Cyber attack: alarms and reality
On Sunday the National Cybersecurity Agency (Acn) sounded the alarm over a "massive attack" by hackers using ransomware already in circulation, which has hit thousands of servers around the world. At the moment, however, only 22 organisations in Italy are affected. Facts, numbers, comments and insights

There are currently 22 victims in Italy of the "massive" hacker attack warned of by the National Cybersecurity Agency (ACN).

"Acn's Computer Security Incident Response Team Italia (Csirt-IT) has detected a massive 'hacker' attack using already circulating ransomware targeting VMware ESXi servers." The Italian agency announced this on the afternoon of Sunday the 5th, adding that the attack is under way all over the world and concerns "a few thousand servers compromised in European countries such as France, the most affected country, Finland and Italy, as far as North America, Canada and the United States".

Agency experts have labelled the risk "high-orange". "That it is a serious matter is confirmed by the summit convened by Palazzo Chigi to take stock of the damage caused and implement the appropriate countermeasures", Ansa wrote yesterday morning.

Yet already yesterday, Italian IT security experts were playing down the scope of the attack. "Nothing new on the international scene", commented Stefano Zanero, associate professor of computer security at the Milan Polytechnic.

As the Csirt itself explained, VMware, the American manufacturer of the targeted software, had already identified and remedied the vulnerability in February 2021. Not everyone who runs the affected systems has applied the fix, however. Targeted servers that have not been patched, i.e. had the appropriate "fixes" installed, leave the door open to the hackers busy exploiting the flaw.

So just over twenty servers in Italy are affected by the threat, which the Italian cyber agency has nonetheless defined as "massive".

"To put it plainly: Chigi had to call a meeting with the top exponents of the secret services over about twenty cybercriminals dealing with outdated servers", comments Fatto Quotidiano today.

THE POSITION OF PALAZZO CHIGI

"Regarding the hacker attack that occurred on a global scale", Palazzo Chigi announced yesterday following the summit with the Undersecretary with responsibility for Cybersecurity Alfredo Mantovano, the director of the ACN Roberto Baldoni and the director of Dis Elisabetta Belloni, "despite the seriousness of the incident, in Italy no institution or primary company operating in critical sectors for national security has been affected".

Furthermore, "No evidence has emerged that indicates an aggression by a hostile state or state entity", continues the note from the Italian government.

"The cyber attack, which already emerged on the evening of 3 February and culminated yesterday in such a widespread way", reads the government's statement of 6 February, "had been identified by Acn as hypothetically possible since February 2021, and to this end the Agency had alerted all sensitive subjects to adopt the necessary protective measures", the note from Palazzo Chigi continues.

THE ACN ALERT

As specified by the Agency directed by Roberto Baldoni, the vulnerability identified by recent analyses as CVE-2021-21974 (already remedied, as mentioned, by the vendor VMware in February 2021) concerns systems exposed on the Internet that offer virtualization services based on the VMware ESXi product. According to the agency's experts, the flaw in question has a high impact, estimated by the technical community as "high risk/orange" (70.25/100).

AFTER THE ALERT FROM FRANCE

The first to notice the attack were the French. On February 3, 2023, the CERT-FR (aka the French Csirt) issued a bulletin warning of attack campaigns targeting VMware ESXi hypervisors with the aim of distributing ransomware on them.

"Applying patches alone is not enough. In fact, an attacker has probably already exploited the vulnerability and could have released malicious code. It is recommended that an analysis of the systems be carried out in order to detect any sign of compromise", added the CERT-FR in its notice of the incident.

THE SCOPE OF THE ATTACK

"Some of the recipients of the notice took the warning into due consideration, others did not and unfortunately today they are paying the consequences", the government statement notes.

The attack affected thousands of servers worldwide, according to data compiled by US-based cybersecurity firm Censys, with the most affected servers in France, followed by the United States and Germany. According to Ansa, there are currently 22 victims in Italy of the ransomware attack that exploited a vulnerability on VMware ESXi servers. These are entities or companies that are not of particular importance for national security, as Palazzo Chigi explained yesterday.

"On the other hand, there are about 400 potential victims: these are organisations which had not applied the fix for the vulnerability indicated on February 23, 2021 by the software manufacturer, but which reportedly have not been 'infected'. However, analyses are under way by the Postal Police and the National Cybersecurity Agency to ascertain the integrity of the systems and restore the security conditions", Ansa added today.

FOR THE EXPERTS: EXCESSIVE ALARM

The alarm, then, is excessive according to the experts.

Speaking to Agenzia Nova yesterday, Gerardo Costabile, CEO of Deepcyber and president of the Italian digital forensics association (Iisfa), underlined the need to "resize the effective scope of the cyber attacks that are currently affecting not only our country but the whole world".

"Beyond the media echo", he explained, "these are raids aimed at demanding a ransom, in this case exploiting a ransomware that infects servers on the network; 42,000 euros, i.e. two bitcoins, are demanded. But the vulnerability, mind you, dates back to 2021, which in computing terms is a geological era ago, and it is a problem, among other things, already solved by the software manufacturer itself through the release of a dedicated security patch".

THE DIFFERENCE WITH WANNACRY, THE RANSOMWARE THAT HIT HALF THE WORLD

"Unlike the attack with the WannaCry ransomware", added Costabile, "which in 2017 affected Microsoft systems, the ones we all use to some extent, in this case these are company virtualization systems, used for example by universities and small and medium enterprises. They are the ones who will have to improve the level of internal IT security".

According to Costabile, however, "systems are always vulnerable, and in this case it seems to me that the fuss aroused is too much, precisely because it is an old vulnerability and also very simple to solve".

GOVERNMENT DECREE COMING SOON

Finally, the government announced the adoption of a Dpcm, following up on the provisions of Legislative Decree no. 82/2021, "to link the fundamental prevention work of the Regions with ACN" in order to raise the bar of cyber security for companies and institutions.

THE WISHES OF THE EXPERTS

But that may not be enough according to experts.

"I hope that the government will take targeted actions to improve computer security and sanction anyone who does not comply with the provisions and does not proceed to install the patches released", said Costabile.

For the popularizer and cyber-security expert Corrado Giustozzi, however, "regulations such as those for kidnappings in the 70s would be needed, which forbid or make it difficult for those affected to pay the ransoms, in order not to feed the vicious circle".


This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/attacco-informatico-gli-allarmi-e-la-realta/ on Tue, 07 Feb 2023 12:52:31 +0000.