Surge of Attacks on VMware Hosts, Threat Intel Firm Says
VMware Issued Patches But Threat Actors Continue to Scan for Vulnerabilities
Weeks after security company VMware issued patches to address vulnerabilities in its vSphere Client (HTML5), threat intelligence firm Bad Packets says threat actors are mass scanning for vSphere hosts vulnerable to remote code execution, just as VMware’s Global Security Insights Report catalogs increasing attacks.
Mass scanning activity detected from 220.127.116.11 (NL) checking for VMware vSphere hosts vulnerable to remote code execution (CVE-2021-21985). Vendor advisory: https://t.co/D0aWkbQMPT #threatintel
— Bad Packets (@bad_packets), June 3, 2021
The flaws, tracked as CVE-2021-21985 and CVE-2021-21986, allow a remote attacker to access vCenter installs exposed online, irrespective of whether the customer uses vSAN, and to perform actions allowed by the affected plug-ins without authentication (see: VMware Urges Rapid Patching for Serious vCenter Server Bug).
“In line with VMware's commitment to responsible disclosure, we issued a public security advisory with a fix and workaround for this security issue, to help our customers stay safe. Additional information may be found in this blog post and FAQ,” the company tells Information Security Media Group in a statement.
Meanwhile, Bad Packets continues to publish details on exploit activity targeted at VMware vCenter.
CVE-2021-21985 exploit activity detected from multiple hosts (CN DE HK SG) targeting our VMware vCenter honeypot. Query our API for "tags=CVE-2021-21985" for relevant indicators (payloads) and source IP addresses. #threatintel https://t.co/3Sz7SVH7kY
— Bad Packets (@bad_packets), June 7, 2021
Organizations should have a good grasp on their vCenter estate, as it is a prominent piece of asset inventory, says Andy Norton, European cyber risk officer at IoT security solutions provider Armis.
“At the time of writing, the NHS had not yet released a high severity cyber alert. However, we can expect them to follow the same path as they did back in February with a previous vCenter vulnerability disclosure. The value of an up-to-date and accurate asset inventory becomes clear when emergency activity like this is required,” he says (see: 6,000 VMware vCenter Devices Vulnerable to Remote Attacks).
“It is of critical importance that anybody with VMware-based infrastructure apply the patch immediately to avoid being compromised. Unfortunately, many organizations would have already been compromised and not even know it, so this patch might very well be an example of closing the stable door once the horse has bolted,” Matthew Gribben, cybersecurity expert and former GCHQ cybersecurity consultant, says.
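Norton's point about asset inventory is the practical one here: when an advisory like this lands, the first question is which vCenter installs are reachable from the internet and still unpatched, and only an accurate inventory answers it quickly. The script below is an added example written for this article, not code from VMware, Bad Packets or Armis. The inventory records are constructed, and the field names (`advisory_patched`, `internet_reachable`) are assumptions about what an inventory would carry, not any vendor's schema. It scopes to vCenter Server regardless of vSAN use, as the article notes, prefers a measured exposure check over address-range guesswork, and ranks the unpatched installs for emergency patching.

```python
"""Emergency patch triage for a vCenter estate (added example, not from the article).

Given an asset inventory, list the vCenter Server installs that still lack the
fix for CVE-2021-21985 / CVE-2021-21986, worst first: internet-exposed installs
before internal ones.  Whether a site uses vSAN is deliberately ignored, since
the article notes the flaws apply irrespective of vSAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

ADVISORY_CVES = ("CVE-2021-21985", "CVE-2021-21986")  # CVEs named in the article


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str                 # "vCenter Server", "ESXi", "vSAN", ...
    mgmt_ip: str                 # address the vSphere Client (HTML5) UI listens on
    advisory_patched: bool       # assumed field: advisory fix or workaround applied
    uses_vsan: bool
    internet_reachable: Optional[bool] = None  # assumed field: None = not yet checked


# Constructed inventory records for the example; none of these are real hosts.
INVENTORY = [
    Asset("vc-dmz-01", "vCenter Server", "203.0.113.10", False, True, True),    # unpatched, exposed, uses vSAN
    Asset("vc-core-01", "vCenter Server", "10.20.0.5", True, False, False),     # already patched
    Asset("vc-lab-02", "vCenter Server", "172.16.9.9", False, False, None),     # unpatched, exposure unknown
    Asset("vc-branch-03", "vCenter Server", "10.31.4.2", False, False, False),  # unpatched, internal
    Asset("esx-core-11", "ESXi", "10.20.0.11", False, False, False),            # out of scope for this advisory
]


def in_scope(asset: Asset) -> bool:
    """vCenter Server only; vSAN usage does not change exposure to these CVEs."""
    return asset.product == "vCenter Server"


def exposed(asset: Asset) -> bool:
    """Prefer a measured external check; fall back to whether the address is globally routable.

    Note: ipaddress treats documentation ranges such as 203.0.113.0/24 as
    non-global, so the fallback is only a hint, never a substitute for a real check.
    """
    if asset.internet_reachable is not None:
        return asset.internet_reachable
    return ip_address(asset.mgmt_ip).is_global


def priority(asset: Asset) -> int:
    """0 = patched, 1 = unpatched and exposed, 2 = unpatched but internal."""
    if asset.advisory_patched:
        return 0
    return 1 if exposed(asset) else 2


def triage(inventory: List[Asset]) -> List[Tuple[int, str, str]]:
    """(priority, hostname, mgmt_ip) for every unpatched vCenter install, worst first."""
    rows = [
        (priority(a), a.hostname, a.mgmt_ip)
        for a in inventory
        if in_scope(a) and not a.advisory_patched
    ]
    return sorted(rows)


def coverage(inventory: List[Asset]) -> float:
    """Fraction of in-scope vCenter installs that already carry the advisory fix."""
    scoped = [a for a in inventory if in_scope(a)]
    return sum(a.advisory_patched for a in scoped) / len(scoped) if scoped else 1.0


if __name__ == "__main__":
    print(f"Triage for {', '.join(ADVISORY_CVES)}")
    for pri, host, ip in triage(INVENTORY):
        label = "PATCH NOW (internet-exposed)" if pri == 1 else "patch next (internal)"
        print(f"  P{pri} {host:14} {ip:16} {label}")
    print(f"advisory coverage: {coverage(INVENTORY):.0%}")
```

The unknown-exposure case is the one that matters in practice: an inventory that cannot say whether a management interface is reachable from outside should be treated as a finding in itself, and the address-range fallback only buys time until the external check has been run.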
Impact of Remote Work on Cybersecurity Risks
The COVID-19 pandemic has increased cybersecurity risks for companies, and sophisticated cyberattacks and material breaches have surged.
In fact, the one industry that has not been disrupted by COVID-19 is cybercrime, Rick McElroy, principal cybersecurity strategist in the VMware security business unit, says in a Global Security Insights Report released last week.
On tackling the surge in attacks, McElroy tells ISMG that organizations should assume that they have been breached and that cybercriminals already have a foothold in their systems.
“The frequency of attacks is high, sophistication continues to evolve, and breaches are the inevitable result. Three quarters (76%) of the 3,542 respondents to our survey said the number of attacks they faced has increased in the past year. Of those, 78% said attacks had increased as a result of more employees working from home, (while) 79% said attacks had become more sophisticated,” he says in the report, which includes responses from CIOs, CTOs and CISOs across 14 countries.
The number of breaches has risen, with every attacked company reporting an average of 2.35 breaches per year. Even as 56% of surveyed CISOs anticipate material breaches in their organizations in the coming year, only 41% have updated their security policy and approach to mitigate the risk.
According to the recent Carbon Black report, cybersecurity incidents, particularly ransomware attacks, have intensified in terms of outcomes, ransom demands and long-term effects on businesses, Andrea Babbs, U.K. general manager at cybersecurity solutions provider VIPRE, says.
“The overnight change of working from home has had a significant impact on employee working practices. With no peer review or easy access to conversational questions to quickly ask: “Does this email look strange to you?” employees are at an increased risk of falling foul of phishing scams,” she tells ISMG.
“Seventy-nine percent [of respondents] said attacks had become more sophisticated, which we have continued to witness. A new way of attacking that we’ve seen an increase in within the IT industry is the use of fileless attacks, which exploit tools and features that are already available in the victim’s environment. These can be used in combination with social engineering deploys, such as phishing emails, without having to rely on file-based payloads,” she adds.
The dramatic shift in the way cyberattacks, particularly ransomware attacks, have been run and managed in the past year could also be a factor, Gribben tells ISMG. Criminal gangs, he says, have essentially “professionalized” the process.
“They've found what works and refined it into a formula that delivers results in terms of successfully extracting ransoms from their victims. We've even seen this evolve into what is now becoming known as RaaS [ransomware as a service], with gangs even offering affiliate schemes and profit sharing - the kind of marketing activities we would normally associate with legitimate digital businesses,” he says.
And since these tactics are working, there’s likely to be an increase in cyberthreat activities, he says.
Criminal activity will continue to increase until adversaries see diminishing returns on their investments, Parham Eftekhari, senior vice president and executive director of the Institute for Critical Infrastructure Technologies, tells ISMG.
“Unfortunately, we live in a world where technology has been developed without security baked into the engineering and design life cycle. The result is smart cities, critical infrastructures, and IoT devices riddled with vulnerabilities that can be exploited through numerous attack vectors from brute force to phishing,” he says.