Issue 08: SEXi Ransomware Demands $140 Million Ransom, LockBit's Failed Comeback and More
CloudGuard
We help organisations proactively detect and automatically remediate cyber threats in real-time.
Top stories – 05 April 2024
Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
A critical supply-chain compromise has been discovered in XZ Utils, the open-source compression library (liblzma) shipped by every major Linux distribution, enabling remote code execution. Tracked as CVE-2024-3094 with a CVSS score of 10.0, it was brought to light by Microsoft engineer and PostgreSQL developer Andres Freund, who noticed unusual CPU usage by sshd processes during logins and traced it to a backdoor in the library. When the backdoored liblzma is loaded into sshd, a remote attacker holding the right key can bypass secure shell (SSH) authentication and run commands with the privileges of the sshd daemon, gaining complete control of the affected host.
The malicious code was inserted by a project maintainer, Jia Tan (also known as Jia Cheong Tan or JiaT75), in a long-term operation that began nearly two years earlier. Tan gradually built credibility within the XZ project community and was eventually given maintainer responsibilities. The operation involved sockpuppet accounts used to manipulate the project's maintenance structure, culminating in the release of the compromised versions 5.6.0 and 5.6.1 of XZ Utils.
The incident has been described as a complex, possibly state-sponsored operation because of its sophistication and planning. Technically, the backdoor hooks sshd's RSA public-key handling so that a payload carried in an SSH certificate presented by the attacker is executed before authentication completes; because the payload must be signed with the attacker's private key, only the backdoor's operators can trigger it, but that is no comfort to any internet-exposed machine running a vulnerable package. Two practitioner caveats: the malicious code only reaches sshd on builds where sshd links liblzma (typically through distribution patches that pull in libsystemd), and the injected build-time payload shipped in the 5.6.0 and 5.6.1 release tarballs rather than in the project's git tree, so rebuilding from a checked-out tag and packaging from a tarball are not equivalent.
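The following POSIX shell script is an added triage example for this story, not code from the newsletter or from the xz project. It applies the two checks described above: whether the installed xz/liblzma is one of the two backdoored releases (parsed from the first line of `xz --version`), and whether the local sshd binary links liblzma at all (parsed from `ldd`). The path fallback `/usr/sbin/sshd` and the `--run` flag are the example's own conventions; the version check is deliberately a first pass and says nothing about a vendored or rebuilt liblzma.

```shell
#!/bin/sh
# Added example (not from the newsletter or the xz project): quick triage for
# CVE-2024-3094. Check 1: is the installed xz/liblzma 5.6.0 or 5.6.1?
# Check 2: does the local sshd load liblzma at all (the backdoor only reaches
# sshd on builds that link liblzma, usually via a libsystemd notification patch)?
# A clean version result does not prove a rebuilt or vendored liblzma is clean.

# Pull the version token from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if no version is found.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\)[[:space:]]*$/\1/p'
}

# Return 0 (true) if the version string is one of the two backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) if liblzma appears in the dynamic dependencies of a binary.
# $1 is a path; `ldd` output is inspected rather than the binary itself.
binary_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma\.so'
}

# Combine both checks for the current host.
# Exit status: 0 clean, 1 backdoored version present, 2 unable to determine.
check_host() {
    banner=$(xz --version 2>/dev/null | head -n 1) || banner=""
    ver=$(xz_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "xz not found or version not parsed; check liblzma with your package manager"
        return 2
    fi
    # /usr/sbin/sshd is an assumed fallback path for hosts where sshd is not on PATH
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && binary_links_liblzma "$sshd_path"; then
        echo "sshd at $sshd_path links liblzma: the exposed code path exists on this host"
    else
        echo "sshd does not link liblzma: reduces, but does not remove, the risk"
    fi
    if xz_version_affected "$ver"; then
        echo "xz $ver is a backdoored release: downgrade or rebuild, and treat exposed hosts as potentially compromised"
        return 1
    fi
    echo "xz $ver is not one of the backdoored releases"
    return 0
}

# Run the host check only when invoked with --run, so the functions can be
# sourced or tested without touching the system.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Run it as `sh xz_triage.sh --run` on each host; a return code of 1 means a backdoored version is installed, and the sshd line tells you whether the pre-auth code path is actually reachable. The version match is exact on purpose: 5.6.2 and later releases were cut after the backdoor was removed, so a prefix match would produce false positives.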
Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure
Ivanti has issued security updates to mitigate four vulnerabilities in Connect Secure and Policy Secure Gateways, which pose risks of code execution and denial-of-service (DoS) attacks.
These vulnerabilities are:
Ivanti had not identified any exploitation of these vulnerabilities at the time of disclosure. Separately, the company recently patched critical flaws in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) and its on-premises Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9), which could lead to unauthorised command execution and arbitrary file writes, respectively.
In response to recent challenges, Ivanti's CEO Jeff Abbott highlighted measures to overhaul the company's security posture, including adopting secure-by-design principles, enhancing bug bounty programs, and increasing transparency and engagement with customers to address vulnerabilities more effectively.
SEXi Ransomware Targets VMware Hypervisors in Ongoing Campaign
A new variant of the Babuk ransomware, dubbed "SEXi," is targeting VMware ESXi servers, including a notable attack on IxMetro PowerHost, a Chilean data centre and hosting company. The attackers encrypted files with the .SEXi extension and demanded a $140 million ransom, which the company's CEO, Ricardo Rubem, stated would not be paid. The method of initial access remains unknown. This variant is part of a broader trend of reusing the leaked Babuk source code, and of growing interest in VMware ESXi servers because of the data-rich virtual machines they host and the difficulty of securing them.
Will Thomas, a cyber threat intelligence (CTI) researcher, linked SEXi to a wider campaign affecting at least three Latin American countries, with related binaries named Socotra, Limpopo, and Formosa showing zero detections on VirusTotal at the time of reporting. The operators' origins and intentions are unclear, but their use of geographic names for the binaries and of the encrypted messaging app Session for victim communication are notable tactics to track.
VMware ESXi's popularity among ransomware gangs is attributed to its large attack surface, the difficulty of securing these servers, and their potential to host multiple data-rich VMs. VMware offers guidance on securing ESXi environments, emphasising the importance of updates, password hardening, and backup strategies.
LockBit Ransomware Takedown Strikes Deep Into Brand's Viability
Despite the LockBit ransomware-as-a-service (RaaS) group's claim of a resurgence following its takedown in mid-February, analysis indicates persistent disruption to its activities and broader implications for the cybercrime ecosystem. LockBit, responsible for up to 33% of 2023's ransomware attacks, suffered a major setback from Operation Cronos, conducted by global law enforcement. The operation led to outages of LockBit-affiliated platforms, a takeover of its leak site by the UK's National Crime Agency (NCA), and further actions against the group's operations, including arrests and cryptocurrency seizures.
The operation exposed the LockBit admin panel and affiliate identities, undermining the group's reputation in the cybercrime community. Trend Micro's analysis shows little evidence of LockBit's recovery, highlighting its diminished standing and the operation's unique effectiveness compared to other RaaS group takedowns.
The cybercrime community's reaction includes LockBitSupp's ban from major forums, public allegations of fraud against him, and a general hesitance to associate with LockBit. This sentiment extends to speculation that LockBitSupp is collaborating with law enforcement, fuelled by his own claim that the takedown relied on a PHP vulnerability.
LockBit's attempted comeback includes new Tor leak sites and efforts to recruit initial access brokers (IABs), but has shown limited success. Trend Micro notes a new ransomware version, Lockbit-NG-Dev, indicating ongoing but weakened activity.
Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Vaughan Carey (SOC Leader).
If you like what you've read, subscribe so you don't miss next week's roundup!