Source |
Fortinet ThreatSignal |
Identifier |
3791023 |
Publication date |
2021-11-19 10:21:31 (viewed: 2021-12-13 21:05:26) |
Title |
Memento Group Exploited CVE-2021-21972, Hid Five Months to Deploy Ransomware |
Text |
FortiGuard Labs is aware of a report that a new adversary carried out an attack using a Python-based ransomware called "Memento." The Memento attackers are reported to have taken advantage of a remote code execution vulnerability in a VMware vCenter Server plugin (CVE-2021-21972) as an initial attack vector. The group started to exploit the vulnerability in April, then stayed in the network until they deployed ransomware to the victim's network upon completion of their data exfiltration.

Why is this Significant?
This is significant because the attacker was able to stay in the victim's network for more than 5 months after they gained initial access to the network by exploiting CVE-2021-21972. Because of the severity of the vulnerability, CISA released an alert on February 24th, 2021 to urge admins to apply the patch as soon as possible.

What is CVE-2021-21972?
CVE-2021-21972 is a remote code execution vulnerability in a VMware vCenter Server plugin. This vulnerability is due to improper handling of the request parameters in the vulnerable application. A remote attacker could exploit this vulnerability by uploading a specially crafted file to the targeted server. Successful exploitation of this vulnerability could lead to arbitrary code execution on the affected system. CVE-2021-21972 has a CVSS (Common Vulnerability Scoring System) score of 9.8 and affects the following products:
vCenter Server 7.0 prior to 7.0 U1c
vCenter Server 6.7 prior to 6.7 U3l
vCenter Server 6.5 prior to 6.5 U3n
For more details, see the Appendix for a link to the VMware advisory "VMSA-2021-0002".

Has the Vendor Released a Patch for CVE-2021-21972?
Yes, VMware released a patch for CVE-2021-21972 in February 2021.

What are the Details of the Attack Carried Out by the Memento Group?
According to security vendor Sophos, the attacker gained access to the victim's network in April 2021 by exploiting the vulnerability CVE-2021-21972. In May, the attacker deployed the wmiexec remote shell tool and the secretsdump hash dumping tool to a Windows server. Wmiexec is a tool that allows the attacker to remotely execute commands through WMI (Windows Management Instrumentation). Secretsdump is a tool that allows the attacker to extract credential material from the Security Account Manager (SAM) database. The attacker then downloaded a command-line version of WinRAR and two RAR archives containing various hacking tools used for reconnaissance and credential theft to the compromised server. After that, the adversary used RDP (Remote Desktop Protocol) over SSH to spread further within the network. In late October, after successfully staying low for 5 months, the attacker collected files from the compromised machines and put them in an archive file using WinRAR for data exfiltration. Then the attacker deployed the initial variant of the Memento ransomware to the victim's network, but the file encryption process was blocked by anti-ransomware protection. The attacker then switched ransom tactics, putting the victim's files into password-protected archive files instead of encrypting them.

What is Memento Ransomware?
Memento is a Python-based ransomware used by the Memento group. The first Memento variant simply encrypts files on the compromised machine. The second variant does not involve file encryption: it collects files from the compromised machine and puts them into password-protected archive files.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage for the available samples used in the attack:
W32/KeyLogger.EH!tr.spy
PossibleThreat.PALLASNET.H
Riskware/Miner
Riskware/Impacket
Riskware/Mimikatz
Riskware/Secretdmp
FortiGuard Labs provides the following IPS coverage for CVE-2021-21972:
VMware.vCenter.vROps.Directory.Traversal

Other Workaround?
VMware provided a workaround for CVE-2021-21972. See the Appendix for a link to "Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374)". |
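As an added patch-status check (example code written for this page, not Fortinet's or VMware's), the following Python script compares vCenter Server update designations against the three affected ranges stated in the text above and triages a host inventory into vulnerable, patched and out-of-scope groups. The "<line> U<n><letter>" version notation, the parser and the sample inventory are constructed assumptions; real inventories usually report build numbers, which must first be mapped to update designations using the VMware advisory before this check applies.

```python
"""Triage vCenter Server hosts against the CVE-2021-21972 affected ranges
(7.0 prior to U1c, 6.7 prior to U3l, 6.5 prior to U3n), as listed above.

Example code added for illustration; the version-string notation is an
assumption, not a VMware API or inventory format.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Product lines named in the advisory text and the first fixed update for each.
FIXED_IN: Dict[str, str] = {
    "7.0": "7.0 U1c",
    "6.7": "6.7 U3l",
    "6.5": "6.5 U3n",
}

# Assumed notation: "<major>.<minor>" optionally followed by " U<n>[letter]".
_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)(?:\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


class VcVersion(NamedTuple):
    line: str     # product line, e.g. "7.0"
    update: int   # update number; 0 for the GA release
    letter: int   # ordinal of the update letter (a=1 ...); 0 when absent, so "U1" < "U1a"


def parse_version(text: str) -> VcVersion:
    """Parse '7.0', '7.0 U1' or '7.0 U1c' (assumed notation) into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version designation: {text!r}")
    line, upd, letter = m.groups()
    return VcVersion(
        line=line,
        update=int(upd) if upd else 0,
        letter=(ord(letter.lower()) - ord("a") + 1) if letter else 0,
    )


def is_affected(version: str) -> Optional[bool]:
    """True if the version precedes the fix for its product line, False if it is
    at or past the fix, None if the product line is not covered by the advisory."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v.line)
    if fixed is None:
        return None
    f = parse_version(fixed)
    return (v.update, v.letter) < (f.update, f.letter)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so the vulnerable ones can be patched first."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "out_of_scope": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        if status:
            buckets["vulnerable"].append(host)
        elif status is False:
            buckets["patched"].append(host)
        else:
            buckets["out_of_scope"].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: Dict[str, str] = {
    "vc-prod-01": "7.0 U1",     # affected: precedes 7.0 U1c
    "vc-prod-02": "7.0 U1c",    # fixed release
    "vc-lab-01": "6.7 U3k",     # affected: precedes 6.7 U3l
    "vc-legacy": "6.5 U3n",     # fixed release
    "vc-new": "8.0",            # product line not in the advisory
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The GA release of a line (a bare "7.0") is treated as update 0, and a bare "U1" sorts below "U1a", which matches the vendor's ordering of update releases. Hosts whose product line is not in the advisory are reported separately rather than silently treated as safe, since the advisory says nothing about them.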
Notes |
|
Sent |
Yes |
Tags |
Ransomware
Tool
Vulnerability
Guideline
|
Stories |
|