Feb 5, 2023
Hackers Target Thousands of Computers; Italy Calls Meeting
(Bloomberg) -- More than 2,100 computers around the world were infected over the weekend with ransomware that exploited a two-year-old vulnerability in server software made by VMware Inc., according to cybersecurity researchers and authorities.
The infected machines represent a fraction of the more than 66,000 internet-connected computers that could be potential targets, said Patrice Auffret, founder and chief executive officer of Onyphe SAS, a French cybersecurity firm that scanned the internet for fingerprints of the attackers’ code in the wild. Cybersecurity agencies in France, Italy, Canada and other countries published advisories disclosing the attacks and urged organizations using the vulnerable software to fix it.
“What is interesting here is the speed at which they attacked the machines,” Auffret wrote in an email.
Hackers started infecting vulnerable computers on Friday, compromising more than 2,000 machines within 24 hours, Auffret said. Exactly which victims were breached in the effort remains unclear.
“The time was chosen wisely — system administrators and security teams are nearly out for the weekend,” he said. “The attackers probably wanted to finish their dirty job during the weekend for a maximum impact.”
The breaches were the latest example of hackers leveraging old vulnerabilities in widely used software. In this case, they used VMware’s ESXi “hypervisor” code for servers in order to extort organizations that failed to apply the necessary fixes long ago. The company issued a fix for the software issue in 2021.
From the moment a software company publishes a fix for a security vulnerablity in one of its products, hackers study the public information to determine whether attacks are possible, according to security experts. It’s a race that has been ongoing for decades, as hackers aim to jump through holes in corporate technology at the same time that security personnel scrambles to fix the issues. Microsoft Corp.’s so-called Patch Tuesday, a monthly roundup of the flaws in its enterprise technology, often is the spark for the race to fix such flaws.
“The vulnerability being targeted is two years old and should have been patched by now, but evidently many servers are still not protected,” Stefano Zanero, professor of cybersecurity at Italy’s Politecnico di Milano, said in an interview.
In a sign of the limited impact of the weekend breaches, just one of the 426 cryptocurrency wallets associated with the breaches showed a balance — of about $11,700, according to Alexander Leslie, an analyst at the threat intelligence company Recorded Future Inc.
“So far, the scale of disruption and destruction likely outweighs any financial gain for the threat actor,” Leslie wrote on Twitter.
A spokesperson for the US Cybersecurity and Infrastructure Security Agency, known as CISA, said, “CISA is working with public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed.”
It remains unclear if the latest campaign is related to a ransomware attack last week against ION Trading UK that disrupted derivatives trading globally, security experts said. That breach was conducted by a notorious extortion group called LockBit, which the US Department of Justice estimates has been active since January 2020, conducting breaches at as many as 1,000 victims globally and extorting as least $100 million from those organizations.
LockBit, the gang behind last week’s attack on ION Trading UK that upended derivatives trading, said it received a ransom and unlocked those files. The company described that attack as “involving VMWare servers,” but it’s not known if the incident was related to the campaign targeting the two-year-old flaw. ION has declined to comment on whether a ransom was paid.
--With assistance from Andrew Martin, Ian Fisher, Ryan Gallagher and Tommaso Ebhardt.
(Updates with additional details throughout.)
©2023 Bloomberg L.P.