alert — Black Arrow Cyber Consulting

Posts tagged alert

Black Arrow Cyber Advisory – LockBit Ransomware Now Actively Targeting VMware ESXi Hosts

Black Arrow Cyber Advisory – LockBit Ransomware Now Actively Targeting VMware ESXi Hosts

Executive Summary

LockBit, a ransomware gang that first came to prominence in 2021, has made improvements to its Ransomware-as-a-Service (RaaS), advertising that it will now actively target VMware ESXi virtual machines. VMware ESXi is a highly popular virtualisation platform and is found in most business environments globally and allows for the consolidation of software servers and services onto a single physical machine, saving both space and costs. The new LockBit features include the ability to find all running Virtual Machines (VMs) and manipulate their power states to ensure they are encrypted successfully.

What’s the risk to me or my business?

Due to the popularity of ESXi, there is an increased risk to those running the platform. The changes demonstrate that RaaS operators are keenly aware that businesses present lucrative targets, actively implementing features that have the greatest potential for harm in an enterprise environment.

What can I do?

Ensure that your systems and services across your network remain up-to-date and current. Attackers will often use a combination of bugs, vulnerabilities and misconfigurations to breach an environment before going on to exploit other devices. For ESXi specifically, consider disabling Secure Shell (SSH) if enabled, and ensure the use of TLS (HTTPS) on any exposed web interfaces.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Black Arrow AdminJanuary 28, 2022black arrow, black arrow cyber, threat advisory, alert, vmware, esxi, lockbit

Black Arrow Cyber Advisory – “PwnKit” Bug Allows Root Access on the Ubiquitous Linux Operating System

Black Arrow Cyber Advisory – “PwnKit” Bug Allows Root Access on the Ubiquitous Linux Operating System

Executive Summary

Security researchers have revealed a new toolkit bug in the Linux operating system, the software that drives most of the world. Linux is found everywhere, from firewalls and network switches to cars and huge industrial machines. The tool, ‘pkexec’, was found to be vulnerable to privilege escalation, allowing an attacker to gain root or administrator privileges with ease.

What’s the risk to me or my business?

As Linux runs in almost every environment in the world, an attacker with access to the system could exploit the vulnerability to take control. The attack can become particularly potent when used in combination with other exploits on an unpatched system. Security researchers note the attack is ‘trivially exploitable’, leading to a dangerous situation if a system is indeed susceptible.

What can I do?

A patch has been issued for the bug, which should be implemented as soon as possible on any device that may be running Linux. It is recommended that systems in general be patched as often as practicable to reduce overall risk.

Technical Summary

Security researchers have disclosed a buffer overflow attack in Polkit, a tool allowing programs without special privileges to run safely with services requiring root. The bug exploits environment variables, allowing an attacker to use NULL references to craft the overflow. As a result a malicious user could, even on an account with minimal privileges, use the misalignment to introduce dangerous environment variables to elevate their session.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Black Arrow AdminJanuary 27, 2022black arrow cyber, black arrow, threat intelligence, threat advisory, alert, pwnkit, linux, root

Black Arrow Cyber Advisory – 20,000 HP Servers Have Their Management Interface Exposed to the Internet

Black Arrow Cyber Advisory – 20,000 HP Servers Have Their Management Interface Exposed to the Internet

Executive Summary

Integrated Lights Out (iLO) is a low-level management interface on Hewlett-Packard (HP) servers, intended for out-of-band or outside-of-operating system access. The service is most used by IT staff managing the device for remote support operations, such as powering the system off, updating firmware or viewing the display via the network. Despite a recent and serious bug dubbed ‘iLOBleed’, approximately 24,000 iLO devices are still exposed to the internet and searchable with Google.

What’s the risk to me or my business?

HP servers are very common in business settings and remain the popular choice globally. Most of these servers come with iLO pre-installed, which makes them a lucrative target to attackers when vulnerable, particularly given their low-level access. In combination with vulnerabilities like ‘iLOBleed’, remotely exposing iLO to the web presents a low hanging fruit that may be too attractive to pass up.

What can I do?

Check with your IT team or MSP to ensure that you aren’t exposing anything to the web that shouldn’t be there, even beyond iLO. Misconfigurations or services such as Universal Plug and Play (UPNP) can expose devices without your knowledge, leaving you open to attack where the exposed systems are vulnerable.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Black Arrow AdminJanuary 27, 2022black arrow, black arrow cyber, threat advisory, threat alert, alert, hp, server, hp ilo

Urgent: We are receiving an increasing number of reports of email addresses ending in cwgsy.net sending phishing emails

Urgent: We are receiving an increasing number of reports of email addresses ending in cwgsy.net sending phishing emails. The most likely cause of this is unauthorised access to the mailbox using credentials harvested from other breaches.

Black Arrow AdminJune 25, 2021phishing, alert, cwgsy.net, scams, credential stuffing, credential harvesting, bitcoin

Blog