EclecticIQ Threat Research Team
February 21, 2023

ESXi Ransomware Updates Counter Recovery Script; Killnet Targets Airports and Hospitals


Malware Updates: New ESXi Ransomware Variant Counter Recovery Script

Operators behind the ransomware attacks on VMware ESXi servers in early February have updated their malware to counter a recovery script released by the Cybersecurity & Infrastructure Security Agency (CISA).[1] The new variant makes recovery of encrypted data nearly impossible.

The ransom note dropped by the new variant asks victims to contact the actor at a Tox messaging address, whereas previous notes contained a Bitcoin address.[2] It is likely the actor changed the contact details out of concern that law enforcement could trace blockchain payments.

It is very likely that the new waves of attacks on VMware ESXi servers are executed by multiple ransomware groups. Both Nevada and Royal ransomware operators have advertised variants targeting VMware ESXi systems in their community forums.[3, 4]

The initial attack vector is unknown. EclecticIQ analysts assess with high confidence that the exploited VMware ESXi servers were running outdated operating system versions. OSINT reporting points to the following vulnerabilities as candidates for initial compromise:

  • CVE-2021-21974
  • CVE-2022-31696
  • CVE-2022-31697
  • CVE-2022-31698
  • CVE-2022-31699

Patches exist for all of these vulnerabilities. EclecticIQ analysts strongly recommend applying them and, where possible, not exposing ESXi virtual machines directly to the internet.

Threat Actor Update: Killnet Continues DDoS Attacks Against Airport and Hospital Websites

Throughout the first two weeks of February, the pro-Russian hacktivist group Killnet continued to execute distributed denial-of-service (DDoS) attacks against airport and hospital websites in the United States, Germany, and the Netherlands. The group also attacked sites of the NATO Special Operations Headquarters (NSHQ). The attacks are almost certainly a response to policy decisions by Ukraine's western allies: at the end of January, the US and Germany announced they would send tanks to Ukraine, and hospitals in the Netherlands and Germany are treating wounded Ukrainian soldiers.

EclecticIQ analysts assess with high confidence that Killnet's attacks remain unsuccessful. The targeted websites were not vital parts of infrastructure, and organizations appeared able to recover very quickly from the limited impact of the DDoS attacks. According to CISA, “several of the incidents temporarily reduced the availability of the hospitals’ public-facing websites, but there were no reports of unauthorized access to hospital networks, disruption to health care delivery or impacts on patient safety.”[5] The German BSI said it “has no indications of direct effects on the respective service and, [..] are not to be expected if the usual protective measures against DDoS attacks are taken.” The Dutch NCSC assessed that “the DDoS attacks are successfully mitigated and the impact of the attacks [was] limited.”[6]

Vulnerabilities: CISA Warns of Windows and iOS Bugs Exploited in the Wild

On 14 February, Microsoft's Patch Tuesday release fixed 75 vulnerabilities, including three actively exploited zero-day flaws (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823).[7]

  • CVE-2023-21715 could allow attackers to bypass Office macro policies that block untrusted or malicious files.
  • CVE-2023-23376 affects the Windows Common Log File System; if exploited, an attacker could obtain SYSTEM privileges on the target machine.
  • CVE-2023-21823 concerns the Windows Graphics Component and could lead to remote code execution and complete takeover of a vulnerable system.

A CISA alert warned that these vulnerabilities are being actively exploited in the wild.[8] The alert also covers an Apple vulnerability (CVE-2023-23529) that leads to arbitrary code execution; Apple released a patch on Monday, February 13th.[9]

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.


Appendix

  1. “ESXiArgs Ransomware Virtual Machine Recovery Guidance | CISA.” https://www.cisa.gov/uscert/ncas/alerts/aa23-039a (accessed Feb. 16, 2023).
  2. “New Nevada Ransomware targets Windows and VMware ESXi systems,” BleepingComputer. https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/ (accessed Feb. 17, 2023).
  3. “New Nevada Ransomware Targets Windows and VMware ESXi Systems | NCERT.” https://www.ncert.gov.ph/2023/02/03/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/ (accessed Feb. 17, 2023).
  4. C. Pernet, “Royal ransomware spreads to Linux and VMware ESXi,” TechRepublic, Feb. 10, 2023. https://www.techrepublic.com/article/royal-ransomware-linux-vmware-esxi/ (accessed Feb. 17, 2023).
  5. “CISA says Killnet DDoS attacks on U.S. hospitals had little effect,” The Record from Recorded Future News, Feb. 07, 2023. https://therecord.media/ddos-hospitals-cisa-killnet-limited-effects/ (accessed Feb. 17, 2023).
  6. Nationaal Cyber Security Centrum, “Nederlandse ziekenhuizen doelwit van DDoS-aanvallen - Nieuwsbericht - Nationaal Cyber Security Centrum,” Feb. 01, 2023. https://www.ncsc.nl/actueel/nieuws/2023/februari/1/nederlandse-ziekenhuizen-getroffen-door-ddos-aanvallen (accessed Feb. 17, 2023).
  7. R. Naraine, “Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days,” SecurityWeek, Feb. 14, 2023. https://www.securityweek.com/patch-tuesday-microsoft-warns-of-exploited-windows-zero-days/ (accessed Feb. 17, 2023).
  8. “CISA Adds Seven Known Exploited Vulnerabilities to Catalog | CISA.” https://www.cisa.gov/uscert/ncas/current-activity/2022/08/18/cisa-adds-seven-known-exploited-vulnerabilities-catalog (accessed Aug. 23, 2022).
  9. E. Kovacs, “Apple Patches Actively Exploited WebKit Zero-Day Vulnerability,” SecurityWeek, Feb. 14, 2023. https://www.securityweek.com/apple-patches-actively-exploited-webkit-zero-day-vulnerability/ (accessed Feb. 17, 2023).
