VMware vulnerability with 9.8 severity rating is under attack
The vulnerability, tracked as CVE-2021-21985, resides in the vCenter Server, a tool for managing virtualization in large data centers. At least one reliable exploit has gone public, and there have been successful attempts in the wild to compromise servers that run the vulnerable software. Researchers say the exploit works reliably and that little additional work is needed to use the code for malicious purposes, stating that it is able to gain remote code execution with a single mouse click. Admins responsible for vCenter machines that have yet to patch CVE-2021-21985 should install the update immediately if possible. Ars Technica expects today, Monday, to see attack volumes hit their peak.
GitHub updates policy to remove exploit code when used in active attacks
Stating that it will not allow the use of GitHub in direct support of unlawful attacks or malware campaigns that cause technical harm, the Microsoft-owned company said it may take steps to disrupt ongoing attacks that leverage the platform as an exploit or malware content delivery network (CDN). To that end, users are now prohibited from uploading, posting, hosting, or transmitting any content that could be used to deliver malicious executables or abuse GitHub as attack infrastructure, for example by organizing denial-of-service (DoS) attacks or managing command-and-control (C2) servers. In scenarios where there is active, widespread abuse of dual-use content, the company said it might restrict access to such content by putting it behind authentication barriers, and as a “last resort,” disable access or remove it altogether when other restriction measures are not feasible. GitHub also noted that it would contact the relevant project owners about the controls put in place where possible.
Colonial Pipeline breached via single compromised password
An analysis of the cyberattack on Colonial Pipeline found that the hackers were able to access the company’s network using a compromised VPN password. According to cybersecurity firm Mandiant, the forensic division of FireEye, as well as Colonial CEO Joseph Blount, the VPN account didn’t use multi-factor authentication, which allowed the hackers to access Colonial’s network with only a compromised username and password. It’s not clear whether the hackers discovered the username or were able to figure it out independently. The password was discovered among a batch of passwords leaked on the dark web.
Ransomware backup provider Exagrid pays $2.6m to ransomware attackers
The ransom was paid in bitcoin on May 13. Accession to the ransomware attacker’s demands was made more embarrassing when the backup appliance supplier – which makes a big play of its strengths against ransomware – accidentally deleted the decryption tool and had to ask for it again. The ransomware group, Conti, who had lurked inside the Exagrid network for over a month, revealed they had over 800 gigabytes of personal data of clients and employees, commercial contracts, NDA forms, financial data, tax returns and source code. The initial ransom demanded was $7,480,000 but was negotiated down to $2.6 million.
Thanks to our episode sponsor, Trend Micro
FBI charges Miami woman with writing code for Trickbot ransomware gang
The U.S. Department of Justice has arrested a 55-year-old Miami woman, Alla Witte, aka “Max,” a Latvian national, accusing her of working as a malware developer for the Trickbot group, writing code related to the control, deployment, and payments of ransomware. If convicted, Witte faces a maximum penalty of 30 years in prison for conspiracy to commit wire and bank fraud, 30 years in prison for each substantive bank fraud count, a two-year mandatory sentence for each aggravated identity theft count, and 20 years in prison for conspiracy to commit money laundering. The indictment alleges that since November 2015, she and others stole money and confidential information from unsuspecting victims in many countries by using the Trickbot malware.
Singaporean C-suite leaders believe remote working led to increased cyberattacks
According to a research report from VMware, over 82% of Singaporean cybersecurity professionals said remote working increased cyberattacks, with 68% of successful breaches serious enough to require reporting to regulators. Singapore witnessed the highest average number of breaches per year, with increased attack sophistication hitting health care, manufacturing and financial services hardest, and 60% of the Singaporean CISOs surveyed fear their organization will experience a material breach in the coming year. The respondents stated that, because of the new normal of working from home, many organizations have been struggling to process and monitor critical data, making them vulnerable to unauthorized intrusions.
FBI subpoenas info on readers of news story on slain agents
The subpoenas demanded that U.S. newspaper giant Gannett provide agents with information to track down readers of a USA Today story about a suspect in a child pornography case who fatally shot two FBI agents in February. The subpoena asks for information about anyone who clicked on the article for a period of about 35 minutes on the day after the shooting. It seeks the IP addresses — which can sometimes be used to identify the location of a computer, the company or organization it belongs to, and where it was registered — along with mobile phone identification information of the readers.