CVE-2024-37085: Vulnerability in VMware gets out of control

Carding Forum

Cobalt Strike and Pypykatz open the way to full control of the network.

A recently patched vulnerability in VMware ESXi hypervisors is being actively exploited by several ransomware groups to gain elevated privileges and deploy file-encrypting malware.

The attacks exploit CVE-2024-37085 (CVSS score: 6.8), an authentication bypass in ESXi's Active Directory integration that gives the attacker administrative access to the host.

Broadcom-owned VMware, in an advisory published in June, noted that an attacker with sufficient permissions in Active Directory can gain full access to an ESXi host that has been configured to use AD for user management. This can be done by creating a new AD group named "ESX Admins" and adding a user to it, or by renaming any existing domain group to "ESX Admins".

Microsoft, in its analysis published on July 29, said that ransomware operators including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest are using this technique to deploy Akira and Black Basta. The researchers emphasized that ESXi hypervisors joined to an Active Directory domain grant full administrative rights by default to any member of a domain group named "ESX Admins". That group is not a built-in AD group and does not exist by default, and ESXi does not verify that it exists when the host is joined to the domain.
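The two halves of the technique described above (an attacker creating, populating or renaming a group to "ESX Admins", and the ESXi host trusting that name without checking) lend themselves to a hunt and an audit. The following is an added example, not code from the article, Microsoft or VMware: it flags the relevant Windows security events (group created, member added, account renamed) in a constructed sample log, and checks the two ESXi advanced settings that control the behaviour, `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` and `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd`. The sample events, user names and the replacement group name "vSphere-Host-Admins" are assumptions made up for the example.

```python
"""Hunt for the "ESX Admins" technique behind CVE-2024-37085 in Windows
security events and audit the ESXi advanced settings that disable it.

Added example: not code from the original article, Microsoft or VMware.
All sample events and host settings below are constructed for illustration.
"""
from dataclasses import dataclass

# Group name a domain-joined ESXi host grants full admin rights to by default.
# Matching is case-insensitive on purpose: SAM account names are not case
# sensitive, and a near-miss is still worth an alert.
DEFAULT_ADMIN_GROUP = "ESX Admins"

# Windows security event IDs for the three things the attackers do: create a
# group, add a member, or rename an existing group (4781 logs renames of
# groups as well as users). Local, global and universal variants are covered.
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
ACCOUNT_RENAMED = {4781}

# ESXi advanced settings that control the behaviour (real setting names).
ADMIN_GROUP_SETTING = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
AUTO_ADD_SETTING = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"


@dataclass
class Finding:
    event_id: int
    actor: str
    group: str
    detail: str


def _is_esx_admins(name):
    return name is not None and name.strip().casefold() == DEFAULT_ADMIN_GROUP.casefold()


def hunt_esx_admins(events):
    """Return a Finding for every event that creates, renames or populates a
    domain group carrying the ESXi admin group name.

    Each event is a dict keyed by EventID plus the EventData fields the
    security log uses: SubjectUserName (who did it), TargetUserName (the
    group), MemberName, OldTargetUserName and NewTargetUserName.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "<unknown>")
        group = ev.get("TargetUserName")
        if eid in GROUP_CREATED and _is_esx_admins(group):
            findings.append(Finding(eid, actor, group, "group created with the ESXi admin name"))
        elif eid in MEMBER_ADDED and _is_esx_admins(group):
            findings.append(Finding(eid, actor, group, f"member added: {ev.get('MemberName')}"))
        elif eid in ACCOUNT_RENAMED and _is_esx_admins(ev.get("NewTargetUserName")):
            findings.append(Finding(eid, actor, ev["NewTargetUserName"],
                                    f"renamed from {ev.get('OldTargetUserName')!r}"))
    return findings


def _enabled(value):
    # PowerCLI or the host client may hand the flag back as a bool or a string.
    return value if isinstance(value, bool) else str(value).strip().lower() in ("true", "1")


def audit_esxi_host(settings):
    """List what is still wrong with one host's AD admin-group settings.

    An empty list means the default group name has been changed and the
    automatic grant of admin rights to that group is switched off.
    """
    problems = []
    if _is_esx_admins(settings.get(ADMIN_GROUP_SETTING, DEFAULT_ADMIN_GROUP)):
        problems.append(f"{ADMIN_GROUP_SETTING} still uses the default name")
    if _enabled(settings.get(AUTO_ADD_SETTING, True)):
        problems.append(f"{AUTO_ADD_SETTING} is true: members of that group get admin automatically")
    return problems


# Constructed sample data: a benign group, the attacker's three moves, and a
# logon event that must not match.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Users"},
    {"EventID": 4727, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "svc_backup",
     "OldTargetUserName": "Printers", "NewTargetUserName": "esx admins"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
]
DEFAULT_HOST = {ADMIN_GROUP_SETTING: "ESX Admins", AUTO_ADD_SETTING: True}
HARDENED_HOST = {ADMIN_GROUP_SETTING: "vSphere-Host-Admins", AUTO_ADD_SETTING: "false"}

if __name__ == "__main__":
    for f in hunt_esx_admins(SAMPLE_EVENTS):
        print(f"event {f.event_id} by {f.actor}: {f.group} -> {f.detail}")
    for name, host in (("default", DEFAULT_HOST), ("hardened", HARDENED_HOST)):
        print(name, "host:", audit_esxi_host(host) or "OK")
```

Two caveats on the audit half. Changing only the group name is a weak mitigation: an attacker who can create groups and can read the host configuration can create a group with the new name just as easily, so the auto-add flag is the setting that actually closes the hole, and the proper fix remains updating to a patched ESXi build. And the hunt only sees what is logged: auditing of account management events has to be enabled on the domain controllers for 4727/4728/4781 to exist at all.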

In one Storm-0506 attack on an unnamed engineering firm in North America, the attackers exploited the vulnerability to escalate privileges on ESXi hypervisors after gaining initial access via QakBot and exploiting a separate vulnerability in the Windows Common Log File System (CLFS) driver (CVE-2023-28252, CVSS score: 7.8).

The attackers then deployed Cobalt Strike and Pypykatz (a Python implementation of Mimikatz) to steal domain administrator credentials and move laterally across the network. To maintain persistence, they installed the SystemBC implant, then used their access to ESXi to deploy Black Basta.

Attempts to brute-force RDP connections for lateral movement and further deployment of Cobalt Strike and SystemBC were also observed, as were attempts to tamper with Microsoft Defender Antivirus settings to evade detection.

Google-owned Mandiant reported that the financially motivated UNC4393 group has shifted to obtaining initial access through a C/C++ backdoor code-named ZLoader in order to deploy Black Basta, moving away from QakBot and DarkGate.

Mandiant notes that UNC4393 is willing to work with multiple distribution clusters to achieve its goals. The latest wave of ZLoader activity began earlier this year and is mainly distributed through malvertising, a notable shift from the group's earlier reliance on phishing.

The attacks use that initial access to deploy the Cobalt Strike Beacon and other reconnaissance tools. RDP and SMB are used for lateral movement, and SystemBC for persistence.

The ZLoader loader, which returned to the attackers' arsenal last year, is under active development. New variants are distributed through a PowerShell backdoor called PowerDash.

In recent years, ransomware operators have adopted new methods to maximize impact and evade detection, increasingly targeting ESXi hypervisors and exploiting newly disclosed vulnerabilities in internet-facing servers.

For example, the Qilin ransomware, originally written in Go, has since been rewritten in Rust. Recent Qilin attacks have targeted weaknesses in Fortinet and Veeam Backup & Replication products for initial access. The attackers use a tool called Killer Ultra to disable EDR products and clear Windows event logs to hide traces of the compromise.

Organizations are encouraged to install the latest software updates, maintain credential hygiene, enforce two-factor authentication, and protect critical assets with appropriate monitoring and recovery plans.
