Hackers Attack Thousands of Computers Within Days of Ion Attack

(Bloomberg) More than 2,100 computers were infected with ransomware over the weekend. The ransomware exploited a vulnerability that had existed in VMware Inc.'s server software for two years, according to security researchers and authorities.

The infected machines represent a fraction of the more than 66,000 internet-connected computers that could be potential targets, said Patrice Auffret, founder and chief executive officer of Onyphe SAS, a French cybersecurity firm that scanned the internet for fingerprints of the attackers’ code in the wild. Cybersecurity agencies in France, Italy and Canada published advisories about the attacks, urging affected organizations to patch the vulnerability.

“What is interesting here is the speed at which they attacked the machines,” Auffret wrote in an email.

Hackers began infecting vulnerable computers on Friday and compromised more than 2,000 of them in 24 hours, Auffret said. It is not clear which organizations were affected.

“The time was chosen wisely — system administrators and security teams are nearly out for the weekend,” he said. “The attackers probably wanted to finish their dirty job during the weekend for a maximum impact.”

These breaches are the latest example of hackers exploiting old vulnerabilities in widely used software. In this case, they targeted VMware’s ESXi “hypervisor” software for servers to extort organizations that had failed to apply the necessary fix. The company released a fix for the problem in 2021.

According to security experts, hackers study public information from the moment a software company announces a fix for a security vulnerability in a product, looking for systems that are still vulnerable. It’s a race that has been ongoing for decades, as hackers aim to jump through holes in corporate technology at the same time that security personnel scramble to fix the issues. Microsoft Corp.’s so-called Patch Tuesday, a monthly roundup of the flaws in its enterprise technology, is often the spark for the race to fix such flaws.

“The vulnerability being targeted is two years old and should have been patched by now, but evidently many servers are still not protected,” Stefano Zanero, professor of cybersecurity at Italy’s Politecnico di Milano, said in an interview.

In a sign of the limited impact of the weekend breaches, just one of the 426 cryptocurrency wallets associated with the breaches showed a balance — of about $11,700, according to Alexander Leslie, an analyst at the threat intelligence company Recorded Future Inc.

“So far, the scale of disruption and destruction likely outweighs any financial gain for the threat actor,” Leslie wrote on Twitter.

A spokesperson for the US Cybersecurity and Infrastructure Security Agency, known as CISA, said, “CISA is working with public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed.”

Experts say it’s unclear if the ransomware attack against ION Trading UK, which disrupted derivatives trading globally last week, is connected to this latest campaign. LockBit, a well-known extortion group, was responsible for that breach. It is estimated that LockBit has been operating since January 2020 and has breached as many as 1,000 victims worldwide, extorting at least $100 million from these organizations.

LockBit, the gang behind last week’s attack on ION Trading UK that upended derivatives trading, said it received a ransom and unlocked those files. The company described that attack as “involving VMWare servers,” but it’s not known if the incident was related to the campaign targeting the two-year-old flaw. ION declined to say whether a ransom was paid.

With assistance from Tommaso Ebhardt, Ian Fisher, Ryan Gallagher, and Andrew Martin.

(Updates with more details throughout.)

©2023 Bloomberg L.P.
