Watch your typos

We’re back at it this week with updates on new VMware vulnerabilities, details on bad actors taking advantage of typos, and a quick look at LockBit.

Check it out.

Two RCE vulnerabilities patched by VMware

VMware released a bulletin on Tuesday, February 23, 2021, with one critical (CVSSv3 score of 9.8) and one important (CVSSv3 score of 8.8) vulnerability that both can lead to remote command execution (RCE) on your ESXi servers.

The first is a vulnerability in the HTML5 vSphere Client and assigned CVE-2021-21972. Check out our CVE Spotlight related to this vulnerability for more details and remediation recommendations.

There is at least one proof-of-concept (PoC) publicly available for CVE-2021-21972 which PerchLabs has used to create a signature that has been deployed across the Perch client base. At this time, we’ve seen one malicious IP in Germany add this CVE to their usual web vulnerability scanning.

The second vulnerability (CVE-2021-21974) is a heap-overflow vulnerability in OpenSLP used in ESXi. OpenSLP is an open-source implementation of the Service Location Protocol that provides a framework for the discovery of the existence, location, and configuration of networked services. According to a recent security configuration guide posted by VMware, they recommend disabling OpenSLP on ESXi as VMware products do not currently use this protocol.

So far, there aren’t any PoCs available for CVE-2021-21974 and we haven’t observed any related traffic.

We recommend reviewing the VMware bulletin for remediation guidelines and information on obtaining the latest patches. We also recommend restricting access to your VMware servers to only those users who need access using network segmentation and appropriate firewall ACLs to reduce your exposure.

Bad actors typosquatting banks

A new Sliver command and control (C2) server has been observed typosquatting several banks. Typosquatting, also known as URL hijacking, is a cybersquatting technique that relies on typos made by users for the target’s domain name. For example, a bad actor may target “” by registering “,” so a user who mistypes the domain will be directed to a server they control hosting malware. It’s also a common technique used in phishing campaigns as users are less likely to notice a minor typo in a domain and are more likely to click on malicious links.

Sliver is a general-purpose cross-platform adversary simulation platform similar to Cobalt Strike. It’s written in Golang and includes extensive support for encrypted C2 over DNS, HTTP, HTTPS, and Mutual TLS using per-binary X.509 certificates signed by a per-instance certificate authority. It supports dynamic code generation and target-specific compiled binaries as well as many other advanced evasion techniques.

PerchLabs has added information regarding this new Sliver server, as well as a Cobalt Strike server that seems to be operated by the same threat actor, to our watchlist and will continue to monitor for any new activity by this group.

As usual, we recommend vigilance before clicking any links and be extra careful with those typos.

LockBit still going strong

The ConnectWise Incident Response team has reported a significant number of incidents related to the LockBit ransomware in the first part of 2021. Many of these incidents are related to a 2018 FortiOS vulnerability previously discussed in our recent Perch Bulletin.

LockBit is one of several ransomware-as-a-service operations. LockBit stands out from others in its level of automation. It uses SMB, ARP tables, and PowerShell to self-spread across networks with infected hosts. As a result, you’ll see the ransomware completing its goals within hours of initial infection instead of the days or weeks other malware requires. Ryuk, for example, typically requires hands-on-keyboard activity with human actors manually performing reconnaissance and making decisions regarding tactics for a given target.

Like many ransomware operators, the LockBit group also steals data from their targets and operates a leak site where the data will be leaked if the ransom hasn’t been paid. For a time last year, they shared a leak site with the Maze Cartel, but launched their own data leaks site in September of 2020.

LockBit is one of many data leak sites the PerchLabs team is monitoring. We’re also working with the ConnectWise Incident Response team to collect intel from recent alerts and have added related C2 servers to our threat hunting watch lists.

That’s all for this week.

  • Bryson Medlock, the Dungeon Master