Posted on

VMware ESXi Hyper-V Servers Targeted By Ransomware Threat

Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact, by Eric Loui and Sergei Frankoff, CrowdStrike.

Targeted large-scale ransomware campaigns, referred to as big game hunting (BGH), remained the primary eCrime threat to organizations across all sectors in 2020. The relentless volume and pace of these campaigns mean that some sophisticated BGH actors have not attracted much attention. Two such groups are SPRITE SPIDER, the operators of the Defray777 ransomware (aka Defray, Defray 2018, Target777, RansomX, RansomEXX), and CARBON SPIDER, a group formerly focused on compromising point-of-sale (POS) devices, which was responsible for introducing the Darkside ransomware.

While ransomware for Linux has existed for many years, BGH actors have not historically targeted Linux, much less the ESXi hypervisor specifically. This likely reflects the overwhelming dominance of the Windows operating system in businesses and large organizations. However, in the second half of 2020, SPRITE SPIDER and CARBON SPIDER began deploying Linux versions of Defray777 and Darkside, respectively, designed specifically to affect ESXi.

Affected victims include organizations that have used virtualization to host many of their corporate systems on a few ESXi servers, creating a virtual jackpot for the ransomware. By deploying ransomware on these ESXi hosts, adversaries were able to quickly increase the scope of affected systems within the victim environments, resulting in additional pressure on victims to pay a ransom demand. This is a new BGH tactic CrowdStrike refers to as Hypervisor Jackpotting.

What Is ESXi?

ESXi is a Type-1 hypervisor (aka a “bare-metal” hypervisor) developed by VMware. A hypervisor is software that runs and manages virtual machines (VMs). In contrast to Type-2 hypervisors that run on a conventional host operating system, a Type-1 hypervisor runs directly on a dedicated host’s hardware. ESXi systems are commonly managed by vCenter, a centralized server administration tool that can control multiple ESXi devices. While ESXi is not a Linux operating system, it is possible to run some Linux-compiled ELF binaries within the ESXi command shell.

According to multiple estimates, VMware holds an overwhelming majority of the worldwide virtual machine market share, well ahead of its nearest competitor. This means that threat actors seeking to encrypt virtual infrastructure may prioritize developing malware that can affect VMware environments.

SPRITE SPIDER and Defray777 Ransomware

SPRITE SPIDER is an eCrime actor that conducts low-volume BGH ransomware campaigns using the Defray777 ransomware. Other tools used by SPRITE SPIDER include the Vatet loader and the PyXie remote access tool (RAT). The adversary has established initial access by exploiting vulnerable Citrix Application Delivery Controllers, as well as by using LUNAR SPIDER’s BokBot trojan. To avoid detection, SPRITE SPIDER often stages payloads on internal servers within a victim network and uses in-memory-only deployments of its later-stage tooling. SPRITE SPIDER uses both PyXie and Cobalt Strike to move laterally within a victim environment after obtaining initial access.  

Like other BGH actors, SPRITE SPIDER first attempts to compromise domain controllers (DCs). After acquiring DC access, SPRITE SPIDER collects and exfiltrates sensitive victim data, then deploys its Defray777 ransomware. In November 2020, SPRITE SPIDER launched a dedicated leak site (DLS) on a Tor hidden service domain to publish files from noncompliant ransomware victims.

Leaking stolen data in an effort to pressure victims into paying is part of a broader trend across the BGH ecosystem. Compared to other BGH actors, SPRITE SPIDER was relatively late to adopt this tactic, possibly due to a desire to avoid attention. 

In July 2020, SPRITE SPIDER began using a Linux version of its Defray777 ransomware. The Linux version contains the same file scanning and encryption logic as its Windows counterpart, and is designed to receive a command-line argument with a path to the directory where it will begin its recursive encryption process. Files are encrypted using AES in ECB mode with a 256-bit key that is uniquely generated for each file. The key is then encrypted using an embedded 4096-bit RSA public key and appended to the encrypted file. Each victim is targeted with a unique build of Defray777 containing a unique RSA public key. If a victim pays the ransom, they receive a decryption tool containing an RSA private key that corresponds to the public encryption key.

ESXi Access

In order to compromise ESXi devices, SPRITE SPIDER attempts to harvest credentials that can be used to authenticate to the vCenter web interface. SPRITE SPIDER uses PyXie’s LaZagne module to recover vCenter credentials stored in web browsers, and also runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables SSH to permit persistent access to ESXi devices. In some cases, the adversary will also change the root account password or the host’s SSH keys.

ESXi Encryption

While SPRITE SPIDER uses an in-memory deployment technique for the Windows variant of Defray777, on ESXi the adversary typically writes the Linux version of Defray777 to /tmp/, using a filename that masquerades as a legitimate tool (e.g., svc-new). SPRITE SPIDER enumerates system information and processes on the ESXi host using the uname, df, and esxcli vm process list commands.

Before executing Defray777, SPRITE SPIDER terminates running VMs in order to allow the ransomware to encrypt files associated with the VMs. SPRITE SPIDER may also uninstall VMware Fault Domain Manager (FDM) using a bash script named VMware-fdm-uninstall.sh. FDM is a tool that monitors VMs and reboots them when a VM fails. 

CARBON SPIDER and Darkside Ransomware

Since 2016, CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. CARBON SPIDER has used a variety of backdoors and RATs to enable persistent access. The adversary’s signature persistent access tools include the Sekur (aka Anunak) implant, which has been used since 2016, and the Harpy (aka Griffon) backdoor, which has been used from 2018 through 2020. CARBON SPIDER extensively uses Cobalt Strike for lateral movement, as well as open-source post-exploitation tools like PowerSploit.

In April 2020, the adversary abruptly shifted its operational model away from narrow campaigns focused entirely on companies operating POS devices, to broad, opportunistic operations attempting to infect large numbers of victims across almost all sectors. The goal of these campaigns was to deliver the REvil ransomware, which CARBON SPIDER obtained from ransomware-as-a-service (RaaS) vendor PINCHY SPIDER. It is likely CARBON SPIDER pivoted to BGH in response to the COVID-19 pandemic, which dramatically reduced in-person retail sales and hospitality business. Similar to SPRITE SPIDER, CARBON SPIDER typically seeks to compromise a DC first before exfiltrating data and deploying ransomware.

CARBON SPIDER deepened its commitment to BGH through 2020 by introducing its own ransomware, Darkside. In August 2020, the adversary began deploying Darkside, likely in order to avoid sharing profits from BGH campaigns with PINCHY SPIDER, the REvil vendor. In November 2020, the adversary took another step into the world of BGH by establishing a RaaS affiliate program for Darkside, allowing other actors to use the ransomware while paying CARBON SPIDER a cut. Similar to SPRITE SPIDER and others, CARBON SPIDER operates a DLS for Darkside, which has been active since August 2020. 

In August 2020, CARBON SPIDER also began using a Linux variant of Darkside configured specifically to affect ESXi hosts. The ESXi version of Darkside targets files relating to VMware virtual machines, including files with the following extensions: .vmdk, .vswp, .vmem, .vmsn, .nvram, .vmsd, .vmss, .vmx, .vmxf and .log. Files are encrypted using the ChaCha20 algorithm with a 32-byte key and 8-byte nonce, uniquely generated per file. The ChaCha20 key and nonce are then encrypted using a 4096-bit RSA public key that is embedded in the ransomware. To speed up the encryption process, Darkside also has a configurable encryption size that can be used to control how much of each file is encrypted. In samples recovered by CrowdStrike Intelligence, the encryption size was set to 50MB, which is enough data to prevent the recovery of the virtual machine files. An example of the Darkside configuration, as written to its log file, is shown in Figure 1.

Figure 1. Darkside configuration from log file
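The two encryption schemes described above leave different forensic traces. Defray777 uses AES in ECB mode, so equal 16-byte plaintext blocks always produce equal ciphertext blocks, and VM disk, swap and memory files (.vmdk, .vswp, .vmem) are full of identical, often all-zero, blocks that survive encryption as repeated ciphertext blocks. Darkside's ChaCha20 is a stream cipher and leaves no such pattern. The following is an added triage script, not CrowdStrike's code or either ransomware's, that measures block repetition to tell the two cases apart. It assumes SHA-256-based stand-ins for AES-ECB and ChaCha20 so it runs with the standard library only (the repetition property is the same as with the real ciphers), and the "VM file" it inspects is constructed.

```python
"""Forensic triage heuristic: does an encrypted file still show 16-byte block repetition?"""
import hashlib
import random

BLOCK = 16


def ecb_like_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-ECB (assumption: keyed SHA-256 truncation replaces the AES block
    cipher). Each block is mapped independently of its position, as ECB does."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK].ljust(BLOCK, b"\0")  # zero-pad the final short block
        out += hashlib.sha256(key + block).digest()[:BLOCK]
    return bytes(out)


def stream_like_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for ChaCha20 (assumption: SHA-256 keystream). Ciphertext is plaintext XOR
    a keystream that depends on key, nonce and position, so equal blocks do not repeat."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = hashlib.sha256(key + nonce + i.to_bytes(8, "little")).digest()
        ks += hashlib.sha256(ks).digest()  # 64-byte keystream block
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def block_repetition_ratio(data: bytes) -> float:
    """Fraction of whole 16-byte blocks that duplicate another block (0.0 = none)."""
    n = len(data) // BLOCK
    if n == 0:
        return 0.0
    distinct = {data[i * BLOCK:(i + 1) * BLOCK] for i in range(n)}
    return 1.0 - len(distinct) / n


def looks_ecb_encrypted(data: bytes, threshold: float = 0.05) -> bool:
    """Random-looking ciphertext has ~0 repeated blocks; ECB output of a VM file has many."""
    return block_repetition_ratio(data) >= threshold


# Constructed stand-in for a VM memory/disk file: a random-looking header, a long run of
# zero pages, and a random-looking tail. Seeded so the run is reproducible.
_rnd = random.Random(2021)


def _pseudo_random(n: int) -> bytes:
    return bytes(_rnd.getrandbits(8) for _ in range(n))


SAMPLE_VM_FILE = _pseudo_random(4096) + bytes(60 * 1024) + _pseudo_random(1024)
KEY = hashlib.sha256(b"constructed example key").digest()  # 32-byte placeholder key
NONCE = b"8bytenon"                                         # 8-byte placeholder nonce

if __name__ == "__main__":
    ecb = ecb_like_encrypt(KEY, SAMPLE_VM_FILE)
    stream = stream_like_encrypt(KEY, NONCE, SAMPLE_VM_FILE)
    print(f"plaintext repetition:    {block_repetition_ratio(SAMPLE_VM_FILE):.3f}")
    print(f"ECB-style repetition:    {block_repetition_ratio(ecb):.3f} flagged={looks_ecb_encrypted(ecb)}")
    print(f"stream-style repetition: {block_repetition_ratio(stream):.3f} flagged={looks_ecb_encrypted(stream)}")
```

The ratio of the ECB output equals that of the plaintext exactly, because ECB preserves block equality; the stream output drops to essentially zero. Run over a datastore after an incident, the check separates Defray777-style ECB output from Darkside-style output and from untouched files, using nothing but the file bytes.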

ESXi Access

Similar to SPRITE SPIDER, CARBON SPIDER has gained access to ESXi servers using valid credentials. The adversary has typically accessed these systems via the vCenter web interface, using legitimate credentials, but has also logged in over SSH using the Plink utility to drop Darkside.

ESXi Encryption

CARBON SPIDER writes Darkside to /tmp/ on ESXi hosts with a generic filename. The adversary typically does not do the same amount of host reconnaissance that SPRITE SPIDER does. CARBON SPIDER has used built-in VMware Tools scripts to shut down guest VMs in order to make sure these VMs are encrypted by Darkside.

Conclusion

By deploying ransomware on ESXi, SPRITE SPIDER and CARBON SPIDER likely intend to impose greater harm on victims than could be achieved by their respective Windows ransomware families alone. Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations.

If these ransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to target virtualization infrastructure in the medium term.

MITRE ATT&CK® TTP Comparison

The following table provides an overview of SPRITE SPIDER and CARBON SPIDER’s tactics, techniques and procedures (TTPs) specific to ESXi ransomware attacks.


| Tactic | Technique | SPRITE SPIDER | CARBON SPIDER | Summary |
|---|---|---|---|---|
| Initial Access | T1078 – Valid Accounts | Y | Y | Both SPRITE SPIDER and CARBON SPIDER authenticate to vCenter using valid credentials |
| Execution | T1059.004 – Command and Scripting Interpreter: Unix Shell | Y | Y | The adversaries use the ESXi command shell to transfer and execute the ransomware |
| Persistence | T1078 – Valid Accounts | Y | Y | Previously compromised credentials enable persistent access |
| Persistence | T1098.004 – Account Manipulation: SSH Authorized Keys | Y | | SPRITE SPIDER has changed root SSH keys for ESXi hosts |
| Defense Evasion | T1222.002 – File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Y | Y | Both adversaries mark their respective ransomware binaries as executable using chmod |
| Defense Evasion | T1036.005 – Masquerading: Match Legitimate Name or Location | Y | Y | Defray777 and Darkside use filenames that appear to be innocuous or legitimate |
| Defense Evasion | T1070.004 – Indicator Removal on Host: File Deletion | Y | | SPRITE SPIDER may delete the Defray777 binary after execution |
| Discovery | T1082 – System Information Discovery | Y | | SPRITE SPIDER performs basic reconnaissance (e.g., uname, df) |
| Discovery | T1057 – Process Discovery | Y | | SPRITE SPIDER performs basic reconnaissance (e.g., esxcli vm process list) |
| Impact | T1489 – Service Stop | Y | Y | Both adversaries may attempt to terminate running VMs |
| Impact | T1486 – Data Encrypted for Impact | Y | Y | Defray777 and Darkside encrypt victim systems |
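The ESXi Access and ESXi Encryption sections, and the TTP table above, describe a short, distinctive sequence on the hypervisor: reconnaissance with uname, df and esxcli vm process list, a binary staged in /tmp/ under an innocuous name and marked executable, running VMs terminated (or FDM removed), the binary run, and then deleted. Each step on its own is routine administration, so the useful detection is the combination. The script below is an added example, not CrowdStrike's or VMware's code, that maps ESXi shell history onto the techniques in the table and raises a verdict only on that combination. It assumes a simplified line format for ESXi's /var/log/shell.log ("<timestamp> shell[<pid>]: [<user>]: <command>"; the real format varies by version), and every log line in it is constructed.

```python
"""Map ESXi shell history onto the Hypervisor Jackpotting TTPs and alert on the sequence."""
import re

# Assumption: simplified shell.log line format; adjust the pattern to your ESXi version.
SHELL_LINE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# (rule key, ATT&CK technique, pattern applied to the command text)
RULES = [
    ("recon_host", "T1082",     re.compile(r"^(uname|df)\b")),
    ("recon_vms",  "T1057",     re.compile(r"^esxcli\s+vm\s+process\s+list\b")),
    ("stage_tmp",  "T1059.004", re.compile(r"^(cp|mv|wget|curl|scp)\b.*\s/tmp/\S+")),
    ("chmod_tmp",  "T1222.002", re.compile(r"^chmod\s+\S+\s+/tmp/\S+")),
    ("kill_vm",    "T1489",     re.compile(r"^esxcli\s+vm\s+process\s+kill\b|^vim-cmd\s+vmsvc/power\.off\b")),
    ("remove_fdm", "T1489",     re.compile(r"VMware-fdm-uninstall\.sh")),
    ("ssh_keys",   "T1098.004", re.compile(r"/etc/ssh/keys-root/authorized_keys|^passwd\b")),
    ("exec_tmp",   "T1059.004", re.compile(r"^/tmp/\S+")),
    ("delete_tmp", "T1070.004", re.compile(r"^rm\s+(-\S+\s+)*/tmp/\S+")),
]


def triage(log_text: str):
    """Return one hit per matching (line, rule): (timestamp, user, rule key, technique, command)."""
    hits = []
    for line in log_text.splitlines():
        m = SHELL_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        for key, technique, pattern in RULES:
            if pattern.search(cmd):
                hits.append((m.group("ts"), m.group("user"), key, technique, cmd))
    return hits


def techniques(hits):
    """Distinct ATT&CK technique ids seen in the hits, sorted."""
    return sorted({h[3] for h in hits})


def is_jackpotting_sequence(hits) -> bool:
    """Verdict only on the combination: a binary staged in /tmp and made executable,
    run from there, and guest VMs stopped (or FDM removed). Each step alone is routine."""
    keys = {h[2] for h in hits}
    staged = {"stage_tmp", "chmod_tmp"} <= keys
    executed = "exec_tmp" in keys
    vms_stopped = bool({"kill_vm", "remove_fdm"} & keys)
    return staged and executed and vms_stopped


# Constructed shell history modelled on the SPRITE SPIDER steps in the text.
SAMPLE_LOG = """\
2021-01-15T10:20:03Z shell[2099537]: [root]: uname -a
2021-01-15T10:20:09Z shell[2099537]: [root]: df -h
2021-01-15T10:20:31Z shell[2099537]: [root]: esxcli vm process list
2021-01-15T10:21:02Z shell[2099537]: [root]: mv /vmfs/volumes/datastore1/.cache/svc-new /tmp/svc-new
2021-01-15T10:21:10Z shell[2099537]: [root]: chmod +x /tmp/svc-new
2021-01-15T10:21:40Z shell[2099537]: [root]: esxcli vm process kill --type=force --world-id=2098
2021-01-15T10:21:55Z shell[2099537]: [root]: sh /tmp/VMware-fdm-uninstall.sh
2021-01-15T10:22:05Z shell[2099537]: [root]: /tmp/svc-new /vmfs/volumes
2021-01-15T10:40:12Z shell[2099537]: [root]: rm -f /tmp/svc-new
"""

# Constructed routine administration, which must not raise the verdict.
BENIGN_LOG = """\
2021-01-15T09:00:00Z shell[2099100]: [root]: df -h
2021-01-15T09:00:20Z shell[2099100]: [root]: esxcli network ip interface list
2021-01-15T09:01:00Z shell[2099100]: [root]: vim-cmd vmsvc/getallvms
"""

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        hits = triage(log)
        print(f"{name}: techniques={techniques(hits)} jackpotting={is_jackpotting_sequence(hits)}")
```

The benign history still produces a T1082 hit for df, which is why the verdict is built from the staged-executed-VMs-stopped combination rather than from any single rule; forwarding shell.log off the host matters too, since the same table lists file deletion (T1070.004) as part of the cleanup.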

Indicators of Compromise

Example SHA256 hashes of Darkside and Defray777 Linux variants:

| Description | SHA256 hash |
|---|---|
| Darkside Linux Binary | da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5 |
| Defray777 Linux Binary | cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849 |

Beware the latest Phishing domains on Chrome Web Store by domain registrar GalComm Israel

The latest batch of rogue apps from the Chrome Web Store have all been traced back to a single, increasingly questionable domain registrar company in Israel that goes by the name GalComm. Over 1,000 malicious domains were found.

Read the full report by Chromeunboxed

What to do to stay safe?

Please contact your IT support administrator for guidance before installing new Chrome web apps. For help from the professionals, contact us on our website chat or online contact form. We’re always happy to help you!


Ransomware Can Kill Trust

Ransomware can kill the Trust small and medium businesses need from Customers

It’s already been a record-breaking year for ransomware attacks, in line with the ransomware attack numbers of 2020, to quote Adam Levin writing in Inc. Barely a week goes by without reports of a new strain or variant of malware wreaking havoc among companies.

1-99-employee companies are a target

No industry, category, size, or group is safe from this cyber scourge. 

We hear about the big ones. Manufacturing giant Honda had its networks brought to a standstill by just such an attack. Millions of inboxes have been hit with a variant of Avaddon ransomware. High-profile entertainment law firm Grubman Shire Meiselas & Sacks suffered a one-two punch of infection via REvil ransomware followed by a dark web auction of the firm’s client documents.

Small companies get hit all the time, but when they go out of business as a result it’s not news. It doesn’t matter how big your company is. In fact, what may matter more is how easy you are to hack. 

A compounded threat for businesses

While there’s no shortage of examples of ransomware attacks, a recent study by data protection firm Veritas suggests an even bigger problem that few, if any, companies are prepared for: Customers are increasingly laying the blame on companies, specifically their CEOs, rather than on the hackers perpetrating the attacks.

The statistics are sobering. Twelve thousand respondents in the U.S., U.K., Germany, Japan, France, and China thought companies were to blame, with 40 percent saying CEOs should be doing a better job. In the same survey, 35 percent thought CEOs should be fined for a cyber failure, and 30 percent wanted to see a CEO lose his or her right to run any company following a serious cyber event. Another 23 percent thought the CEO should face a prison sentence.

Some of the survey’s findings suggest there’s some cognitive dissonance. For instance, 71 percent of respondents said companies shouldn’t pay ransoms to hackers, but 55 percent wanted businesses to pay a ransom if their own personal data was at risk. The numbers point to a nascent blame game, which in turn points to the need for companies large and small to make sure they have cyber insurance, often the only thing between your company and an extinction-level cyber event.

What can CEOs do?

With 44 percent in the Veritas survey claiming that they would stop using a business’s services following a ransomware-related breach regardless of how the company responded, it matters how you handle cyber.

With customers pointing the finger at business leadership, CEOs face a new layer to what was already an extinction-level threat. If the combined costs of paying a ransom and the resulting breach-related expenses aren’t enough to ruin a company, customers and clients are increasingly poised to drive the final nail in the coffin.

Preventing data breaches and implementing adequate cybersecurity safeguards was a daunting assignment even before the Covid-19 pandemic. A 2019 study showed that 80 percent of IT business leaders expected a critical breach or a successful cyberattack within a year, double what a similar study had indicated in 2015.

The inevitability of a successful cyberattack, ransomware-related or otherwise, cannot be mitigated by any CEO, but managing the aftermath can. 

Much has been made of the shortage of skilled cybersecurity workers, to say nothing of supply chain vulnerabilities, unpatched or outdated software, or employee malfeasance. But the answer for management here lies in being prepared.

While corporate security fails are complex, a good leader needs only to be prepared for the day the inevitable happens. More than half of security personnel surveyed in 2019 believed that CEOs ignored security plans, and 14 percent said that their CEOs hadn’t received any cybersecurity training. Another study showed that 40 percent of IT professionals specifically cited their company’s CEO as the weakest link in their company’s security. Only you know if this is true of your organization. And if it is, only you can take steps to get cyber right. 

There’s an oft-quoted saying that “culture eats strategy for breakfast,” and that’s very true when it comes to cyber. Know the risks, get help if you need it, get insured, and take it seriously.