Hi all! By tradition, we go over the hottest news of the past month. February brought a wave of attacks on ESXi servers, the Reddit and Activision breaches, the arrest of a well-known Finnish cybercriminal, and a rather original gift from Twitter to its users. Read about these and other high-profile infosec events of February 2023 under the cut!
Wave of attacks on ESXi servers
In early February, ESXi servers were hit by a massive ransomware campaign. The attackers exploited the RCE heap-overflow vulnerability CVE-2021-21972, which had been patched two years earlier. Versions up to 7.0 U3i turned out to be vulnerable. To block attacks on unpatched servers, the initial advice was to disable the Service Location Protocol, but reports soon followed that this does not help everyone.
At least 3,200 servers worldwide were compromised in the first attack. The ransomware encrypted .vmxf, .vmx, .vmdk, .vmsd and .nvram files and allegedly exfiltrated the encrypted data. The malware used in the attacks, dubbed ESXiArgs, was based on the Babuk source code leaked in 2021.
Then a serious flaw was discovered in the encryption: the malware skipped huge chunks of large files in proportion to their size, including .flat files. For example, on a 450 GB file the ransomware alternated between encrypting 1 MB and skipping 4.49 GB of data. Because of this, virtual machines could be rebuilt from the unencrypted files, and the method proposed by researchers was quickly automated. The US agency CISA released a script for restoring virtual machines, and it seemed that the owners of the affected machines were getting a rare chance to exhale and skip the dancing with a tambourine. However, the attackers did not stop at the first failure.
A couple of days later, ESXiArgs entered a second wave of attacks, and in it the developers changed the encryption layout. Where the previous version skipped most of a large file, the new one used a step of just one megabyte, eventually encrypting half of the file regardless of its size. With that, the previously proposed recovery method lost its effectiveness, and the administrators of the affected servers had to pick the tambourine back up with a sigh.
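To make the difference between the two waves concrete, here is an added Python model of the two chunk layouts described above (illustration written for this digest, not the malware's code and not from the original post). The first-wave gap formula is an assumption calibrated from the 450 GB / 4.49 GB figures (a gap of roughly 1% of the file size); the second wave uses a fixed 1 MB gap.

```python
"""Model of the two ESXiArgs partial-encryption layouts described above.

Added illustration, not the malware's code. Assumptions: 1 MB is encrypted per
step in both waves; in the first wave the skipped gap grows linearly with file
size and is calibrated from the page's example (450 GB file -> ~4.49 GB gap,
i.e. about 1% of the file, rounded down to whole megabytes); the second wave
uses a fixed 1 MB gap.
"""
MB = 1024 ** 2
GB = 1024 ** 3
ENCRYPT_LEN = 1 * MB


def first_wave_gap(size_bytes):
    """Skip length for the first wave: ~1% of the file (assumption), in whole MB."""
    return (size_bytes // 100 // MB) * MB


def encrypted_ranges(size_bytes, gap_len):
    """Yield (start, end) byte ranges that get encrypted; the gaps stay plaintext."""
    offset = 0
    while offset < size_bytes:
        yield offset, min(offset + ENCRYPT_LEN, size_bytes)
        offset += ENCRYPT_LEN + gap_len


def encrypted_fraction(size_bytes, gap_len):
    """Share of the file that ends up encrypted under a given gap length."""
    encrypted = sum(end - start for start, end in encrypted_ranges(size_bytes, gap_len))
    return encrypted / size_bytes


def plaintext_fraction(size_bytes, gap_len):
    """Share of the file left untouched, i.e. what a recovery tool can carve out."""
    return 1.0 - encrypted_fraction(size_bytes, gap_len)


if __name__ == "__main__":
    flat_size = 450 * GB  # the -flat.vmdk extent size from the page's example
    gap1 = first_wave_gap(flat_size)
    print(f"first wave : gap {gap1 / GB:.2f} GB, "
          f"{encrypted_fraction(flat_size, gap1):.4%} encrypted, "
          f"{plaintext_fraction(flat_size, gap1):.2%} recoverable")
    print(f"second wave: gap 1 MB, "
          f"{encrypted_fraction(flat_size, MB):.2%} encrypted")
```

Under the first layout only about 100 MB of a 450 GB extent is touched, which is why carving the disk back together from plaintext regions worked; under the second layout every other megabyte is gone, so there is nothing contiguous left to carve.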
If you want to be a Twitter user, pay
In February, we saw an interesting move from Twitter: two-factor authentication via SMS will now be available only to users with a paid subscription. For everyone else it will simply be switched off on March 20. The justification is that the company loses 60 million dollars a year on fake 2FA text messages. Users without a subscription will have to switch to either third-party authenticator apps or hardware keys.
Meanwhile, Comrade Musk, commenting on the change, claims that SMS two-factor is not very secure anyway because of the threat of SIM swapping, so authenticator apps are the safer choice regardless. Some infosec optimists suggest that users will now have no choice but to switch to stronger 2FA methods, which will only push them to take better care of their accounts. In reality, the few who have two-factor enabled at all (only 2.6% of the Twitter user base) will most likely simply be left without it and won't notice the loss.
Putting not only the coveted blue check but also basic security measures behind a subscription is, of course, an amusing maneuver. "If you want infosec, pay." Yours always, Elon Musk.
A sea of spam in Microsoft Outlook boxes
In the second half of February, Microsoft Outlook mailboxes were flooded with spam, apparently because the filters fell over. And they broke to such an extent that even the manual safe-senders list stopped working: mail that users had previously marked as spam landed in their inboxes too.
Frustrated users wrote that they received hundreds of emails within a couple of hours. Some lucky ones got literally thousands of spam messages. Finding more than 6,000 junk emails in the morning and receiving another 600 while cleaning out the spam stables is quite the pleasure.
Meanwhile, Microsoft was in no hurry to comment on the situation and apparently preferred to quietly let the whole thing slide. Only the service status page mentioned a couple of general words about a problem affecting some users, and soon it confidently reported that everything was working and the issue had been resolved. It seems the recent mass layoffs of 10,000 people also included those working on the spam filters, and during an attempted update someone clicked something and it all fell apart.
Reddit hacked after phishing attack
In early February, Reddit reported that it had been seriously breached. It was the result of a phishing attack: an employee's credentials and two-factor authentication tokens were stolen through a fake site posing as one of Reddit's corporate portals.
The attackers gained access to corporate systems and exfiltrated internal documents and source code. The company says that the main production environment, which turns the gears of the infernal Reddit machine, was not affected. So those who like to rake in fat upvotes for their witty comments can exhale.
Reddit gives no details of the phishing attack but points to the recent similar breach of Riot Games. In that attack, the attackers broke into the company and stole the source code of League of Legends, Teamfight Tactics and a retired anti-cheat platform. One way or another, in the Reddit case the weak link was, as usual, a single person on the team.
Activision hack and the leak that never happened
At the end of February, news surfaced about a breach of the gaming company Activision. As it turned out, last December attackers gained access to a Slack account and stole employee data: full names, email addresses, phone numbers, salaries, work locations and so on. On top of that, content release plans for almost the entire year of Call of Duty and a new project code-named "Jupiter" leaked online.
Activision did not disclose the breach and only acknowledged it after researchers publicly picked the leak apart. Moreover, the company denied that employee data had leaked, although meticulous journalists had already confirmed it. The breach followed a phishing attack, and the weak link, as they say, was HR, which explains the contents of the leak.
And a week later, the stolen employee data quite predictably surfaced on a well-known forum. The database holds 19,444 entries, including full names, phone numbers, email addresses, positions and work locations.
That is plenty of raw material for phishing and social engineering. Meanwhile, Activision has given a textbook example of how not to respond to a cybersecurity incident: the company admitted the breach only after journalists turned their attention to it, and denied the data leak despite the researchers' analysis of the dump. And now the employee database that never leaked sits in the public domain with the caption "Great for phishing!" Awkward.
The Finnish Boy Who Cried "I'm the Invincible Hacker God"
And finally, to the high-profile arrest of the past month. In early February, news came from France of the detention of the notorious Finnish comrade Julius Kivimäki. He had been in hiding since October 2022, after being put on the wanted list in connection with the hack of the online psychotherapy service Vastaamo, which caused quite a stir in Finland.
Let me remind you that Julius, aka zeekill, distinguished himself in 2015 by being convicted of more than 50 thousand cybercrimes as part of the Lizard Squad, but got off with two years of probation because he was a minor. Swatting, fake bomb threats, hacks, extortion: since then, Kivimäki's track record has only grown. The light punishment the novice cybercriminal got away with back then only spurred on his further illegal activity.
The way he was finally arrested in France is quite telling too: police arrived on a domestic violence call after our anti-hero met a woman at a club. The Finnish police announced their intention to extradite Kivimäki, and on February 24 he was already sent back to Finland.
In 2015, our anti-hero boastfully dubbed himself "the hacker god who can't be jailed." Well, a rather harsh return to reality now awaits the naive Finnish boy.