New ransomware technique - why encrypt when you can wipe?

New critical VMware vulnerability

If you use VMware vCenter Server, patch it NOW. VMware released patches this week to remediate two vulnerabilities (CVE-2021-21985 and CVE-2021-21986) that affect VMware vCenter Server and VMware Cloud Foundation. CVE-2021-21985 specifically has a CVSS score of 9.8 and is considered a critical vulnerability. This is the second vCenter vulnerability this year with a score of 9.8. When CVE-2021-21972 was first made public knowledge, six proof-of-concept exploits were released from different sources within a week.

According to VMware’s advisory regarding CVE-2021-21985, “The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.” In other words, if you have a vCenter Server accessible via the Internet on port 443 (and according to Shodan there are nearly 6,000 around the globe) then a malicious actor could gain complete control over your vCenter Server, and as a result, also gain complete control over all of the virtual machines hosted on it. This is a critical issue, and it should be patched now.

The second vulnerability listed in the same advisory, CVE-2021-21986, is a less severe vulnerability with a CVSS score of 6.5 related to the authentication mechanism in vCenter Server plug-ins. You should still patch for it.

New ransomware technique – why encrypt when you can wipe?

A new threat actor identified by SentinelOne this week as “Agrius” has been linked to multiple attacks against Israeli organizations. The group seems to favor targeting public-facing web applications, primarily by exploiting CVE-2018-13379, a vulnerability from 2018 that has long been patched but continues to be ignored by organizations around the world. According to SentinelOne, while the Agrius group is focusing on Israeli targets, they seem to be focused on opportunistic attacks rather than targeting specific organizations.

One of the main goals of Agrius appears to be stealing data, and their activities have been linked to suspected espionage activity. Once they’ve gained initial access, Agrius uploads a web shell and uses it for lateral movement. They seem to favor variants of the ASPXSpy web shell. Next, they deploy “IPsec Helper,” a .NET backdoor, and use it to steal data and deploy additional malware.

After getting all the data, Agrius moves on to their disruption phase. They load malware that appears to encrypt all the files on the system and leave a ransom note. They have been observed using two malware families, Deadwood and Apostle. However, though these appear to be normal ransomware infections at first glance, both are actually wipers. They destroy the data rather than encrypting it, so there is no restoring the data except through backups. Destroying data so it is unrecoverable is usually a bad move for financially motivated groups, because victims won’t pay if there’s no chance of recovering their data. Agrius, however, seems to be more politically than financially motivated and is believed to be part of an Iranian state-sponsored strategy to destroy data of rival nations under the guise of ransomware.

A detailed write-up of Agrius and their activities is available from SentinelOne at: https://assets.sentinelone.com/sentinellabs/evol-agrius.

macOS Zero-Day

How many times have you heard a Mac fan tell you they don’t need antivirus because they use a Mac? Well, those times are behind us. 2021 has been a busy year for Mac malware. Earlier in the year, there was a report of over 40,000 Macs infected with Silver Sparrow. This week, in court, under oath, Apple’s head of software, Craig Federighi, admitted, “Today, we have a level of malware on the Mac that we don’t find acceptable.”

On Tuesday, Apple released a macOS update to patch CVE-2021-30713. This is a local vulnerability that allows the attacker to bypass the Transparency, Consent, and Control (TCC) framework.

Have you ever been on a Zoom meeting on a Mac, and you try to share your screen, but you can’t because you first have to go to “Security & Privacy” settings and give “Screen Recording” access to the Zoom app? This is thanks to the TCC framework. It allows a user to have granular control over what apps can do, such as take screenshots, access the full disk, and so on.

CVE-2021-30713 allows an attacker to bypass this, and it has already been observed in use by malware known as XCSSET, making this another Mac 0-day.

XCSSET has been around since last summer when it was first observed by TrendMicro using two different Mac 0-days. The latest iteration of this malware has been using CVE-2021-30713 to bypass TCC for the purpose of snagging screenshots.

A full breakdown of this 0-day can be found at https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/.
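
An added example, not from the original post or from Apple or Jamf: a Python audit that lists which apps currently hold the Screen Recording and Full Disk Access grants that TCC manages, so an unexpected entry stands out. It assumes the `access` table layout of the system TCC database (`/Library/Application Support/com.apple.TCC/TCC.db`, readable only with Full Disk Access) and runs here against a constructed in-memory copy; every sample row is constructed.

```python
import sqlite3

# TCC service identifiers for the two permissions named in the text.
SENSITIVE = {
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
}

def list_grants(conn):
    """Return (permission, client, client_kind) for each allowed sensitive grant."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    # Big Sur and later record the decision in auth_value (2 = allowed);
    # older releases use a boolean 'allowed' column instead.
    if "auth_value" in cols:
        cond = "auth_value = 2"
    elif "allowed" in cols:
        cond = "allowed = 1"
    else:
        raise ValueError("unrecognised TCC access schema")
    marks = ",".join("?" * len(SENSITIVE))
    sql = ("SELECT service, client, client_type FROM access "
           f"WHERE {cond} AND service IN ({marks}) ORDER BY service, client")
    grants = []
    for service, client, client_type in conn.execute(sql, list(SENSITIVE)):
        # client_type 0 = bundle identifier, 1 = absolute path to a binary
        kind = "bundle-id" if client_type == 0 else "path"
        grants.append((SENSITIVE[service], client, kind))
    return grants

def build_sample():
    """Constructed stand-in for TCC.db, reduced to the columns the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2),        # allowed
        ("kTCCServiceScreenCapture", "com.example.notes", 0, 0),  # denied
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/backup-agent", 1, 2),
        ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2),           # not audited
    ])
    return conn

if __name__ == "__main__":
    for permission, client, kind in list_grants(build_sample()):
        print(f"{permission:18} {kind:10} {client}")
```

To audit a real machine, pass `sqlite3.connect()` a read-only copy of the database in place of `build_sample()`.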

  • Bryson Medlock, the Dungeon Master

References

https://www.vmware.com/security/advisories/VMSA-2021-0010.html

https://www.helpnetsecurity.com/2021/05/26/cve-2021-21985/

https://www.theregister.com/2021/05/26/vmware_vcenter_bug/

https://arstechnica.com/gadgets/2021/05/vulnerability-in-vmware-product-has-severity-rating-of-9-8-out-of-10/

https://www.darkreading.com/threat-intelligence/new-iranian-threat-actor-using-ransomware-wipers-in-destructive-attacks/d/d-id/1341135

https://www.schneier.com/blog/archives/2021/05/new-disk-wiping-malware-targets-israel.html

https://labs.sentinelone.com/from-wiper-to-ransomware-the-evolution-of-agrius/

https://abcnews.go.com/Technology/40000-macs-infected-mysterious-malware-researchers/story?id=76062420

https://www.wired.com/story/apple-macos-malware-ireland-ransomware-security-news/

https://www.darkreading.com/threat-intelligence/macos-zero-day-let-attackers-bypass-privacy-preferences/d/d-id/1341131

https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html

https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/