New ransomware poses trans-Atlantic cyber threat

French and Italian cybersecurity agencies have warned of a new ransomware scheme targeting thousands of computer networks in their countries, as well as the United States and Canada, using a two-year-old vulnerability in a widely used virtual machine package.

The National Cybersecurity Agency of Italy warned of a “massive” potential threat using vulnerabilities in VMware ESXi, used to deploy virtual computers. VMware issued patches in early 2021.

With the VMware ESXi package a popular product, organizations should be “very concerned” about this new ransomware attack, said Harmandeep Singh, director at Cyphere, a cybersecurity services provider. Organizations running VMware ESXi should patch the software immediately if they have not already done so, he advised.

“This attack has the potential to cause significant damage,” he added. “It has already been used to target computer systems in multiple countries and, if left unchecked, could lead to the loss of data and financial resources. Additionally, it could allow malicious actors to gain access to confidential information and potentially cause disruption to critical systems.”

There’s a risk beyond ransomware with this new attack, added Chris Jacob, global vice president of the Threat Intelligence Engineers group at ThreatQuotient. The vulnerabilities could be used to gain access to computer systems and look around, he said.

“Ransomware is a quick indicator that you have been attacked, and hopefully, this will serve as a call to action,” Jacob told the Washington Examiner. “However, you have to wonder how many more advanced adversaries are using this as an attack vector for a more long-term reconnaissance play.”

The warnings about the attacks seem to indicate that many ESXi servers are still running the vulnerable software in which the flaw was found more than two years ago, he added: “How many attackers over those two years have gained access and haven’t exposed themselves over the last two years?”

The two cybersecurity agencies didn’t name a suspect in the ransomware attacks, but Russia-linked LockBit, a ransomware gang, claimed responsibility for a similar attack on financial services company ION Trading UK in late January and on the United Kingdom’s Royal Mail service in early February.

The LockBit ransomware has been around since about January 2020, according to the Department of Justice. Members of the LockBit gang had made at least $100 million in ransom demands as of November, and they had received payments totaling in the tens of millions of dollars, the DOJ said.

LockBit is infamous for attacking the Hospital for Sick Children in Toronto in December. It later apologized and gave the hospital the tools to decrypt the encrypted data.

LockBit is known to exploit vulnerabilities in VMware ESXi, making it a likely culprit for the additional attacks, Singh noted. However, LockBit often claims responsibility for its attacks, and some cybersecurity experts have noted that the attack appears to come from a new ransomware family not previously used by LockBit.

It appears that these new attacks are using another ransomware called Royal, which often targets Linux systems, said Jon Clay, vice president of threat intelligence at cybersecurity company Trend Micro. A Russian group linked to the Conti ransomware package may be associated with the new attacks, but other groups such as Black Basta, HelloKitty, and Hive have all targeted Linux and ESXi servers in the past, he added.

It appears that many organizations using the VMware package have patched the identified vulnerability, but some scans suggest that many other organizations have not, Clay told the Washington Examiner. “Many servers open to the internet still show not being patched, and their owners should either patch now and/or remove the server from the internet,” he added.

Like Jacob, Clay suggested unpatched ESXi servers can cause major problems. “If a VMware ESXi server has been compromised, there are a number of potential attacks that could be done, but what we’re seeing mostly today are ransomware-based attacks that encrypt files and data on these systems,” he said.
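The advice in the two paragraphs above reduces to an inventory question: which ESXi hosts are still below the fixed build, and which of those are also reachable from the internet. The script below is an added example written for this page, not code from the article or from any of the people quoted; the host inventory is constructed and the MIN_PATCHED_BUILD values are labelled placeholders that must be replaced with the fixed build numbers from the vendor advisory for each ESXi version line before the script is used on real data.

```python
import csv
import io

# PLACEHOLDER thresholds (assumption, not from the article): the lowest build
# number per ESXi major version that contains the vendor's 2021 fix. Replace
# these with the fixed builds listed in the vendor advisory before use.
MIN_PATCHED_BUILD = {
    "6.5": 99999965,
    "6.7": 99999967,
    "7.0": 99999970,
}

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = """\
name,version,build,internet_exposed
esx-dmz-01,7.0,99999960,yes
esx-dmz-02,7.0,99999975,yes
esx-lab-01,6.7,99999900,no
esx-core-01,6.5,99999970,no
esx-old-01,6.0,1234567,yes
"""


def parse_inventory(text):
    """Parse a CSV inventory export into a list of host dicts."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        hosts.append({
            "name": row["name"].strip(),
            "version": row["version"].strip(),
            "build": int(row["build"]),
            "internet_exposed": row["internet_exposed"].strip().lower()
            in ("yes", "true", "1"),
        })
    return hosts


def patch_status(host):
    """Return 'patched', 'unpatched', or 'unsupported' for one host."""
    minimum = MIN_PATCHED_BUILD.get(host["version"])
    if minimum is None:
        return "unsupported"  # no fixed build known for this version line
    return "patched" if host["build"] >= minimum else "unpatched"


def triage(hosts):
    """Bucket hosts in the order the article's advice implies: unpatched and
    internet-exposed first (patch now or take the host off the internet),
    then unpatched internal hosts, then version lines with no known fix,
    then hosts that are already at or above the fixed build."""
    result = {"critical": [], "patch": [], "unsupported": [], "ok": []}
    for host in hosts:
        status = patch_status(host)
        if status == "unpatched" and host["internet_exposed"]:
            result["critical"].append(host["name"])
        elif status == "unpatched":
            result["patch"].append(host["name"])
        elif status == "unsupported":
            result["unsupported"].append(host["name"])
        else:
            result["ok"].append(host["name"])
    return result


def report(text=SAMPLE_INVENTORY):
    """Run the triage over an inventory text and return the buckets."""
    return triage(parse_inventory(text))


if __name__ == "__main__":
    for bucket, names in report().items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The build comparison is deliberately numeric rather than a string match on a version label, because ESXi build numbers increase monotonically within a version line and a host can report a patched-looking version string while still sitting on an older build. Hosts whose version line has no entry in the threshold table are surfaced separately rather than silently treated as fine.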
