Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.

CISA and FBI Release ESXiArgs Ransomware Recovery Guidance

Original release date: February 8, 2023

Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware. The ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines unusable.

As detailed in the advisory, CISA has created and released an ESXiArgs recovery script at https://github.com/cisagov/ESXiArgs-Recover. CISA and FBI encourage organizations that have fallen victim to ESXiArgs ransomware to consider using the script to attempt to recover their files.

Additionally, CISA and FBI encourage all organizations to review the advisory and incorporate the recommendations for protecting against ESXiArgs ransomware.

CISA Releases ESXiArgs Ransomware Recovery Script

Original release date: February 7, 2023

CISA has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.

CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is fit for attempting to recover access to files in their environment.

Organizations can access the recovery script here: https://github.com/cisagov/ESXiArgs-Recover

Zoom Spots Alternatives: Find the Best Video Conferencing Tool

Here’s an interesting article from Drew Moffit at Kumospace on a new virtual co-working feature from Zoom called Spots.

OpenSSL Releases Security Advisory

Original release date: February 9, 2023

OpenSSL has released a security advisory to address multiple vulnerabilities affecting the OpenSSL 3.0, 1.1.1, and 1.0.2 release branches. An attacker could exploit some of these vulnerabilities to obtain sensitive information.

CISA encourages users and administrators to review the OpenSSL advisory and make the necessary updates.
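Working out whether a given host is on a fixed release is harder than it looks, because OpenSSL 1.x uses letter suffixes for patch releases (1.1.1s is older than 1.1.1t, 1.0.2zf older than 1.0.2zg) while 3.x uses a plain third number. The script below is an added example, not code from OpenSSL or CISA: it parses the banner printed by `openssl version`, maps it to the release branch the advisory keys on, and compares it against the fix releases. The fix versions in the table (3.0.8, 1.1.1t, 1.0.2zg) are taken from the OpenSSL advisory of 7 February 2023 rather than from the digest above; the function and variable names are my own.

```python
import re
import subprocess

# Fix releases named in the OpenSSL advisory of 7 February 2023. These come from
# the advisory itself, not from the digest above; update for later advisories.
FIXED_RELEASES = {"3.0": "3.0.8", "1.1.1": "1.1.1t", "1.0.2": "1.0.2zg"}

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.1.1t  7 Feb 2023"
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Turn `openssl version` output into a comparable tuple.

    OpenSSL 1.x patch releases are a letter suffix (1.1.1s < 1.1.1t,
    1.0.2zf < 1.0.2zg); 3.x uses the third number. The letter run is mapped to
    a list of ints so plain tuple comparison orders releases correctly.
    """
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), [ord(c) - ord("a") + 1 for c in letters])


def branch_of(version):
    """Release branch the advisory keys on: '3.0' for 3.x, '1.1.1' / '1.0.2' for 1.x."""
    major, minor, patch, _ = version
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{patch}"


def assess(banner, fixed=FIXED_RELEASES):
    """Return (branch, verdict): 'fixed', 'vulnerable', or 'not-in-table' when
    the branch is not covered by the advisory table (e.g. the long-EOL 1.1.0)."""
    v = parse_version(banner)
    branch = branch_of(v)
    if branch not in fixed:
        return branch, "not-in-table"
    fixed_at = parse_version("OpenSSL " + fixed[branch])
    return branch, ("fixed" if v >= fixed_at else "vulnerable")


def assess_local():
    """Run the system `openssl version` binary and assess its banner."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    return out.strip(), assess(out)


if __name__ == "__main__":
    banner, (branch, verdict) = assess_local()
    print(f"{banner}: branch {branch} -> {verdict}")
```

Two caveats a practitioner should keep in mind: distribution packages (Debian, Ubuntu, RHEL and others) routinely backport the fix without changing the upstream version string, so a "vulnerable" verdict on a distro build must be confirmed against the package changelog; and applications that statically link or bundle their own libssl will not show up in `openssl version` at all. LibreSSL banners are rejected by `parse_version` because the advisory does not apply to them.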

Malicious Google Ads Target AWS Logins

From a high level, the workflow of the malvertising campaign followed a unique pattern, providing yet another example of the evolving malvertising campaigns ongoing through Google search results. In the case of AWS credentials targeting discussed here, we perform a normal Google search for “AWS”, which returns the malicious ad among the results.

The ad itself goes to a hop domain, which is an actor-controlled blogger website. This first hop then redirects to the actual credentials phishing page hosted on a second domain. After the victim submits their credentials, a final redirect sends the victim to the legitimate AWS login page. The redirect represents an effort to evade detection by cautious users, but more importantly to evade automated detection of the phishing websites and malicious ad monitors. The various hops and content included in the webpages of each domain add to the complexity of automated detection in such attacks.
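The detail that makes this chain detectable is the hand-off at the end: the victim submits credentials to a host that is not AWS and is immediately redirected to the real AWS sign-in page. The script below is an added example, not code from the SentinelLabs research or from this blog. It runs over a constructed, simplified proxy log and, per client, flags a POST to a non-AWS host that is followed within a few seconds by a GET to the genuine sign-in host, then rebuilds the hop chain that led there and notes whether it passed through a Google ad-click redirector. The log format, the `.invalid` attacker hostnames, the ten-second hand-off window and the five-minute look-back are all assumptions for illustration; `signin.aws.amazon.com` is the real AWS sign-in host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (format: timestamp client method url status).
# Attacker hosts use the reserved .invalid TLD; only the final hop is a real host.
SAMPLE_LOG = """\
2023-02-07T14:03:11Z 10.1.2.3 GET https://www.google.com/search?q=aws 200
2023-02-07T14:03:15Z 10.1.2.3 GET https://www.googleadservices.com/pagead/aclk?sa=L&ai=x 302
2023-02-07T14:03:15Z 10.1.2.3 GET https://cloud-tips-blog.invalid/2023/02/aws.html 302
2023-02-07T14:03:16Z 10.1.2.3 GET https://aws-console-signin.invalid/signin 200
2023-02-07T14:03:41Z 10.1.2.3 POST https://aws-console-signin.invalid/signin 302
2023-02-07T14:03:42Z 10.1.2.3 GET https://signin.aws.amazon.com/signin 200
2023-02-07T14:05:02Z 10.1.2.9 GET https://www.google.com/search?q=aws 200
2023-02-07T14:05:06Z 10.1.2.9 GET https://aws.amazon.com/ 200
2023-02-07T14:05:30Z 10.1.2.9 POST https://signin.aws.amazon.com/signin 302
2023-02-07T14:05:31Z 10.1.2.9 GET https://console.aws.amazon.com/console/home 200
"""

LEGIT_LOGIN_HOSTS = {"signin.aws.amazon.com"}
LEGIT_SUFFIXES = ("amazon.com", "amazonaws.com")
AD_CLICK_HOSTS = {"www.googleadservices.com", "www.google.com"}  # ad-click redirectors
HANDOFF_WINDOW = timedelta(seconds=10)   # assumed: POST -> real login page gap
CHAIN_LOOKBACK = timedelta(minutes=5)    # assumed: how far back to rebuild the hop chain

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not in the expected format
        ts, client, method, url, status = m.groups()
        parts = urlsplit(url)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "host": parts.hostname or "",
            "path": parts.path,
            "status": int(status),
        })
    return events


def is_legit_host(host):
    """True for the real sign-in host and anything under amazon.com / amazonaws.com."""
    return host in LEGIT_LOGIN_HOSTS or any(
        host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES
    )


def find_credential_handoffs(events, window=HANDOFF_WINDOW):
    """Flag a POST to a non-AWS host followed, within `window`, by the same client
    landing on the real AWS sign-in page. Each finding carries the ordered hop
    chain that preceded the POST and whether it passed through an ad click."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, post in enumerate(evs):
            if post["method"] != "POST" or is_legit_host(post["host"]):
                continue
            landed = next(
                (n for n in evs[i + 1:]
                 if n["ts"] - post["ts"] <= window
                 and n["method"] == "GET" and n["host"] in LEGIT_LOGIN_HOSTS),
                None,
            )
            if landed is None:
                continue
            recent = [x for x in evs[: i + 1] if post["ts"] - x["ts"] <= CHAIN_LOOKBACK]
            chain = list(dict.fromkeys(x["host"] for x in recent))  # ordered, de-duplicated
            via_ad = any(x["host"] in AD_CLICK_HOSTS and "/aclk" in x["path"] for x in recent)
            findings.append({
                "client": client,
                "phish_host": post["host"],
                "landed_on": landed["host"],
                "chain": chain,
                "via_ad_click": via_ad,
            })
    return findings


if __name__ == "__main__":
    for f in find_credential_handoffs(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} posted credentials to {f['phish_host']} via "
              f"{' -> '.join(f['chain'])} (ad click: {f['via_ad_click']})")
```

The second client in the sample log goes through a normal search, lands on aws.amazon.com and signs in directly, so it produces no finding. The rule is deliberately narrow: it keys on the credential hand-off rather than on the hop domains, which the article notes are rotated precisely to defeat blocklists and automated ad monitors.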

#StopRansomware – Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities

Original release date: February 9, 2023

CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities, to provide information on ransomware activity used by North Korean state-sponsored cyber actors to target various critical infrastructure sectors, especially Healthcare and Public Health (HPH) Sector organizations.

The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

  • Train users to recognize and report phishing attempts.
  • Enable and enforce phishing-resistant multifactor authentication.
  • Install and regularly update antivirus and antimalware software on all hosts.

See Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities for the ransomware actors’ tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

For more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.

Money laundering-as-a-service on the rise

Money laundering-as-a-service, where cybercriminal groups recruit cryptocurrency money mules through fake websites and job ads, will be made easier by automation, writes Derek Manky, vice president of global threat intelligence at FortiGuard Labs. To combat MLaaS, Manky proposes improved digital literacy, automated defense, and more public-private collaboration and sharing of threat intelligence.

Open-source repository malware sows Havoc

Aabquerys is a malicious npm package discovered typosquatting on a legitimate module; it downloads malicious components.

As part of the ReversingLabs research team’s ongoing surveillance of open source repositories, we have identified aabquerys, a malicious npm package that downloads second- and third-stage malware payloads to systems that have downloaded and run the npm package. (npm stands for Node Package Manager. It is the registry for JavaScript software packages, together with the command-line tools used to install packages and manage their dependencies. npm is free and relied on by over 11 million developers worldwide.)

Since discovering the aabquerys package, npm has removed it from its registry along with other malicious packages. We do not believe it poses any risk to development organizations at this point. However, the discovery of aabquerys and evidence of other malicious projects by the maintainer responsible for the package underscore the growing risk of malicious packages lurking in open source repositories like npm, PyPI and GitHub. This risk demands greater attention by development organizations to the telltale signs of malicious or suspicious behavior within their open source supply chain.

Here is the ReversingLabs threat research team’s findings — as well as guidance on how organizations can respond to the risk posed by malicious open source packages.
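The attack technique named above, typosquatting, is something a development team can screen for before a package is ever installed: compare each dependency name against the set of packages it is most likely imitating and flag anything one transposition, deletion or substitution away. The script below is an added example, not code from ReversingLabs or from the aabquerys write-up. It implements the optimal string alignment distance (edits plus adjacent transpositions), normalizes away the separator and scope tricks squatters use, and audits a parsed `package.json`. The popular-package list and the `package.json` excerpt are constructed for the example; the real legitimate module that aabquerys imitated is not named on this page, so it is not used here.

```python
import re

# Constructed list of well-known package names used as the "legitimate" set.
# In practice feed this from your own lockfiles or a download-count ranking.
POPULAR = ["express", "lodash", "request", "axios", "typescript", "react"]

# Constructed package.json excerpt: two names are one typo away from popular packages.
SAMPLE_PACKAGE_JSON = {
    "dependencies": {"express": "^4.18.2", "lodahs": "^4.17.21", "reqeust": "^2.88.2"},
    "devDependencies": {"typescript": "^4.9.5"},
}


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, plus
    transposition of adjacent characters, which covers the usual squat
    patterns (lodahs, expres, reqeust)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def normalize(name):
    """Lower-case, drop an npm scope, and strip the separators squatters toggle
    (lo-dash, lo_dash and lo.dash all collapse to lodash)."""
    name = name.lower()
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return re.sub(r"[-_.]", "", name)


def typosquat_candidates(name, popular, max_distance=None):
    """Return [(popular_name, distance)] for every popular package `name` may be
    squatting, nearest first. Distance 0 means it differs only by separators or
    scope. Threshold: 1 edit for short names, 2 for names of 8+ characters,
    unless max_distance overrides it."""
    n = normalize(name)
    hits = []
    for p in popular:
        pn = normalize(p)
        if pn == n:
            if p.lower() != name.lower():
                hits.append((p, 0))
            continue
        limit = max_distance if max_distance is not None else (1 if len(pn) < 8 else 2)
        dist = osa_distance(n, pn)
        if dist <= limit:
            hits.append((p, dist))
    return sorted(hits, key=lambda h: h[1])


def audit_package_json(pkg, popular):
    """Scan dependency names in a parsed package.json; return {name: candidates}."""
    names = list(pkg.get("dependencies", {})) + list(pkg.get("devDependencies", {}))
    result = {}
    for n in names:
        hits = typosquat_candidates(n, popular)
        if hits:
            result[n] = hits
    return result


if __name__ == "__main__":
    for name, hits in audit_package_json(SAMPLE_PACKAGE_JSON, POPULAR).items():
        print(f"{name}: possible squat of " + ", ".join(f"{p} (d={d})" for p, d in hits))
```

Run as a pre-install check in CI this catches the names that look like typos; it does not catch a package whose name is unrelated to any popular module, which is why the lookalike filter belongs alongside the behavioral signals the ReversingLabs team describes (install scripts, second-stage downloads, a maintainer with other suspicious packages). Very short names will generate false positives at distance 1, so lower the threshold or whitelist them.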





About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com