How and where the hacker attack was born, all the details

Hacker attack, what happened (not only in Italy). Facts and insights

A "massive attack using a ransomware already in circulation" has been detected by the Computer Security Incident Response Team Italy of the National Cybersecurity Agency (ACN). ACN technicians have already surveyed "several dozen probably compromised national systems and alerted numerous subjects whose systems are exposed but not yet compromised". At the moment there are a few thousand compromised servers all over the world, from European countries such as France (the most affected country), Finland and Italy, to North America, Canada and the United States.

Here are all the details.

WHAT BALDONI'S AGENCY SAYS ABOUT THE HACKER ATTACK

"The Computer Security Incident Response Team Italy (CSIRT-IT) of the National Cybersecurity Agency (ACN) has detected a massive 'hacker' attack, via already circulating ransomware, targeting VMware ESXi servers", the product of a Californian company.

The same agency added that the attack is under way all over the world and concerns "a few thousand compromised servers" "from European countries such as France (the most affected country), Finland and Italy, up to North America, Canada and the United States".

In Italy, the ACN explains, there are dozens of organisations that have encountered malicious activity against them, and according to analysts the number is bound to increase. Exploiting the vulnerability gives the attackers a foothold from which, in a subsequent phase, they carry out ransomware attacks which, as is well known, encrypt the affected systems and make them unusable until a ransom is paid for the decryption key.

IN FRANCE THE AGGRESSION IS BORN

The vulnerability exploited by the attackers to distribute the ransomware was patched by the vendor some time ago, but not everyone running the affected systems has applied the patch. Targeted servers that have not received the appropriate "fixes" open the door to the attackers who have been exploiting it in these hours, following the sharp growth in attacks recorded over the weekend. The first to notice were the French, probably because of the large number of infections recorded on the systems of some providers in France.

Security researchers are reporting an explosion of VMware ESXi hypervisor compromises with more than 500 machines affected by ransomware this weekend, with attacks leveraging CVE-2021-21974.

THE FRENCH OVHCLOUD IN THE EYE OF THE CYCLONE

As published by The Stack, around 20 ESXi machines were being hit every hour, based on data made available by Shodan, which showed that the majority of these machines were hosted by OVHcloud. But the reach is expanding rapidly.

French customers initially appeared to be hardest hit, and the country's CERT-FR was among the first to issue an alert.

French company OVHcloud said on February 3: “A wave of attacks is currently targeting ESXi servers. However, no services managed by OVHcloud are affected by this attack, as many customers use this operating system on their servers, we provide this post as a reference to assist them in resolving them."

HACKER ATTACK, WHAT'S HAPPENING IN ITALY

Subsequently, the wave of attacks moved to other countries including Italy.

The national information security authority reiterates in its note "that it is a priority for everyone to close the holes identified and develop an adequate protection strategy". According to ACN technicians, in fact, "we have been able to make a census of several tens of probably compromised national systems and have alerted numerous subjects whose systems are exposed but not yet compromised. However, there are still some exposed, uncompromised systems that cannot be traced back to their owners. These are urged to update their systems immediately".

The vulnerability identified by recent analyses as CVE-2021-21974 (already remedied by the vendor in February 2021) concerns systems exposed on the internet that offer virtualization services based on the VMware ESXi product, and has a high impact, rated by the technical community as "high risk/orange" (70.25/100). It is not excluded that other vulnerabilities may also be exploited by malicious actors.
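The article's practical message is the patch gap: a flaw fixed in February 2021 was still present on internet-exposed hosts two years later. CVE-2021-21974 affects the OpenSLP service on ESXi, and VMware's guidance for hosts that cannot be patched immediately is to disable SLP, including the CIMSLP firewall ruleset. The following script is an added example, not code from the article, from ACN or from VMware: it parses the text output of `esxcli network firewall ruleset list` that an administrator has collected from their own hosts and reports which hosts still have the CIMSLP ruleset enabled. The host names and the sample command outputs are constructed for the example.

```python
"""Triage helper: list ESXi hosts whose CIMSLP firewall ruleset is still
enabled, i.e. hosts that have not applied the SLP workaround for
CVE-2021-21974 and should be checked for the vendor patch.

Added example; the host names and command outputs below are constructed.
"""
import re
from typing import Dict, List

# Constructed sample: output of `esxcli network firewall ruleset list`
# as an operator might collect it per host over SSH (two hosts shown).
SAMPLE_OUTPUTS: Dict[str, str] = {
    "esxi-01.example.test": """\
Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true
vMotion              true
""",
    "esxi-02.example.test": """\
Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               false
vMotion              true
""",
}

# One data row: a ruleset name followed by "true" or "false".
# The "Name  Enabled" header and the dashed separator do not match.
_ROW = re.compile(r"^(\S+)\s+(true|false)\s*$")


def parse_rulesets(text: str) -> Dict[str, bool]:
    """Return {ruleset name: enabled} from esxcli ruleset output."""
    rules: Dict[str, bool] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rules[m.group(1)] = m.group(2) == "true"
    return rules


def slp_exposed(text: str, ruleset: str = "CIMSLP") -> bool:
    """True when the SLP ruleset is enabled.

    If the ruleset is missing from the output (truncated or unexpected
    text), the host is conservatively reported as exposed so that it is
    looked at by hand rather than silently skipped.
    """
    return parse_rulesets(text).get(ruleset, True)


def triage(outputs: Dict[str, str]) -> List[str]:
    """Sorted list of hosts whose CIMSLP ruleset is still enabled."""
    return sorted(host for host, out in outputs.items() if slp_exposed(out))


if __name__ == "__main__":
    for host in triage(SAMPLE_OUTPUTS):
        print(f"{host}: CIMSLP ruleset enabled; verify the ESXi patch level "
              f"or disable SLP per the vendor advisory")
```

The conservative default in `slp_exposed` matters during a campaign like this one: a host whose output could not be parsed is reported rather than ignored, so the operator's list errs toward hosts that still need attention.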

In this regard, the National Cybersecurity Agency, directed by Roberto Baldoni, yesterday published through CSIRT Italy a specific bulletin on the public portal https://csirt.gov.it, which also includes the procedures for resolving the vulnerability and to which the technical managers of public and private IT services are invited to refer.

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/cybersecurity/come-e-dove-e-nata-laggressione-hacker-tutti-i-dettagli/ on Sun, 05 Feb 2023 19:22:30 +0000.