Photo credit: www.darkreading.com
A newly identified ransomware strain, known as “Helldown,” has added a Linux variant specifically targeting organizations that run VMware ESXi servers. The group's emergence has raised concerns among cybersecurity experts: since its detection in August it has already claimed 31 victim organizations, a significant number of them based in the United States.
Undocumented Zyxel Vulnerabilities?
Recent analysis indicates that the Helldown attackers may be exploiting previously undocumented vulnerabilities in Zyxel firewalls, which the breached organizations used as IPSec VPN gateways. Security firm Sekoia reported that, following the attacks, Zyxel patched several flaws in its firewall products. In one of these incidents, around 250GB of sensitive data was exfiltrated and leaked.
Sekoia’s Jeremy Scion noted, “Helldown has quickly established itself as a significant threat, primarily targeting vulnerable Zyxel firewalls.” The report highlighted that, while the ransomware itself has no unique characteristics, the group’s ability to use undocumented exploits gives it a distinct advantage.
Zyxel’s network devices have previously been a focal point for cybercriminals, with past attacks exploiting known vulnerabilities. Various campaigns have targeted its products, including IoT botnet campaigns and attacks on critical infrastructure in Denmark, showing a continuous trend of exploitation.
A Troubling Shift
Patrick Tiquet, the vice president of security and architecture at Keeper Security, expressed concern regarding Helldown’s evolving tactics. He emphasized that while targeting Linux systems is not new, the focus on VMware infrastructure suggests an adaptive approach by the gang. “The implication for security teams is to remain vigilant and ensure that both virtual and traditional systems are securely monitored and patched,” he affirmed.
Since its initial appearance, Helldown has been linked to attacks on small and medium-sized enterprises across sectors such as transportation, healthcare, and telecommunications. Halcyon, a cybersecurity analysis firm, categorized Helldown as “highly aggressive,” highlighting its pattern of data theft paired with threats of exposure unless a ransom is paid.
In a recent report, Truesec suggested that Helldown's attack methodology is more sophisticated than that of other established ransomware groups. The group is known for using legitimate software tools to carry out its intrusions, a tactic that complicates detection and response because the activity blends in with normal administration.
Dangerous Adversary
Truesec’s analysis revealed that Helldown operators are meticulous in erasing traces of their intrusion, making recovery and forensic reconstruction more challenging for affected organizations. They primarily use compromised Zyxel firewalls for initial access and then employ tools such as TeamViewer for lateral movement within victim networks.
Reports indicate that the attacks have primarily targeted Zyxel firewalls running firmware version 5.38, onto which the attackers uploaded files that gave them further access into the network.
Additional tactics employed by Helldown include attempts to disable security tooling and the use of remote access tools for deeper infiltration. Notably, the size and nature of the files stolen by Helldown are atypical for ransomware attacks, often involving large datasets and a wide range of sensitive information.
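The three observations above (an exposed firewall firmware version, a legitimate remote-access tool used for lateral movement and security tooling being disabled, and unusually large outbound data volumes) each map to a simple check a defender can run over their own inventory and telemetry. The following is an added example written for this page, not code from Dark Reading, Sekoia, Truesec or Zyxel. The inventory entries, log lines and flow records are constructed sample data; the key=value log format, the approved-host list, the tampering command patterns and the 50 GB threshold are assumptions, and the firmware cut-off is only the version the article names, so the output is a triage list rather than a statement of which builds are fixed.

```python
"""Hypothetical triage checks for the Helldown tradecraft described above.

Added example, not code from the article or any vendor. All hosts, paths,
versions and log lines are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed asset inventory. "5.38" is the firmware version the article
# names as targeted; the other versions and hosts are assumed.
FIREWALL_INVENTORY = [
    {"host": "fw-hq-01", "vendor": "Zyxel", "firmware": "5.38", "role": "ipsec-vpn"},
    {"host": "fw-branch-02", "vendor": "Zyxel", "firmware": "5.39", "role": "ipsec-vpn"},
    {"host": "fw-lab-03", "vendor": "Zyxel", "firmware": "5.37", "role": "ipsec-vpn"},
    {"host": "fw-dc-04", "vendor": "OtherVendor", "firmware": "7.2.8", "role": "ipsec-vpn"},
]

# Constructed endpoint telemetry in an assumed key=value format (quoted values
# may contain spaces). "sc stop WinDefend" is a generic example of security
# tooling being disabled, not a command attributed to Helldown.
PROCESS_LOG = r"""
2024-11-10T02:14:05Z host=srv-file01 user=svc_backup event=process_start image="C:\Users\Public\TeamViewer.exe" parent=cmd.exe
2024-11-10T02:15:40Z host=ws-hr-12 user=jsmith event=process_start image="C:\Program Files\TeamViewer\TeamViewer.exe" parent=explorer.exe
2024-11-10T02:16:02Z host=srv-file01 user=svc_backup event=process_start image="C:\Windows\System32\sc.exe" cmdline="sc stop WinDefend" parent=cmd.exe
2024-11-10T02:20:11Z host=srv-file01 user=svc_backup event=process_start image="C:\Windows\System32\notepad.exe" parent=explorer.exe
"""

# Constructed firewall flow records; bytes_out is per record.
FLOW_LOG = """
2024-11-11T01:00:00Z src=10.0.5.20 dst=203.0.113.7 proto=tcp dport=443 bytes_out=90000000000
2024-11-11T01:30:00Z src=10.0.5.20 dst=203.0.113.7 proto=tcp dport=443 bytes_out=120000000000
2024-11-11T09:00:00Z src=10.0.7.31 dst=198.51.100.9 proto=tcp dport=443 bytes_out=350000000
"""

# Assumed policy: hosts where an interactive TeamViewer session is expected.
APPROVED_TEAMVIEWER_HOSTS = {"ws-hr-12"}

# Generic patterns for disabling security tooling (assumed, not campaign-specific).
TAMPER_PATTERNS = ("sc stop windefend", "set-mppreference -disablerealtimemonitoring")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_version(text):
    """'5.38' -> (5, 38) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def exposed_firewalls(inventory, vendor="Zyxel", max_affected="5.38"):
    """Return hosts of the given vendor running firmware at or below the cut-off."""
    ceiling = parse_version(max_affected)
    return [a["host"] for a in inventory
            if a["vendor"] == vendor and parse_version(a["firmware"]) <= ceiling]


def parse_kv_line(line):
    """Parse 'k=v k="v with spaces"' records into a dict; other tokens are ignored."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def process_alerts(log_text, approved_hosts=APPROVED_TEAMVIEWER_HOSTS):
    """Flag remote-access tooling on unapproved hosts and tampering commands."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_kv_line(line)
        if rec.get("event") != "process_start":
            continue
        # Windows path: take the basename after the last backslash.
        image = rec.get("image", "").rsplit("\\", 1)[-1].lower()
        cmdline = rec.get("cmdline", "").lower()
        if image == "teamviewer.exe" and rec.get("host") not in approved_hosts:
            alerts.append({"rule": "unapproved_remote_access_tool",
                           "host": rec["host"], "detail": rec["image"]})
        elif any(p in cmdline for p in TAMPER_PATTERNS):
            alerts.append({"rule": "security_tooling_tamper",
                           "host": rec["host"], "detail": rec["cmdline"]})
    return alerts


def bulk_exfil_sources(flow_text, threshold_bytes=50 * 10**9):
    """Sum outbound bytes per internal source; return those at or over threshold."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        if line.strip():
            rec = parse_kv_line(line)
            totals[rec["src"]] += int(rec["bytes_out"])
    return {src: total for src, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    print("exposed firewalls:", exposed_firewalls(FIREWALL_INVENTORY))
    for alert in process_alerts(PROCESS_LOG):
        print("alert:", alert)
    print("bulk outbound transfers:", bulk_exfil_sources(FLOW_LOG))
```

The firmware check compares version tuples rather than strings, so a hypothetical "5.40" would not sort below "5.38" the way a lexical comparison might order it. The remote-access rule keys on the tool rather than on the install path, because a legitimately signed TeamViewer binary dropped into a user-writable directory is exactly the "legitimate tool" case the report describes; the per-host allow list is what turns a noisy process event into an alert.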
Interestingly, Helldown shares behavioral traits with the earlier Darkrace ransomware. While no definitive link between the two groups has been established, there is speculation that Helldown may be a rebranding of Darkrace or share a common lineage.
Source
www.darkreading.com