Alert essentials:

Researchers have uncovered a ransomware variant that shuts down VMware processes to allow encryption of Linux operating systems. The Helldown ransomware group uses a Zyxel firewall vulnerability as a network entrance vector.

Upgrade vulnerable firmware versions immediately to mitigate risks.

 

Email Team

 

 

Detailed threat description:

One of the new threat groups for 2024 has tooled its ransomware to exploit VMware ESX servers on Linux operating systems. Helldown emerged as a new player in the ransomware space in mid-2024. The group primarily exploits vulnerabilities in network devices to steal data and encrypt Windows and Linux networks.

Helldown ransomware exfiltrates substantial data volumes, averaging 70GB per attack with data sizes ranging from 22GB to 431GB. Unlike many threat operators who prefer selective data theft, Helldown indiscriminately targets data repositories, such as network shares and NAS systems. Their Windows ransomware variant uses a less sophisticated LockBit3.0 code.

LockBit was the most deployed ransomware in 2022, and many variants spawned from the LockBit3.0 codebase leak.

However, the Linux version focuses on killing VMware ESX servers. Attacking and shutting down virtual systems allows them to be encrypted. Otherwise, VMware processes cannot be acted on outside of manufacturer operations. Yet analysis reveals the code for stopping virtual machines may not always be invoked, indicating the menace is likely still under development. Be that as it may, researchers have linked numerous Helldown attacks to vulnerabilities in Zyxel firewalls.

CVE-2024-42057 is a command injection vulnerability in the IPSec VPN feature of some firewall versions that allows unauthenticated attackers to execute arbitrary commands by sending a crafted username to the target device. It has been utilized for initial network access and added to CISA’s Known Exploited Vulnerabilities list.

While the threat group is not as technically advanced as major ransomware players, its ability to exploit unpatched vulnerabilities and use accessible malware components makes it a significant threat. Employing double extortion tactics, Helldown has quickly gained notoriety, claiming 33 victims within its first three months on its Data Leak Site (DLS).

Stolen data can range from administrative documents to sensitive personal information, with leaks averaging 70GB per victim. Continued vigilance and prompt updates to vulnerable systems are crucial in mitigating possible attacks.

Impacts on healthcare organizations:

While their attacks span various industries, healthcare facilities are particularly vulnerable to Helldown due to the sensitive nature of medical data.

The group focuses on critical systems, such as virtualized infrastructures, using VMware and Linux to maximize disruption.

Given Helldown’s recent activity and evolving capabilities, healthcare providers should prioritize strengthening their cybersecurity measures to prevent and mitigate potential attacks.

Affected Products / Versions:

Zyxel Firewalls

  • Zyxel ATP series firmware versions from V4.32 through V5.38
  • USG FLEX series firmware versions from V4.50 through V5.38
  • USG FLEX 50(W) series firmware versions from V4.16 through V5.38
  • USG20(W)-VPN series firmware versions from V4.16 through V5.38

*The device must be configured in User-Based-PSK authentication mode and employ a valid username exceeding 28 characters before the attack is successful.

Indicators of Compromise (IoCs)

  • Helldown Linux payload – sha256
    6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd
  • Helldown Linux – ransom note – sha256
    9ab19741ac36e198fb2fd912620bf320aa7fdeeeb8d4a9e956f3eb3d2092c92c
  • Zyxel compromission artefact (zzz1.conf) – sha256
    ccd78d3eba6c53959835c6407d81262d3094e8d06bf2712fefa4b04baadd4bfe

Tactics, Techniques, and Procedures (TTPs)

Tactics: Techniques

  • Resource Development: T1650 – Acquire Access
  • Resource Development: T1588.005 – Exploits
  • Initial Access: T0819 – Exploit Public-Facing Application
  • Discovery: T1087.001 – Local Account
  • Impact: T1471 – Data Encrypted for Impact
  • Initial Access: T0866 – Exploitation of Remote Services

CVE
CVE-2024-42057

 

Recommendations

Engineering recommendations:

  • Users are advised to update ALL administrators, and ALL User accounts for optimal protection
  • Review logs for TTPs and IoCs
  • Regularly update software and systems to address vulnerabilities, especially in network-facing appliances
  • Maintain secure, offline backups of critical data to recover quickly in case of an attack


Leadership/ Program recommendations:

  • Network segmentation, strong access controls, regular data backups, and robust cybersecurity training can mitigate the risk of such attacks
  • Implement comprehensive detection and response measures, focusing on suspicious activity in critical systems like VMware processes
  • Train staff on cybersecurity best practices to reduce risks from phishing or other social engineering tactics

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

 

References: