ISMG Editors: Ransomware Campaign Hits Outdated VMware Hosts
Also: Third-Party Risk Management; Check Point Enters SD-WAN Market
Anna Delaney (annamadeline) • February 17, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including the ESXiArgs ransomware campaign that has snared 2,800 victims, the data breach reported in an SEC filing by a multistate hospital chain, and Check Point's building of SD-WAN capabilities that are integrated with the company's network security stack.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Michael Novinson, managing editor, ISMG Business - discuss:
- A massive ransomware campaign that is continuing to exploit unpatched VMware ESXi hypervisors to forcibly encrypt virtual machines and hold them to ransom;
- How a multistate hospital chain disclosed to federal regulators a cybersecurity incident involving secure file transfer software that compromised the data of about 1 million patients;
- Check Point's introduction, at last, of an SD-WAN offering that supports more than 1,000 applications and is tightly integrated into the company's network security stack.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Feb. 3 edition, which considers whether the U.S. takedown of ransomware group Hive marks its demise, and the Feb. 10 edition, which discusses how police nabbed the notorious Zeekill hacker.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this is our weekly review and analysis of the trending cybersecurity news stories. Joining me today are the three Ms, the three musketeers: Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; we have Mathew Schwartz, executive editor of DataBreachToday and Europe; and Michael Novinson, managing editor for business. Very good to see you all.
Marianne McGee: Hi, Anna.
Michael Novinson: Thank you for having me.
Delaney: Matt, earlier this month, you wrote about a global ransomware campaign targeting VMware ESXi servers by exploiting a known two-year-old software vulnerability. Tell us more.
Mathew Schwartz: It is a mouthful, isn't it? So yeah, we've got this small problem in the form of unpatched VMware ESXi servers running hypervisors. So they're hosting virtual machines. And one of the challenges with this story is the fact that the ransomware is being used by attackers to target unpatched machines. It has this mouthful of a name. It's being referred to as ESXiArgs - sounds like a pirate ransomware campaign, so "args" - and the reason that's in the title is because systems that get messed with by attackers have got .args appended to the files. So this ransomware goes after the kinds of files it'll be running on hypervisors, pretty much virtual machines. And as of last week, we know that there were at least 2,800 victims that had been amassed. It's interesting how we know this: the attackers don't seem to be ultra-sophisticated. Not my words; I was talking to security experts, and they've been looking at the way that these attacks have gone down, and they're highly automated. And when these VMware servers are getting hit, in the first wave of attacks, what would happen is there'd be a ransomware note that would get dropped, and each of the ransom notes had a unique cryptocurrency wallet address to which the victims were supposed to remit payment. So the good news is, only a very few victims have used these cryptocurrency wallets; researchers can see if there are any funds flowing into them. It also allowed them, again, to count how many had been hit, and to do some analysis using Shodan and other internet search engines to see where these victims appear to be located. The majority are in France, but a fair few also in the United States, Germany, Canada, the U.K., the Netherlands, Finland and beyond. So, as so often happens when researchers publicize this sort of thing and say, "Oh, look at these amateur attackers," the attackers have revised their attack code and done a couple of things.
The first thing is they've gotten rid of the hard-coded cryptocurrency wallet addresses, the unique one in every different ransom note. Instead, they just tell the victim to contact them and they'll give them an address. So it's very difficult now to count victims. Another thing they seem to have done: the vulnerability they were targeting was two years old. It was a vulnerability in a protocol that allows VMware systems to look for other VMware systems on the network. It's called OpenSLP. And in the first wave of attacks, it seemed like the systems getting hit hadn't patched this OpenSLP flaw, which was patched back in February 2021. So in theory, everybody should have had this patch installed. Nearly two years later, along come attackers, and they hit all the systems that haven't done so. In the second wave of attacks, though, it seems like some of the systems that are getting hit did have OpenSLP either patched or not exposed to the internet. And if it's not exposed, supposedly, this is one way of mitigating the vulnerability from being exploited. So it's not clear what's happening with this second wave. Some experts think that there's a different flaw in VMware that's getting hit by these attackers, again, in these highly automated attacks. So all this is bad news. The Cybersecurity and Infrastructure Security Agency in the United States has come out and told the federal agencies that need to do what CISA says that they need to have this updated pronto. They've set an early March deadline, but they want them to ensure they've got mitigations in place to block these attacks from happening until they can get a patch in place. Why haven't all these systems just been patched? That's a question I've been asking experts. And one of the challenges, apparently, with hypervisors is they're easy to deploy, but they're more difficult to patch, because you need to take everything on that hypervisor and swap it over to a different system. And they can be very big.
Patch that first system and then copy it all back. And one of the things I've been hearing is, it'd be nice if VMware made this easier to do, because as you can see, you have a lot of unpatched systems still running around. So we do seem to have fewer systems that are internet-exposed since this flaw started getting hit, which is great news. But we still do have systems that are internet-exposed - the admin panel is internet-exposed - which is what needs to be addressed. The other thing to note briefly is, when a hypervisor gets hit, on average, it'll have five to 10 virtual machines running on it. But there could be many more if it's a service provider, for example. So even though we're talking about maybe 120-800 organizations getting hit, it's not clear, by extension, how many different companies or businesses may have been impacted. We're not sure if their data has been exfiltrated in these attacks as well. So there's a lot that we don't know, but short and sweet: If you've got a VMware ESXi hypervisor and it's an unpatched one, you need to get on that right away.
Delaney: And just a question on hypervisors: Is this a new threat to hypervisors?
Schwartz: There's a risk with hypervisors, because they will run multiple virtual machines. And if you are getting that through a service provider, you may be only one of the clients. So if an attacker can get onto that hypervisor and somehow get root, then they can access everything running on that system. This is a problem with any kind of hosted service. But certainly when you have managed hosting like this, if that's what you're doing, you want to make sure that your service provider has got some guarantees in place, in case this sort of thing happens. If your data gets breached as a result, you're still going to look bad, but at least if you've got contracts in place, possibly you can transfer some of the cleanup costs or liability onto your hosting provider.
Delaney: Well, thanks for that, Matt. That was very clear insight. Moving on. Marianne, both you and Matt reported on the GoAnywhere MFT hack this week. So Marianne, the question is, how did the data of about one million patients end up being compromised?
McGee: Well, what we know - and this is all based on a filing by Community Health Systems, which reported the breach not to HHS and not to any of the state regulators yet, but to the U.S. Securities and Exchange Commission - is that CHS was recently notified by Fortra, which is the vendor that sells the GoAnywhere MFT secure file transfer software, that Fortra had had a security incident. And the filing by CHS to the SEC doesn't go into details of exactly what happened. But as Matt also wrote about, Fortra recently was the subject of a security alert about a pre-authentication remote code execution vulnerability in the GoAnywhere MFT product. And there have been reports of the zero-day vulnerability being exploited by various attackers, including the ransomware group Clop, which claims to have stolen data from about 130 organizations. So, so far, there's no confirmation that CHS was among those 130 organizations that were victimized by Clop. But it does seem like the timing kind of fits. Again, CHS won't say, and Fortra doesn't return requests for comment on the issue. But in the bigger picture, this is like the latest incident where a major health data breach is being reported to regulators involving vendors. Many of the large, and some of the largest, health data breaches that were reported last year involved vendors, whether it was electronic health record vendors or other sorts of technology vendors. Some of these incidents involved ransomware; some of them involved misconfigurations that maybe led to something else. But the bottom line is, this latest incident, with CHS reporting that 1 million patients were impacted by this Fortra incident, is a reminder not only of vendor risk issues, but also, in the case of other organizations that are using the GoAnywhere product, that they need to apply this patch that Fortra has issued as soon as possible.
So I'm sort of keeping my eyes on what happens with the CHS breach - what other details might get revealed once the organization reports it to the Department of Health and Human Services. And there's always fallout after these things come out in the open. How much detail do we get? We'll see. But we'll also see if there are other healthcare organizations, or other organizations in other sectors for that matter, that wind up reporting breaches related to this GoAnywhere incident. And, Matt, I don't know if you've been hearing anything more about other organizations that have come out saying, "We've had breaches related to this," but I'll be interested in seeing what happens next.
Schwartz: I haven't seen any reports before the one that you put out, which, like you said, hasn't stated for certain that this is how they were breached. But I suspect that there are a lot of organizations looking into whether or not this was used against them. That's one of the recommendations that's been made: to go in and look at your log files. There's a GoAnywhere.log file that you can look at for signs of suspicious activity, which can include - I feel like this is a medical side effects alert - unexpected admin accounts, unexpected users, new accounts created at weird times of the day, like three in the morning, when nobody should be at work. That's the sort of advice that users are getting, which isn't ideal. The company is telling them to look back to, I think, around January 25, which is when they think the attack first began. Some organizations might not have those log files still; hopefully they do. And so they're looking for signs of suspicious activity. The typical investigation cycle we see can stretch for four to six weeks, maybe sometimes eight weeks, before you see companies come back, after they've commissioned incident responders, to say what was found and all that. So I suspect there are a lot of organizations at the beginning of this "oh no, we were hit, bring in outside help to figure out how we were hit" cycle. And we're going to be hearing a lot more about this in the next month or so.
McGee: Yeah. And then, again, CHS didn't provide a lot of details to the SEC, but they did say that when they learned about the incident from Fortra, they investigated to see if any of their systems were impacted or disrupted. And so far, they haven't found that to be the case. But when they say "disrupted," you'd think maybe there was some sort of ransomware attempt or something involved. But again, I don't want to speak for the company. We'll see what happens.
Delaney: And Matt, just going back to the Clop group for a second, is this attack characteristic of their tactics? And correct me if I'm wrong, but were they not behind the Accellion attacks of 2020?
Schwartz: I believe they were behind Accellion; that's a great point to bring up. Because this wouldn't be the first time that a ransomware group has gained access to systems using some kind of vulnerability. And back in 2020, apparently, that was a vulnerability that this ransomware group had either paid somebody to find, or somebody found it and brought it to them. And they were able to use it to good effect to, as you mentioned, hit users of a widely used product that was used for storing files. And they stole that data. They didn't encrypt those systems; they stole the data and held it to ransom, and did apparently get some ransom payments off of it. So we don't have proof, or at least solid proof, that it is Clop. Clop has claimed that it was them. There's also one incident report that's been put out by a company called Huntress, which said it investigated a breach and found Clop-like activity on a server that was designated for GoAnywhere managed file transfer activity. So they didn't recover the smoking gun, if you will. But there is a lot of coincidental stuff happening around this. It does look like Clop; it does look like we've been here before with Clop as well, as you mentioned.
Delaney: Well, as ever, it's a story to be continued. But for now, thank you, both of you, for updating us. Michael, you've written this week about Check Point's decision to enter the SD-WAN market. Tell us more.
Delaney: Michael, why do you think it took so long for Check Point to enter the space?
Novinson: It's a good question. Strategically, they are an interesting company, in that they kind of fall somewhere between Cisco and Palo Alto Networks - or rather, Fortinet and Palo Alto Networks, and I'll call them out since they're the pure-play security companies. All three of them started off as firewall companies. And then they had to decide how they wanted to evolve their business. So on one extreme, you have Palo Alto Networks, which under the cache are over the past four years has made a ton of acquisitions and said, essentially, they realized that network firewalls, the traditional network perimeter, wasn't necessarily the fastest-growing area, and they wanted to expand their platform. So they bought aggressively into cloud security. They bought aggressively into security operations. They bought some in the endpoint security market. And they wanted firewall to be a piece in a broader security platform so that they could sell this consolidation story. And as part of that, they did buy CloudGenix, so they can combine the firewall and the SD-WAN. And when Palo Alto Networks moves into a space, they're very clear that they want to be ... if they don't feel they can be top two or top three in a market, they don't move in. Fortinet's very different, in that they've stayed much narrower. They have used their own chip for 20 years now. And they realized that that would give them a compute advantage if they were to move into SD-WAN. And so they made that move in the 2016-2017 time frame. It surprised a lot of people, because at that point, SD-WAN was thought of as networking technology; it was going to be the Ciscos, potentially the VMwares of the world, that were going to dominate, and the idea of a security company doing SD-WAN was a little foreign. But I mean, Fortinet's at number two in market share right now, so clearly their vision there paid off. And they've moved off into OT security and critical infrastructure.
But they've tried to stick to the on-premises world. They've made it clear they're not looking to move into cloud; they're not looking to be all things to all people. Check Point's kind of somewhere between the two. So they've done some acquisitions. They bought some cloud things, not as much as Palo. They bought into email security. They launched an MDR platform. They now are doing SD-WAN. So they've kind of dabbled in a lot of different areas, but not in the way that Palo Alto Networks went all in and spent tons of money to buy the market leader. So they've kind of dabbled in a lot of different markets. So yeah, I think in terms of SD-WAN, things were expensive, the market was good, there were a lot of companies being scooped up for acquisitions; maybe they missed the window to acquire some of the top SD-WAN companies. And when they looked around, they didn't feel like what was there was up to par. So it's a late entry. But I mean, they just last year announced they were going to enter the managed detection and response space. And I mean, you certainly can say starting MDR in 2022 is pretty late, too. So it's an interesting strategy, and it will be interesting to see how much traction they can gain, given how crowded the SD-WAN market already is.
Delaney: Yeah, well, let's see how they fare with this move. Thank you very much, Michael.
Novinson: You're very welcome.
Delaney: And finally, just a bit of fun. Your next Hollywood blockbuster, award-winning movie is all about - wait for it - cybersecurity. What would you call it?
Novinson: I'll go first. I'll take inspiration from Roland Emmerich, thinking of the mid-2000s, maybe "The Day After Tomorrow." I'd go for "The One After SolarWinds." That was a seismic event in the industry. We all assumed code was secure by default, that we didn't have to worry about things in the production environments. That was the pre-SolarWinds thinking, and the day after SolarWinds, it's a whole new world. And we see people having to think about things from a security perspective that, at least to a layman, they weren't ever considering before.
Delaney: I like that. That's very good.
Schwartz: Wow, that's got some thought behind it and nuance. Well, it's so different from what I came up with, which is just "Cyber Wars." I mean, I grew up with Star Wars, and so any ability to emulate that - I mean, "Cyber Wars," right? It can be overdone and something schlocky that has absolutely no bearing on reality. Or you can also use it for something a bit more nuanced, you know, your news magazine, deep-dive sort of thing looking at the rise of nation-state attacks and whatnot. I've watched both personally, so I'll just leave it at that. And we'll see what comes out.
Delaney: It works for the ISMG Editors' Panel, that's for sure.
McGee: Mine's very similar to what Matt just said. I was going to say "WarGames II," sort of building on the 1983 movie with Matthew Broderick, who is just like a young child hacking into military systems or something like that.
McGee: NORAD, right. Lot of possibilities there, I think, that are kind of scary.
Delaney: Yeah, we could definitely do a part two, or maybe a remake.
Schwartz: Matthew Broderick, yeah, he's older, maybe no wiser. I don't know.
Delaney: I was thinking "Denial of Service."
Schwartz: Oh, that's horrible.
Delaney: That definitely embodies the drama of an Oscar. First I thought "Wizard of Oz." You get that mystery behind the curtain.
Schwartz: And the sequel, Anna: "Blue Screen of Death."
Delaney: Oh, there you go. Wow! Look at all this creativity. Thank you very much, Marianne, Matt, Michael, always a pleasure. Thank you so much for watching. Until next time.