Saturday, December 7, 2024
HomeCVE/vulnerabilityHelldown Ransomware Attacking VMware ESXi And Linux Servers

Helldown Ransomware Attacking VMware ESXi And Linux Servers

Published on

SIEM as a Service

Helldown, a new ransomware group, actively exploits vulnerabilities to breach networks, as since August 2024, they have compromised 28 victims, leaking their data on a dedicated website. 

The ransomware group IS has updated its data leak site, removing three victims, possibly indicating successful ransom payments by continuing its double extortion tactic, stealing and threatening to leak data if ransom demands are not met.

It was active primarily in August and October and has compromised over 30 victims, including small and medium-sized businesses and larger organizations like Zyxel Europe, as their focus seems to have shifted between active attacks and tool development.

- Advertisement - SIEM as a Service
Helldown ransom note from xml configuration

An analysis revealed that at least eight victims, including one compromised in early August, utilized Zyxel firewalls for IPSec VPN access during their breach, where two victims subsequently replaced their Zyxel firewalls post-compromise, as indicated by Censys historical data. 

Zyxel firewalls with v5.38 firmware have been compromised, potentially exploiting the critical CVE-2024-42057 vulnerability.

An attacker uploaded a potentially malicious ELF binary, possibly linked to the recent breaches, but the payload is incomplete.

Threat actors are exploiting vulnerabilities in Zyxel firewalls to create unauthorized accounts, such as “SUPPOR87” and “VPN,” via SSL VPN, potentially granting them unauthorized access to victim systems.

The Helldown group exploited a Zyxel vulnerability to compromise firewalls, using the OKSDW82A account to access the network via SSL VPN, where post-compromise activities included lateral movement, privilege escalation, and the deployment of tools like Advanced Port Scanner and HRSword, indicating potential ransomware intentions.

Helldown ransomware Icon for encrypted file

It exfiltrates large volumes of data, including sensitive documents, directly from network file shares while being less targeted, intensifying pressure on victims by exposing a wide range of confidential information.

The Windows executable payload is a ransomware variant that encrypts files, generates a ransom note, and persists on the infected system using Windows APIs.

The ransomware deletes system shadow copies, drops and executes a script to terminate critical processes, encrypts files, modifies filenames and icons, generates a ransom note, removes its traces, and shuts down the system.

According to Sekoia, it loads its configuration from an XOR-encrypted XML file, checks for administrator privileges, disables 64-bit redirection, and then encrypts specified files while deleting shadow copies and replacing file icons with a ransom note.

By executing commands, it deletes shadow copies, drops an icon, modifies the registry, and then terminates specified processes, creates a ransom note, and finally shuts down the system. 

Helldown, a new threat actor, exploits undocumented Zyxel firewall vulnerabilities to gain network access and deploy basic ransomware. Their success lies in their ability to exploit these vulnerabilities rather than the sophistication of their malware.

The group exploited a Zyxel vulnerability to deploy LockBit 3 ransomware, likely targeting virtualized VMware infrastructures, while this vulnerability, not yet assigned a CVE, has been addressed by Zyxel in a recent firmware update.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...