of two approaches: they either build wallet-stealing functionality into malware, or they monetize stolen CPU cycles to mine cryptocurrency in an attack called cryptojacking. Most cryptojacking attacks focus on mining the Monero currency (XMR), and VMware TAU discovered that 89 percent of cryptominers used XMRig-related libraries. For this reason, when XMRig-specific libraries and modules are identified in Linux binaries, it is likely evidence of malicious cryptomining behavior. VMware TAU also observed that defense evasion is the technique most commonly used by cryptominers. Unfortunately, because cryptojacking attacks do not completely disrupt the operations of cloud environments the way ransomware does, they are much more difficult to detect.
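The heuristic above (XMRig-specific strings and modules embedded in a Linux binary as likely evidence of cryptomining) can be turned into a simple triage check for defenders. The following is an added example and is not code from VMware TAU or from the report: it extracts printable strings from a file the way the `strings` tool does, matches them against an indicator list, and flags an ELF file only when at least two distinct indicators appear. The indicator list, the two-indicator threshold, the `scan_binary`/`scan_file` helpers and the two sample byte blobs (`MINER_SAMPLE`, `BENIGN_SAMPLE`) are assumptions constructed for this example; real binaries would be scanned from disk with `scan_file`.

```python
"""Triage check: flag Linux binaries that embed XMRig-related strings.

Added example, not VMware TAU code. The indicator list and threshold are
assumptions; tune them against known-benign and known-miner ELF samples.
"""
import re
import sys
from dataclasses import dataclass, field

# Strings commonly embedded by XMRig builds (assumed indicator list for this example).
XMRIG_INDICATORS = (
    b"xmrig",            # project / binary name
    b"randomx",          # RandomX proof-of-work used by Monero
    b"cryptonight",      # older Monero proof-of-work family
    b"stratum+tcp://",   # mining-pool URL scheme
    b"stratum+ssl://",
    b"donate-level",     # XMRig command-line option
)

ELF_MAGIC = b"\x7fELF"
MIN_STRING_LEN = 6
# Runs of printable ASCII at least MIN_STRING_LEN long, like the `strings` tool.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
# Heuristic threshold: a single hit can be a false positive (e.g. help text
# that merely mentions a pool URL), so require two distinct indicators.
MIN_INDICATORS = 2


@dataclass
class ScanResult:
    is_elf: bool
    # indicator -> list of extracted strings that contain it
    matched: dict = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        return self.is_elf and len(self.matched) >= MIN_INDICATORS


def extract_strings(data: bytes) -> list:
    """Return printable ASCII runs from raw file bytes."""
    return _PRINTABLE.findall(data)


def scan_binary(data: bytes) -> ScanResult:
    """Match extracted strings (case-insensitively) against the indicator list."""
    result = ScanResult(is_elf=data.startswith(ELF_MAGIC))
    for s in extract_strings(data):
        low = s.lower()
        for indicator in XMRIG_INDICATORS:
            if indicator in low:
                result.matched.setdefault(indicator.decode(), []).append(s.decode())
    return result


def scan_file(path: str) -> ScanResult:
    """Scan a file on disk; intended for ELF binaries found on a Linux host."""
    with open(path, "rb") as fh:
        return scan_binary(fh.read())


# Constructed samples (not real binaries): ELF magic, padding, NUL-separated strings.
def _fake_elf(*strings: bytes) -> bytes:
    return ELF_MAGIC + b"\x00" * 12 + b"\x00".join(strings) + b"\x00"


MINER_SAMPLE = _fake_elf(
    b"/lib64/ld-linux-x86-64.so.2",
    b"XMRig miner sample",
    b"randomx_init_cache",
    b"stratum+tcp://pool.example.invalid:3333",
    b"--donate-level=1",
)
BENIGN_SAMPLE = _fake_elf(
    b"/lib64/ld-linux-x86-64.so.2",
    b"Usage: ls [OPTION]... [FILE]...",
    b"GLIBC_2.34",
)

if __name__ == "__main__":
    # With file paths as arguments, scan those; otherwise scan the built-in samples.
    targets = sys.argv[1:]
    results = ([(p, scan_file(p)) for p in targets] if targets
               else [("MINER_SAMPLE", scan_binary(MINER_SAMPLE)),
                     ("BENIGN_SAMPLE", scan_binary(BENIGN_SAMPLE))])
    for name, r in results:
        verdict = "SUSPICIOUS" if r.suspicious else "clean"
        print(f"{name}: elf={r.is_elf} {verdict} indicators={sorted(r.matched)}")
```

The check is a triage aid rather than a verdict: XMRig is also installed legitimately by administrators, and stripped or packed miners may carry none of these strings, which is why the report's observation that defense evasion is the miners' most common technique matters. Pair string-based triage with behavioural signals such as sustained CPU usage and outbound connections to pool ports.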

Cobalt Strike Is Attackers’ Remote Access Tool of Choice
In order to gain control and persist within an environment, attackers look to install an implant on a compromised system that gives them partial control of the machine. Malware, webshells, and Remote Access Tools (RATs) can all serve as implants that give attackers remote access to a compromised system. One of the primary implants used by attackers is Cobalt Strike, a commercial penetration testing and red team tool, along with its recent Linux-based variant, Vermilion Strike. Since Cobalt Strike is such a ubiquitous threat on Windows, its expansion to Linux-based operating systems demonstrates the desire of threat actors to use readily available tools that target as many platforms as possible.

VMware TAU discovered more than 14,000 active Cobalt Strike Team Servers on the Internet between February 2020 and November 2021. The total percentage of cracked and leaked Cobalt Strike customer IDs is 56 percent, meaning that more than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly. The fact that RATs like Cobalt Strike and Vermilion Strike have become a commodity tool for cybercriminals poses a significant threat to enterprises.

“Since we conducted our analysis, even more ransomware families were observed gravitating to malware targeting Linux-based systems, with the potential for additional attacks that could leverage the Log4j vulnerabilities,” said Brian Baskin, manager of threat research at VMware. “The findings in this report can be used to better understand the nature of this malware and mitigate the growing threat that ransomware, cryptomining, and RATs have on multi-cloud environments. As attacks targeting the cloud continue to evolve, organizations should adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface.”


Methodology
The VMware Threat Analysis Unit (TAU) helps protect customers from cyberattacks through innovation and world-class research. TAU is composed of malware analysts, reverse engineers, threat hunters, data scientists, and intelligence analysts at VMware. To understand how to detect and prevent attacks that bypass traditional, file-centric prevention strategies, TAU focuses on techniques that were once the domain of advanced hackers and are now moving downstream into the commodity attack market. The team leverages real-time big data, event stream processing, static, dynamic and behavioral analytics, and machine learning.

TAU applied a combination of static and dynamic techniques to characterize various families of malware observed on Linux-based systems, based on a curated dataset of metadata associated with Linux binaries. All the samples in this dataset are public and can therefore be easily accessed through VirusTotal or the websites of major Linux distributions. TAU collected more than 11,000 benign samples from several Linux distributions, namely Ubuntu, Debian, Mint, Fedora, CentOS, and Kali. TAU then collected a dataset of samples for two classes of threats, namely ransomware and cryptominers. Finally, TAU collected a dataset of malicious ELF binaries from VirusTotal that was used as a test malicious dataset. TAU started collecting the dataset in June 2021 and concluded in November 2021.

About VMware
VMware is a leading provider of multi-cloud services for all apps, enabling digital innovation with enterprise control. As a trusted foundation to accelerate innovation, VMware software gives businesses the flexibility and choice they need to build the future. Headquartered in Palo Alto, California, VMware is committed to building a better future through the company’s 2030 Agenda.


Other News
SERVER VIRTUALIZATION

Leading Danish Service Provider Nuuday Selects Netcracker as a Strategic Partner for Major IT Transformation Program

Netcracker Technology | June 29, 2022

Netcracker Technology and Nuuday announced today that Nuuday, the largest telecom service provider in Denmark, has selected Netcracker as its strategic partner for the largest IT transformation program in the Nordic region. Netcracker’s cloud-native, microservices-based Digital BSS/OSS portfolio and Professional Services will serve as the cornerstone of the project to help the service provider eliminate legacy solutions, quickly launch new services and create superior digital customer journeys. The transformation program will support all of Nuuday’s lines of business, including broadband, TV, mobile and B2B services. Nuuday will also leverage Netcracker Managed Services for the solution, which will be hosted in the public cloud.

“We are now making the largest IT investment in our company history with the purpose of replacing complex systems and re-engineering our commercial and operational processes to make life easier for our customers,” said Jon James, CEO of Nuuday. “We want to accelerate our pace of innovation and transform Nuuday into one of the most digital and advanced telcos in Europe.”

“Netcracker is thrilled to partner with Nuuday through this strategic initiative to modernize its BSS and OSS systems,” said Benedetto Spaziani, GM at Netcracker. “Netcracker is making its mark in the Nordics, and we are excited for the opportunity to help realize Nuuday’s vision to become best in class.”

“In Netcracker, we have found the perfect partner with a solid delivery record and previous success with large IT transformation projects. Together with Netcracker, we will apply a best-of-suite approach and build a new modern IT stack that will allow Nuuday to concentrate on customers, channel management and product innovation.”

Monika Gullin, CTO of Nuuday

About Netcracker Technology
Netcracker Technology, a wholly owned subsidiary of NEC Corporation, offers mission-critical digital transformation solutions to service providers around the globe. Our comprehensive portfolio of software solutions and professional services enables large-scale digital transformations, unlocking the opportunities of the cloud, virtualization and the changing mobile ecosystem. With an unbroken service delivery track record of more than 25 years, our unique combination of technology, people and expertise helps companies transform their networks and enable better experiences for their customers.

About Nuuday
Nuuday is a united family of strong and well-known brands with the shared purpose of making sense with technology. Our family consists of YouSee, Telmore, Hiper, Blockbuster, TDC Erhverv, NetDesign, YouTV, eesy and Relatel, and together we represent the TV, broadband, network, telephony and entertainment of the future. We deliver innovative digital services to most Danish households and businesses across cross-functional teams, 33 nationalities and more than 3,800 unique colleagues. As Denmark’s leading digital service provider, we aspire to use technology to create a more meaningful future for our customers and society.

CLOUD

SeekGene Increases Efficiency by 500% by Leveraging MemVerge Memory Machine in the Cloud

SeekGene | May 13, 2022

MemVerge™, the pioneers of Big Memory software, today announced that SeekGene, a biotechnology research firm focusing on single-cell technology, has significantly reduced processing time and cost for data-intensive single-cell analysis tasks using MemVerge Memory Machine running on AliCloud i4p compute instances. As a result, SeekGene is seeing a five-fold increase in output per virtual machine (VM) in its analytical operations. In particular, the data loading and exporting performance of its single-cell sequencing pipeline has improved by two orders of magnitude, and it has doubled the sample size of the dataset used in the analyses.

SeekGene is a biotechnology enterprise focusing on single-cell technology that supports clinical diagnosis and the development of precision medicine. The medical biopharmaceutical organization owns an exclusive microporous chip and water-in-oil dual technology platform and performs independent research and development of high-throughput single-cell products, experiments, and full-chain services for bioinformatics analysis. SeekGene's SeekOne NGS single-cell library platform, the SeekGene Online automated online data analysis platform, and its proprietary droplet-method and micropore-method dual-platform sequencing capabilities provide data analysis for international scientific researchers.

The sequencing services are deployed on AliCloud. However, because analytical processes use expression data as high as hundreds of thousands of reads, sequencing analysis can fail on traditional VM instances due to insufficient memory. In addition, the export and loading of temporary data on disk during sequencing tasks can also be extremely lengthy. Using MemVerge Memory Machine Cloud Edition software running on AliCloud i4p VM instances, which feature Intel Optane persistent memory (PMem), SeekGene is now able to use large memory resources with no change to its code. This allows SeekGene to double its sample size and enables up to five times more concurrent processes to run. Further, with MemVerge Memory Machine Cloud Edition, SeekGene is able to improve data loading and exporting performance by two orders of magnitude by eliminating the I/O bottleneck caused by disk reads and writes. Specifically:

  • On a traditional VM instance which uses NVMe SSD to save temporary data, it takes over 15 minutes to store the dataset. By employing MemVerge Memory Machine snapshot technology, saving the data takes only 2.5 seconds.
  • When compared to AliCloud ECS.g5, the previous AliCloud VM instance used by SeekGene, the AliCloud ECS.i4p, together with MemVerge Memory Machine technology, enables SeekGene to run five concurrent tasks, each with twice the size of the original dataset.

"Using MemVerge Memory Machine, we are able to employ large memory resources in the cloud without refactoring our code, and eliminate the delay caused by storage I/O otherwise required in our pipelines," said Xingyong Ma, Co-founder and Chief Scientist of SeekGene. "As a result, we are able to cut our analytical time and costs significantly while optimizing our single-cell sequencing capabilities for researchers worldwide to promote faster development of precision medicine."

"The SeekGene use case is a typical example of how biotechnology researchers can revolutionize their computational analyses by leveraging Big Memory technology in the cloud. These data intensive workloads can now be performed at record speeds and at dramatically lower cost. For the biotechnology industry, this can be a true gamechanger."

Jonathan Jiang, Chief Operating Officer, MemVerge

MemVerge Memory Machine enables applications to utilize 100% of available memory capacity across multiple memory types with no code refactoring required, while providing new operational capabilities to memory-centric workloads. MemVerge Memory Machine Cloud Edition extends these benefits to cloud workloads, delivering memory virtualization, in-memory fault tolerance and mobility services that organizations can easily add to their cloud infrastructure. Stateful, non-fault-tolerant, and long-running apps can now realize the promise of cloud agility and flexibility.

About MemVerge
MemVerge is pioneering Big Memory Computing for a multi-cloud world. Major gaps exist in today's cloud infrastructure for data-intensive high-performance applications. MemVerge® Memory Machine™ delivers software-defined, composable memory and intelligent memory services to bridge these gaps. As a software leader in the CXL ecosystem, MemVerge composable memory technology provisions, tiers, disaggregates, and pools heterogeneous memory to scale memory capacity and decrease memory cost. MemVerge ZeroIO™ in-memory snapshot services transparently checkpoint, clone, replicate, and restore running applications anytime, anywhere in a multi-cloud computing environment. Overall, Big Memory Computing technologies shorten time-to-results and are delivering unprecedented in-memory application availability and mobility for leading enterprises, research institutions and cloud service providers. MemVerge aims to democratize data-intensive compute for researchers, scientists, analysts and engineers around the world, and liberate all workloads to move in multi-cloud environments everywhere.

VMWARE

CISA recommends VMware, F5 patches. Liquidity mining fraud. Strapi issues patched. TDI clarifies data incident.

CISA | May 20, 2022

VMware yesterday addressed issues in several of its products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. That these are more significant than the ordinary run of patches may be seen from the way the US Cybersecurity and Infrastructure Security Agency (CISA) has discussed them. Alert AA22-138B, "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control," warns that "malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination." The Alert adds, "CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied." US Federal civilian agencies have until next Monday to identify and remediate the issues, and they're required to report completion no later than Tuesday.

Fraudulent liquidity mining
Sophos describes the way the threat of fraudulent liquidity mining is shaping up in decentralized finance systems. "Legitimate liquidity mining exists to make it possible for decentralized finance (DeFi) networks to automatically process digital currency trades," Sophos explains, and criminals are using social engineering to abuse such systems to defraud cryptocurrency investors of their holdings. More loosely regulated than conventional cryptocurrency exchanges, which use market makers and seek to ensure that sufficient reserves are on hand to back trades, DeFi exchanges use Automated Market Makers (AMMs). Sophos explains that "Smart contracts built into the DeFi network have to rapidly determine the relative value of the currencies being exchanged and execute the trade. Since there is no centralized pool of crypto for these distributed exchanges to pull from to complete trades, they rely on crowdsourcing to provide the pool of cryptocurrency capital required to complete a trade—a liquidity pool." Liquidity pool tokens ("LP tokens") are used to represent the portion of the liquidity pool an investor contributed. But unethical DeFi operators can cancel the tokens (or simply not create a pool to back them in the first place), and this, Sophos observes, offers "ample opportunity for digital Ponzi schemes, fraudulent tokens, and flat-out theft."

CMS vulnerabilities disclosed and patched
The Synopsys Cybersecurity Research Center (CyRC) has identified two vulnerabilities in Strapi. Strapi is an open-source, JavaScript-based headless content management system (CMS) that enables developers to quickly design and build content-rich APIs. Both vulnerabilities allow authenticated users with access to the Strapi admin panel to read private and sensitive data, such as email addresses and password reset tokens. The first vulnerability allows the authenticated user to view private and sensitive data for other admin panel users that have a relationship with content accessible to the authenticated user. The second vulnerability allows the authenticated user to view private and sensitive data for API users if content types accessible to the authenticated user contain relationships to API users. The vulnerabilities are fixed in newer, updated versions of Strapi, and Synopsys has commended Strapi for its quick response to the discovery.

Texas Department of Insurance clarifies facts surrounding its data incident
The Texas Department of Insurance (TDI) has sent around a fact sheet that clarifies a data incident the agency sustained earlier this year: "In January 2022, TDI found the issue was due to a programming code error that allowed internet access to a protected area of the application. TDI promptly disconnected the web application from the internet. After correcting the programming code, TDI placed the web application back online. The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed by people outside TDI. Because we couldn't rule out access, we took steps to notify those who may have been affected." While data could have been accessed by unauthorized personnel, TDI has investigated and found that, "There is no evidence to date that there was a misuse of information."

VIRTUAL DESKTOP TOOLS

VMware and Award-Winning Cyber Security Leader guardDog.ai Announce Partnership for Virtual Implementations at 2022 VMware Explore

guardDog | August 10, 2022

Guard Dog Solutions, Inc., dba guardDog.ai, and VMware are now partnered. guardDog.ai is launching the VMware implementation of its Fido 3 technology at the 2022 VMware Explore event at the Moscone Center in San Francisco Aug. 29 – Sept. 1, in booth 1914. As the award-winning leader in real-time cyber security protection for business and consumers, guardDog.ai is using VMware’s Tanzu containerization technology to support hardware-free and entirely remote deployment and management of cyber security protection for any size MSSP or organization.

guardDog’s subscription-based Fido technology uses patent-pending artificial intelligence from the company’s cloud-based Autonomous Incident Response (AiR) database to pre-emptively recognize all devices connected to a network (including, most especially, the IoT and smart device connections that device management solutions can’t see). The solution exposes and shuts down most cybersecurity threats before exploits can happen, protecting users and organizations from threats such as ransomware, man-in-the-middle attacks, denial of service, and emerging novel threats, protecting networks and the devices attached to them.

“Full virtualization has been on our product roadmap from the date of our inception. I have had the opportunity to partner with VMware through multiple organizations I have founded and led, and am particularly compelled by the power of the containerization architecture exemplified in VMware Tanzu. We are extremely pleased to provide what we believe is one of the most exemplary use cases for Tanzu implementation, and we look forward to using this technology to protect users and networks and to move the needle on the war against cybersecurity for many seasons to come.”

Peter Bookman, CEO and founder of guardDog.ai

“The implementation of guardDog.ai Fido 3 as a containerized appliance is a game changer, creating opportunities for anyone who wants to keep bad actors out of their systems,” says industry veteran CIO Steve O'Donnell. “A wide variety of industry colleagues and I have had the opportunity to test Fido pre-launch and can report that it operates as advertised, it is fully automated, simple to implement and provides effective protection that can be deployed anywhere.”

With the VMware implementation of guardDog.ai’s Fido technology, MSSPs and IT departments can now replace the Fido hardware plugins with entirely virtual and remotely manageable implementations. This provides exceptional economy and the ability to deploy and manage guardDog’s protection remotely, from a single location, for any size of organization or IT customer base. guardDog.ai uses AI-driven overlay technology in Fido to find and protect users and networks from attempted cyberattacks in less than two milliseconds, by identifying the threats that device and network management solutions can’t see and proactively halting potential exploits before they begin. In both wired and Wi-Fi networks, Fido protects the network and its device users from threats across the entire attack surface, and most especially within the edge territory outside the perimeter of the network or on attached devices that other solutions cannot see. These include the myriad of IoT (Internet of Things) devices such as specialized health monitoring equipment, printers, doorbells, thermostats, smart refrigerators, smart pens, smart TVs, and game systems that are inherently vulnerable to the networks they join.

Thanks to the VMware partnership and implementation, the ability to obtain and deploy virtualized Fido technology also eliminates the supply chain issues of availability delays, while allowing for instant and continual updates to the AiR database of known threats and suspicious network behavior. For all implementations, the virtualized alternatives for guardDog’s Fido v3 technology are making it possible to cover all areas of the potential attack surface with far greater economy and ease than before.

About guardDog.ai
Guard Dog Solutions Inc., dba guardDog.ai and headquartered in Salt Lake City, Utah, has developed a cloud-based Autonomous Incident Response (AiR) cyber security software service that works together with a companion Fido unit to simplify network security. The solution provides protection and visibility as it exposes invisible threats on networks and the devices attached to them, with patented technology to address and prevent cybersecurity threats before they compromise network environments. Every business, government, healthcare institution, home consumer, or other organization is grappling to find security solutions that adapt to this changing world. guardDog.ai is pioneering new innovations designed to meet these challenges.
