United States: Ankura CTIX FLASH Update - April 5, 2024

Malware Activity

SEXi Ransomware Targets VMWare ESXi Servers

IxMetro Powerhost – a Chilean data center and hosting provider has confirmed they have been attacked by a novel ransomware group self-named "SEXi". The SEXi ransomware group appears to specifically target VMware's ESXi servers, encrypting servers and backups, and renaming encrypted files with a ".SEXi" extension. SEXi's ransom note has been found to be a ".txt" file which simply instructs victims to download and reach out to the attackers via the Session messaging application. In the case of the attack against IxMetro, the ransomware group demanded roughly $140 million in bitcoin for the decryption key. It is currently unknown whether SEXi plans to run a double-extortion operation or whether they will continue to only demand a ransom payment for decryption keys. Additionally, given the novelty of the ransomware, the initial access vector for the attack on the ESXi servers is currently unknown to cybersecurity researchers. Information about this new threat group and novel ransomware is still only just emerging. CTIX Analysts will continue to report on new and escalating malware and ransomware campaigns.

• Bleeping Computer: SEXi Ransomware Article
• GBHackers On Security: SEXi Ransomware Article

Threat Actor Activity

Russia Indicts Six (6) Suspects Involved in Stealing 160,000 Credit Cards Over Seven (7) Years

Russia has indicted six (6) individuals for card scamming crimes, a rarity for a country who has minimal precedence for tackling cybercrime. The six suspected "hacking group" members were indicted by the Russian Prosecutor General's office for using malware to steal credit card and payment information from foreign online stores. Per the investigation, Denis Priymachenko, Alexander Aseev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev have managed to steal over 160,000 payment cards since the end of 2017 using computer programs to bypass protection of foreign online store websites to infiltrate their databases and exfiltrate bank card details over to remote servers. Russian authorities have stated that the persons of interest were not personally using the stolen cards but rather selling the card data on dark web platforms. Attacks like this are often referred to as card skimming, where hackers will infect e-commerce sites with malicious code that steals customers' input on the checkout pages or through a fake payment overlay. Sometimes the threat actors will use the card info to make unauthorized purchases sent to money mules or sell them on dark web marketplaces which is most likely the case in this instance.

• Bleeping Computer: Russian Indictment Article

Vulnerabilities

Ivanti Patches Multiple VPN Gateway Vulnerabilities in Connect Secure and Policy Secure

Ivanti has patched multiple security vulnerabilities in its Connect Secure and Policy Secure gateways. Among them is a high-severity flaw tracked as CVE-2024-21894, allowing unauthenticated attackers to conduct remote code execution and induce denial-of-service (DoS) attacks, along with three (3) other vulnerabilities facilitating DoS attacks due to issues in heap overflow, null pointer dereference, and XML entity expansion. Despite the severity of these vulnerabilities and the potential for exploitation, there have been no reported incidents of exploitation at the time of disclosure. These updates follow Ivanti's public commitment to enhancing security measures following a backdrop of recent critical vulnerabilities in other products and a broader initiative to adopt secure-by-design principles, increase transparency, and improve vulnerability management. The urgency of these patches is underscored by past nation-state threat actor exploits of Ivanti software, which include the deployment of zero-days to disseminate malware. This situation has led to emergency directives from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to protect Federal Civilian Executive Branch (FCEB) agency systems against such vulnerabilities, demonstrating the severe cybersecurity consequences for Ivanti's customers and the broader global digital infrastructure. CTIX analysts recommend all administrators ensure their Ivanti products always stay up to date with the latest software to prevent exploitation.

• Bleeping Computer: CVE-2024-21894 Article
• The Hacker News: CVE-2024-21894 Article

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.