1 APR, 2022

The Cybersecurity Express – April 1st 2022

A crazy place to be in right now, the 2022 cyberspace, with so much cyber activity happening, it’s hard not to be anxious and excited at the same time. Although at times alarming, CyBourn’s Cybersecurity Express is here to help you visit these emerging threats from the comfort of you seat. But remember, if you are alive in these modern times then you are exposed (unless you are some sort of a virtual Bear Grills and chose to live a life off-grid), and you are swimming in open waters where the sharks are always lurking… So, get your scuba gear ready, because we are about to dive into the cybersecurity abyss: Russia’s War has an intensifying cyber-front and imminently will target the USA and its allied countries, the US intelligence community openly warns. Please make sure to secure your air tanks while we take a look on at the cyber-criminal group LAPSUS$ and their latest hacks. Keep your fins inside while the train is moving past critical information disclosure vulnerability found in VMware vCenter.

“Russian Cyber-attacks will Continue”

                It is a sad truth that Russian attacks against Ukraine are continuing, both physical and cybernetic, but the latter seems to be a gray area. Confined by the fact that the world is uniting to help Ukraine, and because of the sanctions, Russia is exploring options for cyber-attacks to weaken allied forces, so warns US intelligence. So far, due to their intangible and (partially) anonymous nature, cyber-attacks are yet to be considered “an act of war”, and can be used without many repercussions, but that really depends on the interpretation of the victim state. Russian state intelligence agencies and/ or related criminal gangs could be used to target US Government Departments and Agencies, hospitals, critical infrastructure, and utilities. President Biden and CISA first warned the private sector, which owns much of America’s critical infrastructure and hasn’t always heeded government warnings, to immediately harden its online defenses, warnings that we covered in a previous Cybersecurity Express. “The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming,” the President warned. “He hasn’t used it yet, but it’s part of his playbook,” Biden said of Putin. Cyber-attacks may be Putin’s only way to “punish” the west for the crippling sanctions and for the anti-tank and anti-aircraft weapons sent to Ukraine, all this are backed by the fact that Russia has a history in cyber-warfare.

                Although the president stated that the US will retaliate severely to any such attacks on US Government infrastructure and on US medical, utility and supply infrastructure – what can the private sector do to stay safe? The same good measures as always apply here and are the best and cheapest way to deter any Russian or other state coordinated attacks and that goes with any cyber-attacks in general: 

  • Get cybersecurity coverage from a security firm, like CyBourn. Any professional cybersecurity company would help drastically improve your security stance and will provide both proactive and reactive defenses. As well as help you mitigate or avoid unnecessary risk all together.
  • Always only use only the services that you need and keep them updated to the latest versions. A good rule of thumb is: “You don’t use it; you don’t need it!”. Keep all unused ports closed.
  • Use professional and reputable tools and programs. Do not use obscure programs that are not widely accepted just because they “do the job”.
  • Keep your staff well informed of the dangers related to working with the internet and the threats it poses. Have them attend anti-phishing trainings, as it is the number one way the actors get in. Use the principle of least privilege in user rights and permissions.
  • We cannot stress this one enough: Use strong password and two factor authentication!

Sensitive Information Disclosure in VMware vCenter

                Although not yet given a CVSS (at the time of writing), CVE-2022-22948 is a critical vulnerability due to the global scale usage, where it’s estimated that 80% of virtualized environments are running VMware technology. This vulnerability is part of a critical kill chain that leads to an ESXi takeover, complete with virtual machines, from just endpoint access to a host with a vCenter client. Researchers published these finding alongside the PoC (proof of concept), and it’s a lengthy process, involving multiple steps and multiple vulnerabilities. To summarize it, first they gain shell access to an instance of VMware vCenter by exploiting CVE-2021-21972, using the basic user rights to gain access to postgresDB, where they can query extensive information about ESXi and vCenter, and also the contents of the ‘vpx_host’ table which contains the details for a user called ‘vpxuser’ and its password phrase. The “vpxuser” user is created on the ESXi by default and it’s highly privileged so it can manage the vCenter without the use of root, as stated by its passwd description: “VMware VirtualCenter administration account”. With a little bit of digging around, you can find all the information needed to be able to decrypt the password. Well, almost all of the information because you need a privilege escalation technique to be able to read the “/etc/vmware-vpx/ssl/symkey.dat” information, but “luckily” there is an privilege escalation vulnerability for that as well.

                To keep safe from CVE-2022-22948, be sure to apply the patches on VMware’s Advisory site.  There is no known workaround, so make sure to crank up those updates.

The Cybercriminal Group LAPSUS$

                Of all the cyberattacks taking place lately and all the criminal groups involved, few stand out like Lapsus$. They are a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom is paid, with the bulk of the group’s victims (15 of them) have been in Latin America and Portugal. “Little is known of the origins of the group, however, given that Lapsus$’s initial activity was directed towards several organizations in Brazil, some researchers have speculated that the group is based in South America,” researchers say. They have risen to “fame” quicky after successfully breaching companies like Nvidia, Microsoft, Okta and Globant. Microsoft on Tuesday confirmed that the Lapsus$ extortion-focused hacking crew had gained “limited access” to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach. Globant also confirmed a breach after Lapsus$ leaks 70GB of their data, and so did Nvidia and Okta. The companies have stated that the information exfiltrated is not of major importance and have contacted the victims to mitigate the outcome. It makes your skin crawl to think where they are already infiltrated by now, waiting to leak the data, and we don’t even know it.

                That’s it for this edition of CyBourn’s Cybersecurity Express. Hope you enjoyed the ride, and we await your return for the next journey. We know the subjects presented here can be scary, but it’s much better to be aware and educated, that we begin to prepare our defenses, that we are prepared to respond and fight back!


We Also Recommend to See:

The versatile platform that allows you to promptly detect complex threats, analyse and respond to them from a single pane of glass.
CyBourn's DreamLab pushes the boundaries of innovation in the cyberspace.

Tell us about your Cybersecurity needs

We are strategists, engineers, analysts, and governance experts embedded in the world’s biggest cyber missions and trusted to advance them. Let us help you today.