Categories
News

Ransomware attacks exploit VMware ESXi vulnerabilities in an alarming pattern.

New research reveals that ransomware assaults on VMware ESXi infrastructure follow a consistent pattern, independent of the file-encrypting malware used.

“Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse,” cybersecurity firm Sygnia said in a report shared with The Hacker News.

Through its incident response work on cases involving different ransomware families, including LockBit, HelloKitty, BlackMatter, RedAlert (N13V), Scattered Spider, Akira, Cactus, BlackCat, and Cheerscrypt, the Israeli firm found that attacks on virtualization environments follow a similar sequence of events.

The sequence consists of the following steps:

  • Gaining initial access through phishing, malicious file downloads, and exploitation of known vulnerabilities in internet-facing assets
  • Escalating privileges to obtain credentials for ESXi hosts or vCenter, using brute-force attacks or other techniques
  • Deploying the ransomware and validating access to the virtualization infrastructure
  • Deleting or encrypting backup systems, or in some cases changing their passwords, to make recovery harder
  • Stealing data and exfiltrating it to external sites such as Dropbox, Mega.io, or the attackers’ own hosting services
  • Launching the ransomware to encrypt the “/vmfs/volumes” folder of the ESXi filesystem
  • Propagating the ransomware to non-virtualized servers and workstations to widen the attack’s scope

To reduce the risk posed by such attacks, organizations should ensure that adequate monitoring and logging are in place, develop reliable backup plans, enforce strong authentication, harden the environment, and implement network restrictions to prevent lateral movement.

The findings follow a warning from cybersecurity firm Rapid7 about a campaign, ongoing since early March 2024, that uses malicious advertisements on popular search engines to distribute trojanized installers for PuTTY and WinSCP via typosquatted domains, which in turn deliver ransomware.

The fake installers drop the Sliver post-exploitation toolkit, which is then used to deliver additional payloads such as a Cobalt Strike Beacon that is used to spread the ransomware.

The activity overlaps tactically with earlier BlackCat ransomware attacks in which malvertising was the initial access vector, as part of a recurring campaign distributing the Nitrogen malware.

“The campaign disproportionately affects members of IT teams, who are most likely to download the trojanized files while looking for legitimate versions,” Tyler McGraw, a security researcher, stated.

“The successful execution of the malware gives the threat actor a stronger footing and impedes analysis by distorting the aim of following administrative activities.”

The discovery also comes following the introduction of new ransomware families such as Beast, MorLock, Synapse, and Trinity, with the MorLock gang specifically targeting Russian companies and encrypting files without first exfiltrating them.

“The [MorLock] attackers demand a significant ransom, which can be tens or hundreds of millions of rubles,” Group-IB’s Russian subsidiary F.A.C.C.T. claimed.

According to NCC Group data, global ransomware attacks in April 2024 decreased by 15% from the previous month, from 421 to 356.

Notably, April 2024 marks the end of LockBit’s eight-month reign as the threat actor with the most victims, highlighting the group’s struggle to survive a massive law enforcement takedown earlier this year.

In an unexpected turn of events, NCC Group reported that LockBit 3.0 accounted for fewer than half of the attacks detected in March and was not the most prevalent threat group for the month. “Instead, Play was the most active threat group, followed shortly after by Hunters.”

Adding to the volatility of the ransomware landscape are cybercriminals advertising hidden Virtual Network Computing (hVNC) and remote access services such as Pandora and TMChecker, which could be used for data exfiltration, delivering additional malware, and enabling ransomware attacks.

According to Resecurity, a number of initial access brokers (IABs) and ransomware operators use TMChecker to check readily available compromised data and determine whether corporate VPN and email account credentials are still valid.

The parallel rise of TMChecker is significant because it substantially lowers the barrier to entry for threat actors seeking high-impact corporate access, whether for their own use or for sale to other adversaries on the secondary market.

Huawei chip rival Nvidia lowers pricing in China

Image credit: REUTERS/Dado Ruvic/Illustration

According to people familiar with the matter, Nvidia’s (NVDA.O) most powerful AI chip designed specifically for the Chinese market has had a poor start: abundant supply has forced it to be priced below a rival chip from Huawei, a major player in the Chinese tech industry.
The declining prices highlight the difficulties that Nvidia’s China division is facing in light of US bans on the sale of AI chips and increased competition, raising doubts about the company’s future in a country that accounted for 17% of its revenue in the company’s fiscal year 2024.

The growing competitive pressure in China is a caution for investors in the American semiconductor designer, whose shares continued their strong upward trend after Wednesday’s impressive revenue forecast.
The industry leader in artificial intelligence (AI) chips, Nvidia, released three chips specifically designed for China in the latter part of 2018 after being banned from exporting its most sophisticated semiconductors due to U.S. sanctions.

Since the H20 is the most potent Nvidia product available in China, it is the chip that is being watched the most. However, three supply chain sources told Reuters that there is an abundance of the chip on the market, indicating lackluster demand.
Two of the three people told Reuters that this has resulted in H20 chips being sold in certain instances at a discount of more than 10% to Huawei’s Ascend 910B, the most potent AI chip from a Chinese business. The sources declined to be named because of the sensitive nature of the matter.

Nvidia was fighting hard for market share it cannot afford to lose, but analysts said the outlook is increasingly bleak.
China is expected to hold more than 30% of the global AI market by 2035, according to a report by the Chinese market research firm CCID Consulting.
According to Hebe Chen, an IG market analyst, “Nvidia is walking a fine line and working on a balancing act between maintaining the Chinese market and navigating U.S. tensions.” “Nvidia is definitely preparing for the worst in the long term.”

Senior executives from Nvidia said during the company’s first-quarter earnings call on Wednesday that the sanctions have “substantially” reduced the company’s operations in China.
“Our data center revenue in China is down significantly from the level prior to the imposition of the new export control restrictions in October,” stated Colette Kress, CFO. “We expect the market in China to remain very competitive going forward.”

The H20’s performance in China will be crucial to its business, according to analysts, and its long-term prospects will be determined by how it performs in comparison to Huawei, the country’s dominant tech company.
The Guangdong-based manufacturer, Huawei, only started to take on Nvidia last year. According to the sources, it will significantly increase the shipments of its Ascend 910B chip this year, which beats the H20 in some important parameters.
Huawei did not immediately respond to a request for comment.

Reuters’s checks on available government procurement data, which is not exhaustive and may not reflect the full extent of market demand, show that over a dozen buyers expressed interest in purchasing Huawei’s 910B during the same period, while just five state or state-affiliated buyers expressed interest in purchasing H20 chips.

Squeezing the margins

Nvidia’s H800 and A800 are banned in China due to US sanctions aimed at limiting China’s ability to become a technological powerhouse. Its other advanced product lines, such as H100 and B100, have also been prohibited.
Another big impediment to the development of Nvidia’s H20 chip in China has been Beijing’s instruction for enterprises to purchase Chinese processors, though two of the three individuals said such orders have decreased in recent months.
According to the sources, the H20 became widely available in China last month, with deliveries to clients arriving in just over a month.

Some of China’s internet behemoths have already placed orders, with Alibaba ordering over 30,000 H20 chips, according to two sources. Alibaba did not immediately reply to a request for comment.
According to sources, server distributors in China are selling the H20 for roughly 100,000 yuan per card and the eight-card server for between 1.1 million and 1.3 million yuan per server.
By comparison, wholesalers sell the Huawei 910B for more than 120,000 yuan per card, while the equivalent eight-card server starts at 1.3-1.5 million yuan per server. According to the sources, prices for both the H20 and Huawei’s 910B can vary based on order volume.

According to Dylan Patel, founder of research firm SemiAnalysis, about a million H20 chips will be transported to China in the second half of 2024, forcing Nvidia to compete on pricing with Huawei.
“The H20 cost more to manufacture than an H100 due to its higher memory capacity,” Patel said, adding that it is being marketed for half the price of the H100, alluding to the powerful Nvidia processor prohibited from export to China in 2022.

X should bring back stars, not hide ‘likes’.

Image Credits: TechCrunch

Elon Musk’s social media platform X is preparing to make “likes” private, a move that may make it harder for users to distinguish between content they have bookmarked and content they have favorited. Company employees have posted that the purpose of hiding likes is to protect people’s reputations and encourage engagement by letting them favorite content they find “edgy.”

It’s unclear if this is the ideal way to address the issues X is attempting to resolve, including giving its system more signal so it can more accurately tailor its material to your interests.

Given that X, the corporation that was formerly known as Twitter, already offered a private option to save posts on the platform—bookmarks—the adjustment seems a little pointless. Although X’s bookmarks are designed to save topics or threads you might wish to read later, they also functioned as a more discreet option to “like.”

Users will be able to view who liked their posts and the total number of likes for all of their answers and posts, which further adds to the confusion. Put otherwise, a private “like” is only semi-secret because the poster is aware of it and could potentially reveal someone’s likes if they so choose. Given that it’s not a fully private system, people might still be reluctant to “like” postings that contain explicit content or take extreme political stances, for example, if X is attempting to encourage “edgy” engagement.

Instead, people might keep saving those favorite posts they don’t want to take the chance of exposing using X’s bookmarks or even third-party link-saving software.

Employees of X have posted that users would no longer be able to explore someone’s likes through a tab on their profile or see the likes connected to other people’s postings. This takes away a helpful function for discovery but may also help stop others from spying.

For example, if you’re new to X, you might browse the likes of people you follow to find others worth following. Alternatively, you might use someone’s likes to get a sense of the kind of content they typically enjoy when deciding whether or not to follow them.

The true issue with likes is that their introduction changed the purpose of the bookmarking function. The feature was more of a “favorite” than a show of support before it was rebranded—as was popular at the time—from a star to a heart icon. It was theoretically possible for users to favorite anything, as doing so did not imply that they genuinely liked or agreed with the content.

Instead, it might have been something they were just recording, like a politician’s remarks you strongly disagreed with but wanted to keep in mind, a post that needed more investigation, a collection of posts you were gathering to eventually compile in Moments (RIP), the most disturbing or absurd posts made by a billionaire, and more. You have plausible deniability since no one could legitimately claim that you were “liking” the content because you weren’t clicking the heart icon.

Users were furious when Twitter changed from stars to hearts. They realized that hearts meant something completely different, and that changed their behaviour on the social network.

The Favourite feature, on the other hand, could mean a variety of things, such as a “thank you, a handshake, a tip of the hat, or even a Robert De Niro stare down,” according to TechCrunch at the time. TechCrunch also predicted then that switching from stars to hearts would not fix Twitter’s larger problems with growing user numbers and engagement, and for the most part it didn’t. After nearly constant growth for several quarters, the company had to find a way out.

In response to the criticism over the change, Twitter later introduced Bookmarks to restore the ability to privately save posts, including ones you didn’t necessarily agree with and ones you meant to refer back to.

Now that X is once more rearranging the functionality surrounding the “like,” a lot of people are expressing their displeasure. Many alternatives to this proposed change are being discussed on X, such as making private likes an option rather than a default and allowing anonymous “likes” via long-pressing the heart icon. Others cautioned that since artists used legions of bots to promote their material and help them make money, privatizing likes could lead to manipulation.

Additionally, there is a different approach, which former Twitter CEO Jack Dorsey hinted at. Even while we disagree with a lot of what Dorsey says these days—that Nostr is the social media of the future, for example, or that Bluesky is a platform for censorship—he makes sense when it comes to the likes vs. stars argument.

In a post on X, Dorsey wrote: “‘like’/❤️ was once a ⭐️. We ought never to have strayed from that.”

More than 700 people have liked his post, and numerous comments have echoed his thoughts.

X doesn’t need to hide likes if its goal is to add additional signals for its algorithm rather than more privacy surrounding user engagement features. To achieve the same result, a much less drastic alteration would be to simply replace the heart icon with a star.