VMware | February 09, 2022
As the most common cloud operating system, Linux is a core part of digital infrastructure and is quickly becoming an attacker’s ticket into a multi-cloud environment. Current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks that target Linux-based workloads.
VMware, Inc. released a threat report titled “Exposing Malware in Linux-based Multi-Cloud Environments.” Key findings that detail how cybercriminals are using malware to target Linux-based operating systems include:
Ransomware is evolving to target Linux host images used to spin workloads in virtualized environments;
89 percent of cryptojacking attacks use XMRig-related libraries; and
More than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly.
“Cybercriminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible. Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that compromising a single server can deliver the massive payoff and access they’re looking for. Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data. Unfortunately, current malware countermeasures are mostly focused on addressing Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems.”
Giovanni Vigna, senior director of threat intelligence at VMware
As malware targeting Linux-based operating systems increases in both volume and complexity amid a rapidly changing threat landscape, organizations must place a greater priority on threat detection. In this report, the VMware Threat Analysis Unit (TAU) analyzed the threats to Linux-based operating systems in multi-cloud environments: ransomware, cryptominers, and remote access tools.
Ransomware Targets the Cloud to Inflict Maximum Damage
As one of the leading breach causes for organizations, a successful ransomware attack on a cloud environment can have devastating consequences. Ransomware attacks against cloud deployments are targeted, and are often combined with data exfiltration, implementing a double-extortion scheme that improves the odds of success. A new development shows that ransomware is evolving to target Linux host images used to spin up workloads in virtualized environments. Attackers are now looking for the most valuable assets in cloud environments to inflict the maximum amount of damage to the target. Examples include the Defray777 ransomware family, which encrypted host images on ESXi servers, and the DarkSide ransomware family, which crippled Colonial Pipeline’s networks and caused a nationwide gasoline shortage in the U.S.
Cryptojacking Attacks Use XMRig to Mine Monero
Cybercriminals looking for an instant monetary reward often target cryptocurrencies using one of two approaches. Cybercriminals either include wallet-stealing functionality in malware or they monetize stolen CPU cycles to successfully mine cryptocurrencies in an attack called cryptojacking. Most cryptojacking attacks focus on mining the Monero currency (or XMR) and VMware TAU discovered that 89 percent of cryptominers used XMRig-related libraries. For this reason, when XMRig-specific libraries and modules in Linux binaries are identified, it is likely evidence of malicious cryptomining behavior. VMware TAU also observed that defense evasion is the most commonly used technique by cryptominers. Unfortunately, because cryptojacking attacks do not completely disrupt the operations of cloud environments like ransomware, they are much more difficult to detect.
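One defender-side way to turn that observation into a triage check, as an added example that is not code from the VMware report: read a Linux ELF image, pull out its printable strings the way strings(1) does, and match them against a short list of XMRig-related indicators. The indicator list, the two-hit threshold and the sample byte strings are constructed assumptions for illustration, not values from the report.

```python
"""Heuristic triage of ELF binaries for XMRig-related indicator strings.

Added example. The indicators below are assumptions chosen for illustration
(the miner's own name, stratum pool URL schemes, its PoW algorithm names);
a production rule set would be curated from analysed samples.
"""
import re
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"

# Assumed indicators: lowercase substrings associated with XMRig-linked binaries.
XMRIG_INDICATORS = (
    b"xmrig",
    b"stratum+tcp://",
    b"stratum+ssl://",
    b"cryptonight",
    b"randomx",
    b"donate-level",
)

# Runs of 6+ printable ASCII bytes, equivalent to `strings -n 6`.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


@dataclass
class Verdict:
    is_elf: bool
    hits: dict = field(default_factory=dict)  # indicator -> matching strings

    @property
    def suspicious(self) -> bool:
        # Triage threshold (assumption): an ELF with two or more distinct indicators.
        return self.is_elf and len(self.hits) >= 2


def extract_strings(data: bytes):
    """Yield printable ASCII runs of at least 6 bytes from a binary blob."""
    for m in PRINTABLE_RUN.finditer(data):
        yield m.group(0)


def scan_elf(data: bytes) -> Verdict:
    """Collect indicator hits from an ELF image; non-ELF input is never flagged."""
    verdict = Verdict(is_elf=data[:4] == ELF_MAGIC)
    if not verdict.is_elf:
        return verdict
    for s in extract_strings(data):
        low = s.lower()
        for ind in XMRIG_INDICATORS:
            if ind in low:
                verdict.hits.setdefault(ind.decode(), []).append(s.decode())
    return verdict


# Constructed samples: a minimal ELF header stub followed by embedded strings.
_HDR = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
SAMPLE_MINER = _HDR + (b"\x00XMRig 6.16.0\x00stratum+tcp://pool.example.invalid:3333"
                       b"\x00rx/0 (RandomX)\x00--donate-level=1\x00")
SAMPLE_BENIGN = _HDR + b"\x00/lib64/ld-linux-x86-64.so.2\x00GLIBC_2.2.5\x00"

if __name__ == "__main__":
    for name, blob in (("miner", SAMPLE_MINER), ("benign", SAMPLE_BENIGN)):
        v = scan_elf(blob)
        print(f"{name}: suspicious={v.suspicious} hits={sorted(v.hits)}")
```

String matching is a first-pass filter only; legitimate software that links mining libraries, or a packed miner whose strings are encrypted, will respectively produce false positives and false negatives.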
Cobalt Strike Is Attackers’ Remote Access Tool of Choice
In order to gain control and persist within an environment, attackers look to install an implant on a compromised system that gives them partial control of the machine. Malware, webshells, and Remote Access Tools (RATs) can all serve as implants that give attackers remote access to a compromised system. One of the primary implants used by attackers is Cobalt Strike, a commercial penetration testing and red team tool, along with its recent Linux-based variant, Vermilion Strike. Since Cobalt Strike is such a ubiquitous threat on Windows, its expansion to Linux-based operating systems demonstrates the desire of threat actors to use readily available tools that target as many platforms as possible.
VMware TAU discovered more than 14,000 active Cobalt Strike Team Servers on the Internet between February 2020 and November 2021. The total percentage of cracked and leaked Cobalt Strike customer IDs is 56 percent, meaning that more than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly. The fact that RATs like Cobalt Strike and Vermilion Strike have become a commodity tool for cybercriminals poses a significant threat to enterprises.
“Since we conducted our analysis, even more ransomware families were observed gravitating to malware targeting Linux-based systems, with the potential for additional attacks that could leverage the Log4j vulnerabilities,” said Brian Baskin, manager of threat research at VMware. “The findings in this report can be used to better understand the nature of this malware and mitigate the growing threat that ransomware, cryptomining, and RATs have on multi-cloud environments. As attacks targeting the cloud continue to evolve, organizations should adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface.”
The VMware Threat Analysis Unit (TAU) helps protect customers from cyberattacks through innovation and world-class research. TAU is composed of malware analysts, reverse engineers, threat hunters, data scientists, and intelligence analysts at VMware. To understand how to detect and prevent attacks that bypass traditional, file-centric prevention strategies, TAU focuses on techniques that were once the domain of advanced hackers and are now moving downstream into the commodity attack market. The team leverages real-time big data, event stream processing, static, dynamic and behavioral analytics, and machine learning.
TAU applied a composition of static and dynamic techniques to characterize various families of malware observed on Linux-based systems based on a curated dataset of metadata associated with Linux binaries. All the samples in this dataset are public and therefore they can be easily accessed using VirusTotal or various websites of major Linux distributions. TAU collected more than 11,000 benign samples from several Linux distributions, namely, Ubuntu, Debian, Mint, Fedora, CentOS, and Kali. TAU then collected a dataset of samples for two classes of threats, namely ransomware and cryptominers. Finally, TAU collected a dataset of malicious ELF binaries from VirusTotal that were used as a test malicious dataset. TAU started collecting the dataset in June 2021 and concluded in November 2021.
VMware is a leading provider of multi-cloud services for all apps, enabling digital innovation with enterprise control. As a trusted foundation to accelerate innovation, VMware software gives businesses the flexibility and choice they need to build the future. Headquartered in Palo Alto, California, VMware is committed to building a better future through the company’s 2030 Agenda.
Mavenir | February 24, 2022
Mavenir, the Network Software Provider building the future of networks with cloud-native software that runs on any cloud and transforms the way the world connects, announces a wide portfolio of O-RAN compliant Radio Units (RUs), expanding the Open RAN radio ecosystem to provide Communications Service Providers (CSPs) with a wider choice of radios as they progress in rolling out open and interoperable networks.
OpenBeam, the Future of Radio, is providing CSPs with a comprehensive portfolio of O-RAN compliant radio products spanning micro, macro, millimeter wave (mmWave) and massive MIMO (mMIMO) to support Open RAN deployments in 2022 and beyond.
The OpenBeam radio portfolio covers a wide range of spectrum, both licensed and unlicensed, and strictly follows the philosophy of open interfaces and the O-RAN 7.2 interface to which Mavenir is strongly committed with its Open RAN CU/DU products. OpenBeam radios will be available to the Open RAN ecosystem, including vendors, operators, and system integrators.
According to Dell’Oro’s January 2022 report, total Open RAN revenues remain on track to approach $6B, or 15% of the overall RAN market, by 2026. Additionally, in the Remote Radio Unit (RRU) and Active Antenna Unit (AAU) segments, Open RAN units show a CAGR of more than 50% versus a declining number of traditional legacy radios.
Alongside a strong existing ecosystem of partners that Mavenir MAVair Open vRAN interworks with (more than 15 O-RAN RRU partners), the new OpenBeam suite provides an innovative and comprehensive radio portfolio that is specifically designed for the growing needs of CSPs with agile, cost-efficient, smart radios to meet critical demands on the network now, and as the network changes and expands.
The radio solutions can be used for a wide range of use cases, including basic coverage across all frequency bands for enterprise, urban and rural deployment opportunities. The robust set of options addresses the need of CSPs to be agile and cost-efficient, with low power consumption and low wind load, and the radios are built with integrated intelligence and automation. Designed for the growing needs of everything from private enterprises to public networks, the portfolio supports both new and legacy radio access technologies. All radios have a modular design, using proven technology to support both beamforming and multi-band needs.
“We have engaged with customers globally to curate a comprehensive O-RAN portfolio that addresses the needs of both private enterprises as well as traditional communication providers. OpenBeam portfolio covers a wide range of deployment scenarios starting from micro-RUs to 64TR Massive MIMO Radios. OpenBeam radios deliver industry-leading performance and energy efficiency packed in a small footprint.”
Rajesh Srinivasa, Senior Vice President of Radio Business Unit at Mavenir
Pardeep Kohli, Chief Executive Officer at Mavenir, said, “With the incredible growth of virtualization and Open RAN, we always believed that the ecosystem had to be accelerated as this is fundamental for the success of the future of networks. Mavenir has been working with many partners in the ecosystem, and we have also injected more direct contributions when it comes to innovative design.
“Mavenir is a strong believer in new generation software-based networks which are orchestrated by artificial intelligence (AI) and analytics software and adapt in a dynamic way to the user behaviors and market demands. The intelligent, dynamic and adaptable software, together with strong underlying automation, is what drives innovation in the future of networks.”
Mavenir is building the future of networks and pioneering advanced technology, focusing on the vision of a single, software-based automated network that runs on any cloud. As the industry's only end-to-end, cloud-native network software provider, Mavenir is focused on transforming the way the world connects, accelerating software network transformation for 250+ Communications Service Providers in over 120 countries, which serve more than 50% of the world’s subscribers.
Liquidware | February 08, 2022
Liquidware, the leader in digital workspace management, announced that CRN, a brand of The Channel Company, has named Anthony Keller, Director, US Channels, Liquidware, to its 2022 Channel Chiefs list. CRN's annual Channel Chiefs project identifies top IT channel vendor executives who continually demonstrate expertise, influence and innovation in channel leadership.
A panel of CRN editors selected the honorees for their channel dedication, industry stature and accomplishments as channel advocates. The 2022 Channel Chiefs are influential leaders who continue to shape the IT channel with innovative strategies, programs and partnerships.
"Having been a previous recipient of this accolade, I am delighted that Anthony's efforts in reinvigorating our channel and his leadership have been recognized. For 2022, we will accelerate our 'channel first' strategy to help further expand our existing Enterprise focus. This recognition for Anthony signals Liquidware's enhanced focus on deep relationships with leading 'trusted advisor' channel organizations."
Chris Akerberg, President and COO, Liquidware
During 2021, Anthony and his channel team achieved the following results:
Increased active channel partners by 30%
Average deal size through the channel grew by 70%
Registered deal pipeline grew by 18%
License sales through the channel increased 28% year-on-year
Anthony holds an MBA from St. John's University, graduating in the top 10 percent of his class. Starting his career at AppSense, Anthony moved to VMware to build and scale the newly created VMware Cloud Provider Program, working closely with MSPs. During his six years at VMware he was part of a team that grew the SaaS business 30%+ year-on-year. Having focused on the EUC space throughout his career, he found that joining Liquidware to build and scale its channel program was a natural career progression.
XenTegra is a Liquidware Center of Excellence and Acceler8 partner; its CEO, Andy Whiteside, commented, "Partnering with Liquidware is a pleasure for the team at XenTegra. Their solutions solve problems that our Digital Workspace focused company needs to help our customers. They understand how VARs work and communicate with us weekly to drive solution-oriented outcomes for the customers we both serve."
"CRN's 2022 Channel Chiefs recognition is given exclusively to the foremost channel executives who consistently design, promote, and execute effective partner programs and strategies," said Blaine Raddon, CEO of The Channel Company. "We're thrilled to recognize the tireless work and unwavering commitment these honorees put into fostering outstanding business innovation and building strong partner programs to drive channel engagement and success."
Liquidware is a leader in digital workspace management solutions for Windows workspaces. The company's products encompass all facets of management to ensure the ultimate user experience across all workspaces – physical, virtual, DaaS or in the cloud. Enterprises across the globe utilize Liquidware solutions to dramatically decrease time spent managing workspaces, while delivering increased security, flexibility and scalability. Supported platforms include Microsoft physical, Azure Virtual Desktop (AVD), and RDS desktops, Citrix Virtual Apps and Desktops, VMware Horizon, Amazon WorkSpaces, and Nutanix Frame. Liquidware products are available through a global network of partners.
About The Channel Company
The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers, and end users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace.
CISA | May 20, 2022
VMware yesterday addressed issues in several of its products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The way the US Cybersecurity and Infrastructure Security Agency (CISA) has discussed these patches shows that they are more significant than the ordinary run. Alert (AA22-138B), "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control," warns that "malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination." The Alert adds, "CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied." US Federal civilian agencies have until next Monday to identify and remediate the issues, and they're required to report completion no later than Tuesday.
Fraudulent liquidity mining.
Sophos describes the way the threat of fraudulent liquidity mining is shaping up in decentralized finance systems. "Legitimate liquidity mining exists to make it possible for decentralized finance (DeFi) networks to automatically process digital currency trades," Sophos explains, and criminals are using social engineering to abuse such systems to defraud cryptocurrency investors of their holdings.
More loosely regulated than conventional cryptocurrency exchanges, which use market makers and seek to ensure that sufficient reserves are on hand to back trades, DeFi exchanges use Automated Market Makers (AMMs). Sophos explains that "Smart contracts built into the DeFi network have to rapidly determine the relative value of the currencies being exchanged and execute the trade. Since there is no centralized pool of crypto for these distributed exchanges to pull from to complete trades, they rely on crowdsourcing to provide the pool of cryptocurrency capital required to complete a trade—a liquidity pool." Liquidity pool tokens, ("LP tokens") are used to represent the portion of the liquidity pool an investor contributed. But unethical DeFi operators can cancel the tokens (or simply not create a pool to back them in the first place), and this, Sophos observes, offers "ample opportunity for digital Ponzi schemes, fraudulent tokens, and flat-out theft."
CMS vulnerabilities disclosed and patched.
Texas Department of Insurance clarifies facts surrounding its data incident.
The Texas Department of Insurance (TDI) has sent around a fact sheet that clarifies a data incident the agency sustained earlier this year: "In January 2022, TDI found the issue was due to a programming code error that allowed internet access to a protected area of the application. TDI promptly disconnected the web application from the internet. After correcting the programming code, TDI placed the web application back online. The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed by people outside TDI. Because we couldn't rule out access, we took steps to notify those who may have been affected." While data could have been accessed by unauthorized personnel, TDI has investigated and found that "There is no evidence to date that there was a misuse of information."