The Censys research team has been tracking some of this year’s most significant vulnerabilities, and making headlines with their work in the process. Read more about three of the vulnerabilities the team has tracked using our internet intelligence data and find the latest on where things stand with each vulnerability’s risk remediation.
ESXiArgs ransomware hits 3500+ VMWare servers
More than 3,500 VMWare ESXi servers worldwide have been targeted by a ransomware campaign that began in early February. Last week, CISA released a recovery tool for victims affected by the ESXiArgs ransomware. The ransomware exploits an unpatched vulnerability in VMWare servers and allows a threat actor to trigger a heap overflow in the OpenSLP service, which can result in remote code execution. This ransomware is unusual in that it presents ransom notes to the internet, making the ransomware activity more visible to scanners like ours. The VMWare vulnerability was first detected using Censys’ internet scanning, which observed 3,551 infected hosts.
Censys Senior Security Researchers Emily Austin and Marc Light break down the ransomware attack and discuss the significance of what Censys was able to observe in their blog post: ESXWhy: A Look at ESXiArgs Ransomware.
In the News
Censys’ ransomware discovery was covered in a number of publications, including:
TechRepublic: Massive ransomware operation targets VMware ESXi: How to protect from this security threat
TechRepublic notes that Censys found that more than 1000 servers have been successfully hit by the ESXiArgs ransomware, the majority of which are in France, followed by the U.S. and Germany. TechRepublic also provides detail around how the ransomware operates, including its request for bitcoin payment within three days, and provides guidance for how affected parties can prevent and recover from the ransomware.
Cyberscoop: Global ransomware spree infects unpatched VMWare servers. CISA has a (possible) fix.
Cyberscoop reports that despite CISA’s fix, hackers have “updated the malware to encrypt additional files” and states that the impact of this ransomware campaign is still being assessed. They note that Censys has identified at least 3,800 compromised hosts with 900 servers that have the latest version of malware.
The Censys team will continue monitoring this campaign for signs of more activity, and you can too, using this Censys search query.
CISA orders federal civilian agencies to patch SugarCRM bug
Just before the start of the new year, an exploit was posted on the Full-Disclosure mailing list for a web-based content management system called SugarCRM. The exploit is used to compromise hosts in the wild and install a php-based webshell. Shortly after the exploit was posted, Censys observed 3,059 instances of SugarCRM on the internet and 354 unique IP addresses containing the exploit’s installed webshell. Censys researchers also tracked the top ten infected host countries (#1 -United States), along with the top most affected autonomous systems (#1 – Amazon-02).
CISA has since added the exploit to their Known Exploited Vulnerabilities Catalog and has ordered civilian agencies to patch the SugarCRM bug by February 23.
Read more about how Censys tracked the SugarCRM bug and the common indicators of compromise it identified: Tracking a SugarCRM Zero-Day
In the News
The Record: CISA adds Oracle, SugarCRM bugs to exploited vulnerabilities list
The Record reports that CISA has added the SugarCRM bug to its list of exploited vulnerabilities, stating that the vulnerability is being actively exploited and “poses significant risks to the federal enterprise.” The article cites Censys’ observation of 3,000+ instances of SugarCRM on the internet in January and 350+ unique IP addresses contained the exploit’s installed webshell. The Record also notes that the SugarCRM bug targets the small business market segment, whereas the Oracle bug — which CISA has also ordered to be patched by February 23, 2023 — targets enterprise businesses, and in turn highlighting how all market segments can attract advanced persistent threats.
End-of-Life Cisco routers are exposed to RCE attacks
The Censys team has been tracking a vulnerability in Cisco’s small business routers that emerged in January. One week after the exposure hit, Censys found approximately 19,500 Cisco routers that were unpatched and exposed to the RCE attacks. This vulnerability makes it possible for unauthenticated clients to bypass authentication and obtain administrative privileges that can execute arbitrary commands. Importantly, because Cisco no longer supports these end-of-life servers, the company announced that software updates would not be released to address the vulnerability.
By running a query on Censys Search, the Censys research team was able to break down which end-of-life routers models were most impacted, as well as identify where affected models were hosted around the world. You can find more information about how we tracked this exposure in our team’s Rapid Response blog: CVE-2023-20025: RCE in End-of-Life Cisco Routers
In the News
Bleeping Computer: Over 19,000 end-of-life Cisco routers exposed to RCE attacks
Bleeping Computer quotes Censys researchers in its reporting of the recent Cisco router exposure, highlighting that the Censys team found nearly 20,000 hosts that are potentially vulnerable to the attack, and identified four Cisco router models that were impacted. Bleeping Computer also shares Cisco’s directives for how users can still secure their devices, despite the fact that no official security update will be released.
Interested in learning more about how security teams can leverage Censys internet intelligence data to understand and remediate vulnerabilities? Explore Censys Search or reach out to one of our team members.
