Security News
Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection.A modified level of trust is not enough for the ESXi system to accept it by default but the attacker also used the '-force' flag to install the malicious VIBs.
Emerging covert malware families that target VMware environments could allow criminals to gain persistent administrative access to the hypervisor, transfer files, and execute arbitrary commands between virtual machines, according to VMware and Mandiant, which discovered the software nasty earlier this year. Prior to this discovery, both VMware and Mandiant say they hadn't seen persistent malware with these capabilities deployed on VMware hypervisors or guest systems in the wild.
According to VMware, such movements were observed in 25% of all attacks. One of the best things that organizations can do to counter these types of attacks is to look for ways to improve overall visibility.
VMware and Microsoft are warning of an ongoing, widespread Chromeloader malware campaign that has evolved into a more dangerous threat, seen dropping malicious browser extensions, node-WebKit malware, and even ransomware in some cases. On Friday evening, Microsoft warned about an "Ongoing wide-ranging click fraud campaign" attributed to a threat actor tracked as DEV-0796 using Chromeloader to infect victims with various malware.
VMware is warning that ESXi VMs running on Linux kernel 5.19 can have up to a 70% performance drop when Retbleed mitigations are enabled compared to the Linux kernel 5.18 release. More specifically, the VMware performance team noticed regressions on ESXi virtual machines of up to 70% in computing, 30% in networking, and 13% in storage.
VMware has admitted an update on some versions of its Carbon Black endpoint solution is responsible for BSODs and boot loops on Windows machines after multiple organizations were affected by the problem. The problem surfaced yesterday, with threat hunter Tim Geschwindt stating on Twitter he knew of about 50 organizations struggling with the issue, and saying the Carbon Black endpoint solution was "Causing blue screens of death for devices running sensor version 3.7.0.1253".
Windows servers and workstations at dozens of organizations started to crash earlier today because of an issue caused by certain versions of VMware's Carbon Black endpoint security solution. The root of the problem is a ruleset deployed today to Carbon Black Cloud Sensor 3.6.0.1979 - 3.8.0.398 that causes devices to crash and show a blue screen at startup, denying access to them.
Proof-of-concept exploit code is now publicly available online for a critical authentication bypass security flaw in multiple VMware products that enables attackers to gain admin privileges.A week ago, VMware released updates to address the vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation.
VMware found a quarter of all ransomware attacks included double-extortion techniques, with top methods including blackmail, data auction and name and shame The use of deepfakes also shot up this year, by 13 percent to 66 percent of respondents reporting they had featured in an attack. 65 percent of respondents noted that cyberattacks had increased since Russia invaded Ukraine and 62 percent said they'd been on the receiving end of zero-day exploits.
VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws. "Given the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority," Claire Tillis, senior research engineer with Tenable's Security Response Team, said in an email to Threatpost.