VMWare exploit being used in the wild

A couple of weeks ago, we informed you about new critical VMware vulnerabilities) and warned you to patch your systems ASAP. A proof-of-concept (PoC) RCE exploit targeting CVE-2021-21985 has recently been published and we have observed threat actors actively scanning for vulnerable VMware vCenter servers.

This is a critical vulnerability that will allow an unauthenticated user to take complete control of your network if you depend on VMWare. Ransomware gangs have used previous VMware RCE exploits and it’s safe to assume it’s only a matter of time before they take advantage of this new vulnerability as well.

If you can’t patch for whatever reason, VMware has posted workarounds for CVE-2021-21985, CVE-2021-21972, and CVE-2021-21986, which are all vulnerabilities related to VMware plugins. The workarounds involved editing “compatibility-matrix.xml” and adding the following lines to disable the relevant plugin:

VMware vRops Client Plugin

<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>

VMware vSAN H5 Client Plugin

<PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>

Site Recovery

<PluginPackage id="com.vmware.vrUi" status="incompatible"/>

VMware vSphere Life-cycle Manager

<PluginPackage id="com.vmware.vum.client" status="incompatible"/>

VMware Cloud Director Availability

<PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>

Additional workarounds are listed at https://kb.vmware.com/s/article/83829.

Patch Tuesday

This past Tuesday was Patch Tuesday for June 2021, and Microsoft released patches for 50 flaws. Six of these were patches for zero-day exploits already observed being used in the wild. The six actively exploited zero-day vulnerabilities are:

  • CVE-2021-31955 - Windows Kernel Information Disclosure Vulnerability
  • CVE-2021-31956 - Windows NTFS Elevation of Privilege Vulnerability
  • CVE-2021-33739 - Microsoft DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2021-33742 - Windows MSHTML Platform Remote Code Execution Vulnerability
  • CVE-2021-31199 - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
  • CVE-2021-31201 - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability

Additionally, there was a Critical RCE vulnerability for Microsoft SharePoint, CVE-2021-31963, a Critical RCE vulnerability for Windows Defender, CVE-2021-31985, another Critical RCE vulnerability for Windows MSHTML Platform, CVE-2021-33742, Check out the full list of the 50 vulnerabilities patched this week at https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2021-patch-tuesday-fixes-6-exploited-zero-days-50-flaws/.

Colonial bitcoin recovered

We talked a few weeks ago about how the Colonial Pipeline ransomware attack has changed the ransomware threat ecosystem. This week we learned that the Department of Justice was able to recover 63.7 BTC of the 75 BTC paid by Colonial. This appears to be the full ransom after the Dark Side Ransomware-as-a-Service gang paid the affiliate who actually perpetrated the hack. According to officials, Colonial contacted the FBI shortly after they were compromised, and the FBI was able to trace payment through multiple transactions. The thing about Bitcoin is that every transaction is logged and publicly available in the blockchain. Services exist that attempt to scramble bitcoin to make it more difficult to track, but the good guys have tools on their side as well. It is actually very difficult to hide transactions involving millions of dollars in bitcoin.

Details regarding how the BTC was recovered remain, but the general consensus is that the transactions were tracked and the system hosting the wallet where the crypto landed was hosted in the US, allowing the Feds to seize the hardware it was hosted on.

Bryson Medlock, the Dungeon Master