At the end of November, VMware announced a 0-day vulnerability CVE-2020-4006 in its products, which…
Both of the above vulnerabilities are related to the SLP protocol, which devices on the same network use to discover each other. In essence, the bugs allow an attacker on the same network to send malicious SLP requests to an ESXi host and take control of it.
For example, RansomExx operators gained access to a device on the corporate network and then used it to launch further attacks on local ESXi instances and encrypt the virtual hard disks that store the data of many different virtual machines. Attacks like these can cause true chaos in a company, because ESXi virtual disks are typically used to centralize data from many other systems.
Information about such incidents has appeared more than once on Reddit and Twitter, and the attacks have been mentioned by experts at information security conferences.
“Ransomware group using them to bypass all Windows OS security, by shutting down VMs and encrypting the VMDK’s directly on hypervisor. They’re pre-auth RCE bugs you can exploit from other appliances (eg VPN firewalls at border). A better way to do it would be to mount NTFS volumes in VMDK files of AD servers and modify GPO to distribute wares, but I don’t think attackers near that ability”, information security specialist Kevin Beaumont said, for example.
It is reported that at least one group, RansomExx (aka Defray777), uses this technique, but last month the authors of the Babuk Locker ransomware also mentioned similar functions in their malware, although no confirmed attacks have yet been found.
System administrators using VMware ESXi are advised to install the patches, or to disable SLP support to prevent attacks if the protocol is not used.
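As an added example (not from the original article and not VMware's own code): a small ESXi-shell script that reports whether the CIMSLP firewall ruleset or the slpd service is still enabled on a host, and wraps the disable steps from VMware's published SLP workaround (KB 76372). The `slp_status` function and the sample command outputs are constructed for this page; `esxcli`, `chkconfig` and `/etc/init.d/slpd` are the real ESXi commands.

```shell
#!/bin/sh
# Audit and (optionally) disable SLP on an ESXi host where it is not needed.
# Runs in the ESXi busybox shell; the parser below is a hypothetical helper.

# slp_status RULESET_TEXT CHKCONFIG_TEXT
#   RULESET_TEXT   = output of: esxcli network firewall ruleset list
#   CHKCONFIG_TEXT = output of: chkconfig --list
# Prints "exposed" if the CIMSLP ruleset is enabled or slpd is set to start,
# otherwise "disabled". Both must be off for the workaround to be complete.
slp_status() {
    ruleset_out="$1"
    chkconfig_out="$2"
    fw=$(printf '%s\n' "$ruleset_out" | awk '$1=="CIMSLP"{print tolower($2)}')
    svc=$(printf '%s\n' "$chkconfig_out" | awk '$1=="slpd"{print tolower($2)}')
    if [ "$fw" = "true" ] || [ "$svc" = "on" ]; then
        echo exposed
    else
        echo disabled
    fi
}

# Remediation steps from VMware KB 76372: stop the daemon, block the port in
# the ESXi firewall, and keep slpd from starting again after a reboot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Constructed sample outputs (shape of the real commands) for offline use.
SAMPLE_RULESET_ON='Name      Enabled
--------  -------
sshServer true
CIMSLP    true'
SAMPLE_CHKCONFIG_ON='slpd    on
sshd    on'
SAMPLE_RULESET_OFF='Name      Enabled
--------  -------
sshServer true
CIMSLP    false'
SAMPLE_CHKCONFIG_OFF='slpd    off
sshd    on'

# Live audit on a real host: sh slp_check.sh --audit
if [ "${1:-}" = "--audit" ]; then
    slp_status "$(esxcli network firewall ruleset list)" "$(chkconfig --list)"
fi
```

Run `disable_slp` only after confirming nothing on the network relies on ESXi's CIM/SLP discovery; re-run the audit afterwards to verify both indicators report "disabled".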
Let me remind you that we reported that VMware patched a 0-day vulnerability discovered by the NSA, and that OSR specialists released an unofficial patch for an NTFS bug in Windows 10.