Cyber security news September 2022

This posting is here to collect cyber security news in September 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.
  1. Tomi Engdahl says:

    Hackers Possibly From China Using New Method to Deploy Persistent ESXi Backdoors

    Hackers possibly from China have been using a new technique to install persistent backdoors in VMware ESXi hypervisors, giving them significant capabilities while making detection more difficult.

    The new technique, spotted by Mandiant in April, involves using malicious vSphere Installation Bundles (VIBs). A VIB is a collection of files packaged into a single archive to facilitate distribution — they are similar to a tarball or ZIP archive.

    VIB packages can be used to create startup tasks, custom firewall rules, or to deploy custom binaries when an ESXi machine is rebooted. Administrators typically use these packages to maintain systems and deploy updates, but it appears that malicious actors have found a way to abuse them.

    The attackers observed by Mandiant have used malicious VIBs to install two backdoors on ESXi hypervisors. These pieces of malware, named VirtualPita and VirtualPie by Mandiant, allow arbitrary command execution, file transfers, and the ability to initiate reverse shells.

    According to Mandiant, this new ‘malware ecosystem’ affects VMware ESXi, Linux vCenter servers, and Windows virtual machines (VMs). The Windows malware is tracked as VirtualGate.
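    As an added defender-side example (not code from the article, Mandiant or VMware), the script below parses a constructed `esxcli software vib list` output and flags VIBs that are not VMware-signed and not in a known-good baseline, which is the inventory check this technique calls for. The column layout and the acceptance-level names are assumed from ESXi documentation; all rows are made up.

```python
import re

# Constructed sample of `esxcli software vib list` output. Layout assumed
# from ESXi docs; every row is made up and none is a real indicator.
SAMPLE_VIB_LIST = """\
Name            Version                      Vendor         Acceptance Level    Install Date
--------------  ---------------------------  -------------  ------------------  ------------
esx-base        7.0.3-0.20.00000000          VMW            VMwareCertified     2022-01-15
net-e1000e      1.1.0-1vmw.700.1.0.00000000  VMW            VMwareCertified     2022-01-15
oem-driver      2.3.1-1OEM.700.1.0.00000000  ExampleOEM     PartnerSupported    2022-03-07
esx-tools-kit   1.0.0-1                      ExampleVendor  CommunitySupported  2022-04-02
"""

# Levels signed by VMware itself. Lower levels (PartnerSupported,
# CommunitySupported) are not necessarily malicious, but a VIB there that is
# not in the host's expected baseline deserves review.
VMWARE_SIGNED_LEVELS = {"VMwareCertified", "VMwareAccepted"}


def parse_vib_list(text):
    """Parse esxcli's space-aligned table into dicts keyed by header name."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        if set(line.strip()) <= {"-", " "}:  # separator row of dashes
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def suspicious_vibs(rows, baseline=frozenset()):
    """Return VIBs not signed by VMware and not in the known-good baseline."""
    return [
        r for r in rows
        if r["Acceptance Level"] not in VMWARE_SIGNED_LEVELS
        and r["Name"] not in baseline
    ]


if __name__ == "__main__":
    vibs = parse_vib_list(SAMPLE_VIB_LIST)
    # Assumed baseline: the OEM driver is expected on this host.
    for v in suspicious_vibs(vibs, baseline={"oem-driver"}):
        print(f"REVIEW {v['Name']} {v['Version']} vendor={v['Vendor']} "
              f"level={v['Acceptance Level']} installed={v['Install Date']}")
```

    On a real host, feed the script the saved output of `esxcli software vib list` and compare the flagged names against the image profile the host was built from.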

  2. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Microsoft says the Lazarus group is weaponizing open-source software like PuTTY, KiTTY, TightVNC, and Sumatra PDF Reader to compromise “numerous” organizations — PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording all targeted.

  3. Tomi Engdahl says:

    Andy Greenberg / Wired:
    VMware and Google’s Mandiant say a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks — For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice.

    Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying

    For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice.

    For decades, virtualization software has offered a way to vastly multiply computers’ efficiency, hosting entire collections of computers as “virtual machines” on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical “hyperjacking” and “Blue Pill” attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of “hyperjacking” attacks in the wild.

    Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign. By planting their own code in victims’ so-called hypervisors—VMware software that runs on a physical computer to manage all the virtual machines it hosts—the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim’s virtual machines, the hackers’ trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

    “The idea that you can compromise one machine and from there have the ability to control virtual machines en masse is huge,” says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only “side effects” of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system.

    Mandiant discovered the hackers earlier this year and brought their techniques to VMware’s attention. Researchers say they’ve seen the group carry out their virtualization hacking—a technique historically dubbed hyperjacking in a reference to “hypervisor hijacking”—in fewer than 10 victims’ networks across North America and Asia.

  4. Tomi Engdahl says:

    Nate Raymond / Reuters:
    Former eBay executives Jim Baugh and David Harville are sentenced to 57 and 24 months in prison for their roles in a 2019 cyberstalking campaign against critics

    Ex-eBay execs heading to prison for harassing couple behind newsletter

    Two former eBay Inc (EBAY.O) security executives were sentenced to prison on Thursday for carrying out a campaign to harass and intimidate a Massachusetts couple through threats and disturbing home deliveries after their online newsletter drew the ire of the company’s then-CEO.

    Jim Baugh and David Harville were sentenced to 57 and 24 months in prison, respectively, for their roles in an extensive harassment campaign that involved sending the couple cockroaches, a funeral wreath and a bloody Halloween pig mask.

    Prosecutors said senior executives deemed the newsletter critical of eBay, and in August 2019 then-Chief Executive Officer Devin Wenig texted another executive that it was time to “take her down,” referring to Ina Steiner.

    They said other eBay employees involved included Harville, who Baugh recruited with a contractor for an “op” to surveil the Steiners and try unsuccessfully to install a GPS on their car.

  5. Tomi Engdahl says:

    According to researchers at GTSC, there’s an unpatched 0-day being used in the wild to exploit fully patched Microsoft Exchange servers. When they found one compromised server, they made the report to Microsoft through ZDI, but upon finding multiple Exchange servers compromised, they’re sounding the alarm for everyone. It looks like it’s an attack similar to ProxyShell, in that it uses the Autodiscover endpoint as a starting point. They suspect it’s a Chinese group that’s using the exploit, based on some of the indicators found in the webshell that gets installed.

    Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server

  6. Tomi Engdahl says:

    Optus takes out full-page newspaper advertisements to apologise over data breach

    Optus has apologised to people affected by last week’s cyber attack, admitting that it needs to communicate better with people caught up in the data breach.

    The telecommunications company took out full-page advertisements in major newspapers around the country to say how “deeply sorry” it was.

    “We’ve heard your message that we need to communicate more clearly,” the ad says.

    “That’s why we’ve now put together easily accessible materials for you to stay informed on the actions you can take.”

  7. Tomi Engdahl says:

    Serious vulnerabilities in Matrix’s end-to-end encryption have been patched
    Previously overlooked flaws allow malicious homeservers to decrypt and spoof messages.
