Security News – Week 28

[vc_row pix_particles_check=”” nav_skin=”light” consent_include=”include”][vc_column width=”1/4″][vc_empty_space][vc_single_image image=”12452″ img_size=”medium” alignment=”center”][/vc_column][vc_column width=”3/4″][vc_column_text]

RedAlert: The New Ransomware Targeting VMware ESXi Servers

A new Ransomware called RedAlert (N13V) has been detected targeting VMware ESXi servers installed on both Windows and Linux systems in attacks on corporate networks.

The Linux encryptor is designed to focus on VMware ESXi servers and has command line parameters that allow threat actors to shut down running virtual machines before encrypting the file. The malware, which has been observed to use the NTRUEncrypt algorithm for encryption operations, only targets files associated with VMware ESXi servers, such as log files (.log), swap files (.vswp), virtual disks (.vmdk), and memory files (.vmem).

In the sample analyzed by security researchers, it was observed that the Ransomware software added the “.crypt658” extension to the filenames of encrypted files. A ransom note named HOW_TO_RESTORE, which is observed to be added to each folder by the ransomware, contains a description of the data compromised and a Tor link that directs victims to the ransom payment site. The payment page on the Tor network is similar to other Ransomware operation pages where a ransom demand is shown, and options are offered to negotiate with threat actors. RedAlert/N13V threat actors only accept Monero cryptocurrency for ransom payment.

[/vc_column_text][vc_empty_space height=”15px”][vc_single_image image=”12208″ img_size=”full” alignment=”center”][vc_column_text]

A leak site called “Board of Shame” has been created by RedAlert threat actors to leak data of compromised institutions/organizations and to announce breaches. The last post shared by the threat actors on the leak site stated that a corporate firm providing cloud computing services was targeted. In the alleged breach, it was announced that more than 300 GB of data, including social security numbers, driver’s licenses, financial documents, payrolls, and bank statements of the company personnel, was seized.

[/vc_column_text][vc_empty_space height=”15px”][vc_single_image image=”12209″ img_size=”full” alignment=”center”][vc_column_text]

In order not to be the target of similar ransomware attacks that may be carried out in this context, it is recommended to take the following actions;

[/vc_column_text][/vc_column][/vc_row][vc_row pix_particles_check=”” nav_skin=”light” consent_include=”include”][vc_column width=”1/4″][vc_empty_space height=”15px”][vc_single_image image=”12341″ img_size=”full” alignment=”center”][/vc_column][vc_column width=”3/4″][vc_column_text]

Marriott International Suffered from Security Breach Leading to 20GB of Data Hijacking

Hotel chain Marriott International has confirmed that it has suffered a new data breach that resulted in the hijacking of 20GB of internal data by threat actors. In this breach, threat actors compromised the BWI Airport Marriott Maryland (BWIA) network.

About a month ago, threat actors gaining unauthorized access to the BWI Airport Marriott network seized 20GB of data allegedly containing credit card, reservation, flight information, and internal confidential business documents belonging to Marriott customers. After the breach, threat actors informed many company employees about the breach. As a result, it is known that Marriott International officials refused the ransom payment demanded by the threat actors and launched a joint investigation with law enforcement officials for the unauthorized access, which was brought under control within about six hours. Images of some documents that are stated to have been seized by the threat actors in the breach are given below:

[/vc_column_text][vc_empty_space height=”15px”][vc_single_image image=”12246″ img_size=”full” alignment=”center”][vc_single_image image=”12247″ img_size=”full” alignment=”center”][vc_column_text]

Although Marriott International, known to have been exposed to similar data breaches before, defines the seized data as non-sensitive internal business files, it has announced that approximately 400 people thought to be affected by the breach will be informed of the breach.

Therefore, in order not to be the target of similar security breaches that may be carried out in this context, it is recommended to consider the following practices and precautions:

  • The system/program or software being used should always be kept up to date,
  • Updates and fixes that eliminate vulnerabilities should be applied immediately,
  • Institution/organization personnel should be made aware of possible social engineering/phishing attacks,
  • Critical system/data should be backed up regularly,
  • Comprehensive security solutions should be used,
  • Passwords used in accounts should be created using strong policies,
  • MFA/2FA authentication features should be enabled on all possible platforms,
  • Attack surface analysis tests should be performed regularly in the institution/organization network.

In order not to be the target of similar ransomware attacks that may be carried out in this context, it is recommended to take the following actions;

[/vc_column_text][/vc_column][/vc_row][vc_row pix_particles_check=”” nav_skin=”light” consent_include=”include”][vc_column width=”1/4″][vc_empty_space height=”15px”][vc_single_image image=”10911″ img_size=”full” alignment=”center”][/vc_column][vc_column width=”3/4″][vc_column_text]

GitLab Releases Security Updates Fixing Critical Vulnerabilities

GitLab has released fixes and updates that fix critical vulnerabilities as part of the June security updates.

Some of the security vulnerabilities that have been fixed with the released updates and rated as critical, high, and medium are as follows;

  • Vulnerability tracked as CVE-2022-2185 (critical) exists due to incorrect input validation in Project Imports. As a result, a remote privileged user can import a maliciously crafted project, causing remote code execution on the vulnerable system.
  • The XSS vulnerability tracked as CVE-2022-2235 (high) is due to insufficient sanitization of user-supplied data in ZenTao integration. As a result, a remote threat actor can direct targets to open a specially crafted link and run arbitrary HTML and script code in the user’s browser in the context of the vulnerable website.
  • The security vulnerability tracked as CVE-2022-2229 (high) is caused by incorrect authorization. A remote threat actor can extract the value of an unprotected variable whose name it knows in public or private projects of which it is a member.

These vulnerabilities affected all GitLab CE/EE versions between 13.7.0 and 15.1.0 (inclusive) and were fixed in the released versions 15.1.1, 15.0.4, and 14.10.5. Users using vulnerable GitLab versions are advised to apply the released updates immediately.

[/vc_column_text][vc_empty_space][/vc_column][/vc_row]