EclecticIQ
nav-solutions

Learn how EclecticIQ can help you address your specific challenges – by team and by need – and improve your overall security posture.

Solutions overview

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

ESXi Ransomware Updates Counter Recovery Script; Killnet Targets Airports and Hospitals

In this edition of the Analyst Prompt, EclecticIQ analysts review recent changes in the ransomware attacks on VMware ESXi servers, continued DDoS attacks by Killnet, and Windows and Apple vulnerabilities exploited in the wild.

EclecticIQ Threat Research Team February 21, 2023

Malware Updates: New ESXi Ransomware Variant Counters Recovery Script

Operators behind the ransomware attacks on VMware ESXi servers in early February have updated their malware to counter the recovery script released by the US Cybersecurity and Infrastructure Security Agency (CISA).[1] That script worked because the first variant left most of each large virtual disk file unencrypted, so the disks could be rebuilt from the untouched data; the new variant encrypts more of each file, which makes recovery of the encrypted data without the attacker's key nearly impossible.

The ransom note dropped by the new variant asks victims to contact the actor via a Tox messaging ID, whereas previous notes contained a Bitcoin address.[2] It is likely the actor changed the contact details out of concern that law enforcement could trace payments to the Bitcoin address on the blockchain.

It is very likely that the new waves of attacks on VMware ESXi servers are carried out by multiple ransomware groups. Both Nevada ransomware and Royal ransomware operators have advertised variants targeting VMware ESXi systems in their community forums.[3, 4]

The initial access vector has not been confirmed. EclecticIQ analysts assess with high confidence that the compromised VMware ESXi servers were running outdated, unpatched ESXi versions. OSINT reporting refers to the following vulnerabilities as possible means of initial compromise:

  • CVE-2021-21974
  • CVE-2022-31696
  • CVE-2022-31697
  • CVE-2022-31698
  • CVE-2022-31699

Patches exist for all of these vulnerabilities. EclecticIQ analysts strongly recommend applying them and, wherever possible, not exposing ESXi hosts or their management interfaces directly to the internet; it is the hypervisor host that is attacked, and the virtual machines on it that are encrypted.

Threat Actor Update: Killnet Continues DDoS Attacks Against Airport and Hospital Websites

Throughout the first two weeks of February, the pro-Russian hacktivist group Killnet continued executing Distributed Denial of Service (DDoS) attacks against airport and hospital websites in the United States, Germany, and the Netherlands. The group also launched an attack against websites of the NATO Special Operations Headquarters (NSHQ). The attacks are almost certainly a response to policy decisions by Ukraine's western allies: at the end of January, the US and Germany announced they would send tanks to Ukraine, and hospitals in the Netherlands and Germany are treating wounded Ukrainian soldiers.

EclecticIQ analysts assess with high confidence that Killnet's attacks remain largely unsuccessful. The targeted websites were not vital parts of infrastructure, and the affected organizations appeared to recover very quickly from the limited impact of the DDoS attacks. According to CISA, “several of the incidents temporarily reduced the availability of the hospitals’ public-facing websites, but there were no reports of unauthorized access to hospital networks, disruption to health care delivery or impacts on patient safety.”[5] The German BSI said it “has no indications of direct effects on the respective service and, [...] are not to be expected if the usual protective measures against DDoS attacks are taken.” The Dutch NCSC assessed that “the DDoS attacks are successfully mitigated and the impact of the attacks [was] limited.”[6]

Vulnerabilities: CISA Warns of Windows and iOS Bugs Exploited in the Wild

On 14 February, Microsoft released patches for 75 vulnerabilities, including three actively exploited zero-day flaws (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823).[7]

  • CVE-2023-21715 is a security feature bypass that could allow an attacker to bypass the Office macro policies that block untrusted or malicious files.
  • CVE-2023-23376 is an elevation of privilege flaw in the Windows Common Log File System (CLFS) driver. A successful exploit gives the attacker SYSTEM privileges on the target machine.
  • CVE-2023-21823 is a flaw in the Windows Graphics Component that could lead to remote code execution and full takeover of a vulnerable system.

CISA added the three Windows vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and warned that they are being actively exploited in the wild.[8] The same alert covers an Apple WebKit vulnerability (CVE-2023-23529) in which processing maliciously crafted web content may lead to arbitrary code execution; Apple released patches on Monday, 13 February.[9]
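
The CVE lists in this edition (the ESXi candidates above and the Windows and Apple zero-days in this section) are exactly what an analyst cross-references against CISA's KEV catalog to set patch priority. The Python script below is an added example written for this page; it is not EclecticIQ or CISA code. It reads a catalog in the JSON shape CISA publishes (a `vulnerabilities` array whose entries carry `cveID`, `dueDate` and related keys), returns the matching entries ordered by remediation due date, lists the advisory CVEs that the catalog does not contain, and flags entries whose due date has already passed. `SAMPLE_CATALOG` is a constructed stand-in with illustrative dates so the script runs offline; `fetch_catalog()` downloads the live feed from the real CISA URL when invoked with `--live`.

```python
"""Cross-reference advisory CVEs against CISA's KEV catalog (added example)."""
from __future__ import annotations

import json
import urllib.request
from datetime import date

# Live feed (real CISA URL). Not fetched at import time so the module also works offline.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# CVEs named in this Analyst Prompt: ESXi candidates, Windows zero-days, Apple WebKit bug.
ADVISORY_CVES = [
    "CVE-2021-21974", "CVE-2022-31696", "CVE-2022-31697", "CVE-2022-31698", "CVE-2022-31699",
    "CVE-2023-21715", "CVE-2023-23376", "CVE-2023-21823", "CVE-2023-23529",
]

# Constructed stand-in for the real feed, using the same JSON shape.
# Entries and dates are illustrative; only fetch_catalog() returns authoritative data.
SAMPLE_CATALOG = {
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-2021-21974", "vendorProject": "VMware", "product": "ESXi",
         "dateAdded": "2023-02-08", "dueDate": "2023-03-01"},
        {"cveID": "CVE-2023-21715", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2023-23376", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2023-21823", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2023-23529", "vendorProject": "Apple", "product": "Multiple Products",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
    ],
}


def fetch_catalog(url: str = KEV_URL, timeout: int = 30) -> dict:
    """Download and parse the live KEV feed (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def normalize_cve(cve: str) -> str:
    """KEV IDs are upper-case; tolerate 'cve-...' and stray whitespace from copy-paste."""
    return cve.strip().upper()


def match_kev(cve_ids, catalog: dict) -> list[dict]:
    """Return the KEV entries for the requested CVEs, soonest due date first."""
    wanted = {normalize_cve(c) for c in cve_ids}
    index = {e["cveID"].upper(): e for e in catalog["vulnerabilities"]}
    hits = [index[c] for c in wanted if c in index]
    hits.sort(key=lambda e: (e["dueDate"], e["cveID"]))
    return hits


def missing_from_kev(cve_ids, catalog: dict) -> list[str]:
    """Advisory CVEs that KEV does not (yet) list: still patch, but with lower urgency."""
    listed = {e["cveID"].upper() for e in catalog["vulnerabilities"]}
    return sorted(normalize_cve(c) for c in cve_ids if normalize_cve(c) not in listed)


def overdue(hits: list[dict], today: date) -> list[str]:
    """KEV entries whose remediation due date is already in the past."""
    return [e["cveID"] for e in hits if date.fromisoformat(e["dueDate"]) < today]


def report(cve_ids, catalog: dict, today: date | str | None = None) -> dict:
    """Summarize KEV status for an advisory's CVE list; `today` may be an ISO date string."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    hits = match_kev(cve_ids, catalog)
    return {
        "in_kev": [e["cveID"] for e in hits],
        "due_dates": {e["cveID"]: e["dueDate"] for e in hits},
        "not_in_kev": missing_from_kev(cve_ids, catalog),
        "overdue": overdue(hits, today),
    }


if __name__ == "__main__":
    import sys

    catalog = fetch_catalog() if "--live" in sys.argv else SAMPLE_CATALOG
    print(json.dumps(report(ADVISORY_CVES, catalog), indent=2))
```

Run it without arguments to see the structure against the constructed sample, or with `--live` to query the current feed. The sort key pairs the due date with the CVE ID so the output is stable between runs, and a CVE absent from KEV is reported separately rather than silently dropped, since absence from the catalog is information an analyst wants to see, not an error.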

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.

Appendix

  1. “ESXiArgs Ransomware Virtual Machine Recovery Guidance,” CISA. https://www.cisa.gov/uscert/ncas/alerts/aa23-039a (accessed Feb. 16, 2023).
  2. “New Nevada Ransomware targets Windows and VMware ESXi systems,” BleepingComputer. https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/ (accessed Feb. 17, 2023).
  3. “New Nevada Ransomware Targets Windows and VMware ESXi Systems,” NCERT. https://www.ncert.gov.ph/2023/02/03/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/ (accessed Feb. 17, 2023).
  4. C. Pernet, “Royal ransomware spreads to Linux and VMware ESXi,” TechRepublic, Feb. 10, 2023. https://www.techrepublic.com/article/royal-ransomware-linux-vmware-esxi/ (accessed Feb. 17, 2023).
  5. “CISA says Killnet DDoS attacks on U.S. hospitals had little effect,” The Record from Recorded Future News, Feb. 07, 2023. https://therecord.media/ddos-hospitals-cisa-killnet-limited-effects/ (accessed Feb. 17, 2023).
  6. Nationaal Cyber Security Centrum, “Nederlandse ziekenhuizen doelwit van DDoS-aanvallen” (Dutch hospitals targeted by DDoS attacks), Feb. 01, 2023. https://www.ncsc.nl/actueel/nieuws/2023/februari/1/nederlandse-ziekenhuizen-getroffen-door-ddos-aanvallen (accessed Feb. 17, 2023).
  7. R. Naraine, “Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days,” SecurityWeek, Feb. 14, 2023. https://www.securityweek.com/patch-tuesday-microsoft-warns-of-exploited-windows-zero-days/ (accessed Feb. 17, 2023).
  8. “CISA Adds Seven Known Exploited Vulnerabilities to Catalog,” CISA. https://www.cisa.gov/uscert/ncas/current-activity/2022/08/18/cisa-adds-seven-known-exploited-vulnerabilities-catalog (accessed Aug. 23, 2022).
  9. E. Kovacs, “Apple Patches Actively Exploited WebKit Zero-Day Vulnerability,” SecurityWeek, Feb. 14, 2023. https://www.securityweek.com/apple-patches-actively-exploited-webkit-zero-day-vulnerability/ (accessed Feb. 17, 2023).
