Abyss Locker ransomware targets VMware ESXi with Linux variant

SISA Weekly Threat Watch - 07 August 2023

Over the past week, threat actors have again shown how varied their intrusion methods are. This edition covers a critical OpenSSH ssh-agent vulnerability that allows remote code execution, a Linux variant of Abyss Locker ransomware that targets VMware ESXi servers, the P2PInfect worm spreading through exposed Redis servers, abuse of the AWS Systems Manager (SSM) Agent as a remote access trojan, and njRAT delivered through trojanized TeamViewer installers. The pace of change underscores the need for organizations to review the mitigations below and stay vigilant against intrusions.

SISA Weekly Threat Watch – our weekly feature – brings you a quick snapshot of the major security vulnerabilities and threats that affected organizations worldwide. These recurring, actionable advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.

1. CVE-2023-38408: Critical OpenSSH vulnerability allows RCE on Linux systems

Details have emerged about a now-patched flaw in OpenSSH, tracked as CVE-2023-38408, that can be exploited to run arbitrary commands on a host under specific conditions. The flaw lies in the PKCS#11 support of ssh-agent: a remote attacker who controls a server to which a victim has forwarded their SSH agent may be able to execute commands of their choosing on the victim's machine.

OpenSSH is a widely used connectivity tool for remote login over the SSH protocol, which encrypts all traffic to prevent eavesdropping, connection hijacking and similar attacks. Exploitation requires specific shared libraries to be present on the victim's system and the victim's SSH authentication agent to be forwarded to an attacker-controlled host. ssh-agent is a background program that keeps private keys in memory so that users can log in to servers without re-entering their passphrase; with agent forwarding, a remote server is allowed to use those keys through the victim's agent, and that channel is what the attack abuses. Users of OpenSSH should update to version 9.3p2 or later, which contains the fix, and should avoid forwarding the agent to hosts they do not fully trust.
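Two quick checks a defender would want for this item, written as an added example (not SISA's tooling): classify the banner printed by `ssh -V` against the 9.3p2 fix, and list the hosts in a client's ssh_config for which agent forwarding is enabled. The sample ssh_config is constructed; the version test only understands portable OpenSSH version strings, and because distributions often backport fixes without changing the upstream version, "vulnerable" means "check the vendor advisory", not "confirmed exploitable".

```python
"""Added example (not SISA's tooling): two quick checks for CVE-2023-38408.

agent_status() classifies an `ssh -V` banner against OpenSSH 9.3p2, the
release that fixed the ssh-agent PKCS#11 bug (portable version strings only).
forwarding_hosts() lists the Host blocks of an ssh_config in which
ForwardAgent is enabled, because the attack needs the agent forwarded to an
attacker-controlled server.

Caveat: distributions often backport fixes without changing the upstream
version string, so "vulnerable" here means "check your vendor's advisory".
"""
import re
import subprocess

FIXED = (9, 3, 2)  # OpenSSH_9.3p2 carries the fix
_BANNER = re.compile(r"OpenSSH_(\d+)\.(\d+)p(\d+)")

# Constructed sample ~/.ssh/config used for the demonstration.
SAMPLE_CONFIG = """\
ForwardAgent yes                 # global default: risky
Host bastion
    HostName bastion.example.com
    ForwardAgent no
Host dev-*
    ForwardAgent yes
Host *.untrusted.example
    ForwardAgent=yes             # ssh_config also accepts key=value
"""


def agent_status(banner):
    """Return 'vulnerable', 'patched' or 'unknown' for an `ssh -V` banner."""
    m = _BANNER.search(banner)
    if not m:
        return "unknown"  # non-portable build or unexpected format
    version = tuple(int(x) for x in m.groups())
    return "patched" if version >= FIXED else "vulnerable"


def local_agent_status():
    """Run `ssh -V` on this machine; OpenSSH prints the banner on stderr."""
    try:
        out = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return agent_status(out.stderr + out.stdout)


def forwarding_hosts(ssh_config):
    """Host patterns ('*' for settings before any Host line) with ForwardAgent yes.

    Match blocks are not tracked separately: a ForwardAgent inside one is
    reported under the preceding Host pattern, so review those by hand.
    """
    hosts, current = [], "*"
    for raw in ssh_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = value
        elif key == "forwardagent" and value.lower() == "yes":
            hosts.append(current)
    return hosts


if __name__ == "__main__":
    print("local ssh:", local_agent_status())
    print("agent forwarding enabled for:", forwarding_hosts(SAMPLE_CONFIG))
```

Run it on a fleet by collecting `ssh -V` banners and user ssh_config files; any host reported as "vulnerable" that also forwards its agent to third-party or shared servers should be patched first.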

2. Abyss Locker ransomware targets VMware ESXi servers

VMware ESXi is one of the most widely used virtualization platforms, so many ransomware groups have released Linux encryptors that encrypt every virtual machine hosted on a server in one pass. The operators of Abyss Locker have now expanded their reach with a Linux variant aimed at VMware ESXi systems. Security researchers identified a Linux ELF encryptor for Abyss Locker, reported to be based on the HelloKitty ransomware code, built specifically to attack ESXi hosts.

Analysis of the encryptor shows that it uses the 'esxcli' command-line ESXi management tool to enumerate running virtual machines and then terminate them, so that their files are no longer locked by the hypervisor. Once a VM has been stopped, the encryptor encrypts its virtual disks (.vmdk), metadata (.vmsd) and snapshots (.vmsn). For every encrypted file, a ransom note with the .README_TO_RESTORE extension is created containing the negotiation instructions. To protect these critical assets, keep ESXi hosts, hypervisors and associated management software up to date with the latest security patches; restrict access to the ESXi management network and disable the ESXi Shell and SSH when they are not needed; enforce multi-factor authentication (MFA) and least privilege on vCenter and host accounts; keep offline or immutable backups of VM files; and train staff on security best practices.
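The enumerate-then-terminate sequence above is visible in an ESXi host's shell history, which makes it a practical detection. The following is an added example (not SISA's content and not a vendor detection rule) that flags a shell session killing several VMs in a short window and lists ransom notes on a datastore. The log lines are constructed, modelled on the ESXi /var/log/shell.log format "<timestamp> shell[<pid>]: [<user>]: <command>", where the pid identifies one interactive shell session; the datastore listing is a constructed list of paths of the kind `find /vmfs/volumes` returns.

```python
"""Added example (not SISA's content and not any vendor's detection rule):
flag the "enumerate, then mass-kill VMs" pattern that ESXi ransomware
encryptors such as the Abyss Locker Linux variant leave in a host's shell
history, and list ransom notes found on a datastore.

Assumptions: the log lines are constructed, modelled on the ESXi
/var/log/shell.log format "<timestamp> shell[<pid>]: [<user>]: <command>",
where the pid identifies one interactive shell session; the datastore
listing is a constructed list of paths such as `find /vmfs/volumes` returns.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) shell\[(\d+)\]: \[(\w+)\]: (.*)$")
LIST = re.compile(r"esxcli\s+vm\s+process\s+list\b")
KILL = re.compile(r"esxcli\s+vm\s+process\s+kill\b")

SAMPLE_SHELL_LOG = """\
2023-07-28T08:02:11Z shell[2170001]: [root]: esxcli vm process list
2023-07-28T08:02:40Z shell[2170001]: [root]: esxcli vm process kill --type=soft --world-id=2100088
2023-07-28T10:15:01Z shell[2176418]: [root]: esxcli vm process list
2023-07-28T10:15:03Z shell[2176418]: [root]: esxcli vm process kill --type=force --world-id=2101234
2023-07-28T10:15:03Z shell[2176418]: [root]: esxcli vm process kill --type=force --world-id=2101301
2023-07-28T10:15:04Z shell[2176418]: [root]: esxcli vm process kill --type=force --world-id=2101377
2023-07-28T10:15:04Z shell[2176418]: [root]: esxcli vm process kill --type=force --world-id=2101452
2023-07-28T10:15:05Z shell[2176418]: [root]: esxcli storage filesystem list
"""

SAMPLE_DATASTORE = [
    "/vmfs/volumes/datastore1/app01/app01.vmdk",
    "/vmfs/volumes/datastore1/app01/app01.vmdk.README_TO_RESTORE",
    "/vmfs/volumes/datastore1/app01/app01.vmsd.README_TO_RESTORE",
    "/vmfs/volumes/datastore1/db01/db01-Snapshot1.vmsn",
]


def parse(log):
    """Yield (timestamp, session pid, user, command) for well-formed lines."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m.group(2)), m.group(3), m.group(4)


def mass_kill_alerts(log, threshold=3, window=timedelta(seconds=60)):
    """Sessions that kill at least `threshold` VMs within `window`.

    Returns [(pid, user, kills_in_window, listed_first)]; listed_first is
    True when the same session ran `esxcli vm process list` before its first
    kill, i.e. the enumerate-then-terminate sequence of the encryptor.
    A single kill (an admin stopping a hung VM) stays below the threshold.
    """
    kills, listed, listed_first = defaultdict(list), set(), {}
    for ts, pid, user, cmd in parse(log):
        if LIST.search(cmd):
            listed.add(pid)
        elif KILL.search(cmd):
            listed_first.setdefault(pid, pid in listed)
            kills[pid].append((ts, user))
    alerts = []
    for pid, events in kills.items():
        times = [t for t, _ in events]
        # largest number of kills that fit in one sliding window
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            alerts.append((pid, events[0][1], best, listed_first[pid]))
    return alerts


def ransom_note_paths(paths, marker="README_TO_RESTORE"):
    """Paths whose file name carries the ransom-note marker."""
    return [p for p in paths if marker in p.rsplit("/", 1)[-1]]


if __name__ == "__main__":
    for pid, user, n, listed in mass_kill_alerts(SAMPLE_SHELL_LOG):
        print(f"ALERT session {pid} ({user}): {n} VM kills, enumerated first={listed}")
    print("ransom notes:", ransom_note_paths(SAMPLE_DATASTORE))
```

Ship shell.log to a central collector (ESXi supports remote syslog) so the alert fires even if the host is later encrypted; the threshold and window should be tuned to what normal administration on your hosts looks like.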

3. P2PInfect worm exploits Redis servers with undocumented breach methods

P2PInfect, a worm discovered by security researchers, exploits CVE-2022-0543, a Lua sandbox escape in the Redis packages shipped by Debian and derived distributions that allows remote code execution and carries the maximum CVSS score of 10.0. Once it compromises a vulnerable Redis instance, P2PInfect downloads OS-specific scripts and malicious binaries and adds the infected server to its list of peers. The compromised servers form a peer-to-peer network from which other infected Redis servers fetch the malicious payloads.

The primary payload of P2PInfect is an ELF binary combining C and Rust components. When executed, it rewrites the host's OpenSSH server configuration to a near-default state, which re-enables password authentication, then restarts the SSH service and adds an attacker-controlled SSH key to the current user's authorized_keys file for persistent access. Once on a host, it parses the bash history to extract IP addresses, usernames and SSH keys, which it then excludes from its own search. To safeguard your organization, keep SSH and Redis instances up to date, never expose Redis to the internet without authentication and with protected mode disabled, keep password authentication disabled in sshd, and monitor sshd_config and authorized_keys files for unexpected changes.
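Both SSH changes described above (password authentication re-enabled, a foreign key added) can be caught by comparing a host against a known-good state. The block below is an added example (not SISA's tooling and not P2PInfect's code): it diffs an sshd_config against a hardened baseline and reports authorized_keys entries whose SHA256 fingerprint is not on an allowlist. The sample sshd_config and key blobs are constructed (the blobs are ed25519-shaped filler, not real keys), and the baseline values are an assumption to adjust to local policy.

```python
"""Added example (not SISA's tooling, not P2PInfect's code): detect the SSH
changes described above. config_drift() diffs a host's sshd_config against a
hardened baseline, and unknown_keys() reports authorized_keys entries whose
SHA256 fingerprint is not on an allowlist. The sample sshd_config and the
key blobs are constructed (the blobs are ed25519-shaped filler, not real
keys); the baseline values are an assumption to adjust to local policy.
"""
import base64
import hashlib
import re

BASELINE = {                       # directive -> required value (assumed policy)
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}


def _blob(seed):
    """Constructed ed25519-shaped key blob (type string + 32 filler bytes)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return base64.b64encode(raw).decode()


ADMIN_KEY = _blob(1)
ROGUE_KEY = _blob(2)

SAMPLE_SSHD_CONFIG = """\
# constructed: an sshd_config after the worm "reset" it to near defaults
Port 22
PasswordAuthentication yes
#PermitRootLogin prohibit-password
Match User deploy
    PasswordAuthentication no
"""

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample
from="10.0.0.0/8" ssh-ed25519 {ADMIN_KEY} admin@jumphost
ssh-ed25519 {ROGUE_KEY}
"""


def sshd_settings(text):
    """Effective top-level directives of an sshd_config.

    sshd uses the *first* value it reads for a keyword, so later duplicates
    are ignored; directives after a Match line are conditional and skipped.
    """
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif not in_match:
            settings.setdefault(key, value)
    return settings


def config_drift(text, baseline=BASELINE):
    """{directive: (expected, actual)} for baseline directives that differ.

    An unset directive is reported as '<unset>': PasswordAuthentication
    defaults to yes, so a missing line is exactly the state the worm wants.
    """
    actual = sshd_settings(text)
    return {k: (v, actual.get(k, "<unset>")) for k, v in baseline.items()
            if actual.get(k, "").lower() != v}


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint (base64 without padding) of a key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unknown_keys(authorized_keys, allowlist):
    """[(fingerprint, comment)] for entries not in allowlist.

    Options such as from="..." may precede the key type; quoted options
    containing spaces are not handled.
    """
    found = []
    for raw in authorized_keys.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            found.append(("<unparseable>", line[:60]))
            continue
        fp = fingerprint(fields[idx + 1])
        if fp not in allowlist:
            found.append((fp, " ".join(fields[idx + 2:])))
    return found


if __name__ == "__main__":
    print("sshd drift:", config_drift(SAMPLE_SSHD_CONFIG))
    print("unknown keys:", unknown_keys(SAMPLE_AUTHORIZED_KEYS, {fingerprint(ADMIN_KEY)}))
```

The fingerprints this produces match `ssh-keygen -lf` output, so the allowlist can be built from the keys your provisioning system already knows; run the comparison from a configuration-management or EDR job rather than from the host itself, since the worm controls the host.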

4. AWS SSM Agent gets abused as a remote access trojan (RAT)

Security researchers have uncovered a novel post-exploitation technique in Amazon Web Services (AWS) that lets the AWS Systems Manager Agent (SSM Agent) be used as a remote access trojan on Windows and Linux hosts. An attacker who already has high-privilege access to an endpoint with the SSM Agent installed can repurpose the agent for persistent malicious activity. Using the SSM Agent this way has several advantages for the attacker: endpoint security products trust the binary, and no additional malware that might be detected needs to be deployed.

Worse, the attacker can control the hijacked agent from their own AWS account, which then acts as the command-and-control (C2) server, by re-registering the agent as a hybrid-activated managed instance belonging to that account. A second approach uses a Linux namespace to start another SSM Agent process that communicates with the attacker's AWS account while the original agent keeps communicating with the legitimate account. Remove the SSM binaries from any allow lists in AV or EDR solutions so that their behaviour is fully examined, and alert on hosts where more than one agent process is running or where the agent is registered to an AWS account other than your own.
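Two host-side checks for the Linux variants of this technique, as an added example (not SISA's tooling and not the researchers' proof of concept): more than one amazon-ssm-agent process, or an agent running in a different network namespace from PID 1, covers the namespace trick; a registration naming a managed-instance ("mi-...") ID, which is what AWS's hybrid activation produces, covers the re-registration into an attacker's account on an EC2 host that should only use its own "i-..." identity. The process rows mirror `ps -eo pid,ppid,comm`, the namespace ids mirror `readlink /proc/<pid>/ns/net`, and the registration JSON is assumed to carry the fields of /var/lib/amazon/ssm/registration; all sample data is constructed.

```python
"""Added example (not SISA's tooling and not the researchers' proof of
concept): two host-side checks for an SSM Agent repurposed as a RAT on Linux.

rogue_agent_processes() flags more than one amazon-ssm-agent process, or an
agent whose network namespace differs from PID 1 (the namespace trick above).
registration_findings() flags an agent registered as a hybrid-activated
managed instance ("mi-..." ID), the mechanism by which an attacker's own AWS
account becomes the agent's control plane, on an EC2 host that should only
use its own "i-..." identity.

Assumptions: process rows mirror `ps -eo pid,ppid,comm`; namespace ids mirror
`readlink /proc/<pid>/ns/net`; the registration JSON mirrors the fields of
/var/lib/amazon/ssm/registration. All sample data below is constructed.
"""
import json
import os

SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
  812     1 amazon-ssm-agent
  843   812 ssm-agent-worker
 4711  4690 unshare
 4712  4711 amazon-ssm-agent
 4730  4712 ssm-agent-worker
"""
SAMPLE_NS = {1: "net:[4026531992]", 812: "net:[4026531992]", 4712: "net:[4026532511]"}
SAMPLE_REGISTRATION = '{"ManagedInstanceID":"mi-0123456789abcdef0","Region":"us-east-1"}'


def parse_ps(text):
    """(pid, ppid, comm) rows from `ps -eo pid,ppid,comm` output."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header
        pid, ppid, comm = line.split(None, 2)
        rows.append((int(pid), int(ppid), comm))
    return rows


def rogue_agent_processes(ps_rows, ns_by_pid, agent="amazon-ssm-agent"):
    """Findings as strings; an empty list means nothing suspicious."""
    agents = [(pid, ppid) for pid, ppid, comm in ps_rows if comm == agent]
    findings = []
    if len(agents) > 1:
        findings.append(f"{len(agents)} {agent} processes: {[p for p, _ in agents]}")
    root_ns = ns_by_pid.get(1)
    for pid, ppid in agents:
        ns = ns_by_pid.get(pid)
        if ns is not None and ns != root_ns:
            findings.append(f"pid {pid} (parent {ppid}) runs in {ns}, PID 1 is in {root_ns}")
    return findings


def registration_findings(registration_json, expect_ec2=True):
    """Flag a hybrid activation on a host that should use its EC2 identity."""
    if not registration_json:
        return []                               # no registration file: EC2 identity
    reg = json.loads(registration_json)
    mid = reg.get("ManagedInstanceID", "")
    if expect_ec2 and mid.startswith("mi-"):
        return [f"hybrid activation registered as {mid} in {reg.get('Region')}"]
    return []


def live_namespaces(ps_rows):
    """Read /proc/<pid>/ns/net for each row (Linux only; other users' pids need root)."""
    out = {}
    for pid, _, _ in ps_rows:
        try:
            out[pid] = os.readlink(f"/proc/{pid}/ns/net")
        except OSError:
            pass
    return out


if __name__ == "__main__":
    rows = parse_ps(SAMPLE_PS)
    for f in rogue_agent_processes(rows, SAMPLE_NS) + registration_findings(SAMPLE_REGISTRATION):
        print("FINDING:", f)
```

On a real host, feed `parse_ps` the output of `ps -eo pid,ppid,comm` and `live_namespaces` for the namespace map; on the AWS side, the same abuse shows up as an SSM activation or managed instance you did not create, so the host check should be paired with CloudTrail monitoring of CreateActivation and RegisterManagedInstance events.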

5. njRAT malware exploiting trojanized TeamViewer installers

njRAT (also known as Bladabindi) is a long-running commodity remote access trojan whose operators use many distribution channels, which makes campaigns hard to detect and block: phishing, cracked software on file-sharing sites, drive-by downloads and trojanized applications. In the sample analysed here it masquerades as a 32-bit Smart Installer for TeamViewer and drops both the njRAT payload and a genuine TeamViewer application into the Windows folder, so the victim sees the software they expected.

To remain inconspicuous, njRAT creates a named mutex so that only one copy of itself runs at a time, which avoids reinfecting an already compromised host. It also sets the SEE_MASK_NOZONECHECKS environment variable to 1 in the registry (under HKCU\Environment), which suppresses the Windows "Open File - Security Warning" for files marked as downloaded from the internet, so its dropped executables run without a user prompt. It captures keystrokes and sends them to a preconfigured command-and-control (C&C) server, giving the attackers remote access to the compromised system. njRAT's ability to mimic legitimate applications and sidestep security prompts makes it a significant threat to users and organizations, and countering it requires layered controls and vigilant user awareness.
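The two registry artifacts above are easy to hunt for in a registry export. The block below is an added example (not SISA's tooling): it parses the text format produced by `reg export` and reports SEE_MASK_NOZONECHECKS=1 under HKCU\Environment together with Run-key persistence whose binary sits in the Windows folder outside System32, or in a temp or other user-writable location. The sample export is constructed; on a live host, export HKCU\Environment and the HKCU Run key with `reg export` and pass the files to load_reg(), which handles the UTF-16 encoding those exports use.

```python
"""Added example (not SISA's tooling): scan a Windows registry export for the
njRAT artifacts described above. parse_reg() reads the text format produced
by `reg export` (REG_SZ, REG_EXPAND_SZ as hex(2): and REG_DWORD values);
njrat_style_findings() then reports SEE_MASK_NOZONECHECKS=1 under
HKCU\\Environment, which silences the "Open File - Security Warning" for
downloaded executables, and Run-key persistence whose binary lives in the
Windows folder outside System32 or in a temp/user-writable location.

The sample export is constructed. On a live host:
    reg export HKCU\\Environment env.reg
    reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg
and pass each file to load_reg(); exports are UTF-16 with a BOM.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"TEMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,\
  45,00,25,00,5c,00,54,00,65,00,6d,00,70,00,00,00
"SEE_MASK_NOZONECHECKS"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"TeamViewer"="C:\\Windows\\Temp\\svchost.exe"
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")


def load_reg(path):
    """Read a .reg file; `reg export` writes UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", "replace")


def _decode(data):
    """Turn the right-hand side of a .reg value line into a string."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])      # \\ -> \ and \" -> "
    if data.startswith("hex(2):"):                      # REG_EXPAND_SZ, UTF-16LE
        raw = bytes.fromhex(data[len("hex(2):"):].replace(",", ""))
        return raw.decode("utf-16-le").rstrip("\x00")
    if data.startswith("dword:"):
        return str(int(data[len("dword:"):], 16))
    return data                                         # other types: raw text


def parse_reg(text):
    """{key_path: {value_name: data}} from a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)              # join continuation lines
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = _decode(data.strip())
    return keys


def _binary_path(command):
    """Executable path from a Run-key command line."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def njrat_style_findings(reg):
    """Findings as strings; an empty list means none of the artifacts were seen."""
    findings = []
    env = reg.get(r"HKEY_CURRENT_USER\Environment", {})
    if env.get("SEE_MASK_NOZONECHECKS") == "1":
        findings.append("SEE_MASK_NOZONECHECKS=1: security warnings for downloaded files suppressed")
    for key, values in reg.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, command in values.items():
            path = _binary_path(command)
            low = path.lower()
            if low.startswith("c:\\windows\\") and not low.startswith(SYSTEM_DIRS):
                findings.append(f"Run\\{name}: binary in the Windows folder outside System32: {path}")
            elif any(d in low for d in SUSPICIOUS_DIRS):
                findings.append(f"Run\\{name}: binary in a user-writable location: {path}")
    return findings


if __name__ == "__main__":
    for finding in njrat_style_findings(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

The Run-key rules are triage hints rather than verdicts: legitimate software such as OneDrive also starts from a user profile, which is why the check flags only temp, Public, Downloads and ProgramData paths and binaries dropped into the Windows folder itself, the location this sample uses.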

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

