All posts by Keumars Afifi-Sabet

Ransomware operators are exploiting VMware ESXi flaws

Keumars Afifi-Sabet

1 Mar, 2021

Two ransomware strains have retooled to exploit vulnerabilities in the VMware ESXi hypervisor system publicised last week and encrypt virtual machines (VMs).

The company patched three critical flaws across its virtualisation products last week. These included a heap buffer overflow bug in the ESXi bare-metal hypervisor, as well as a flaw that could have allowed hackers to execute commands on the underlying operating system that hosts the vCenter Server.

Researchers with CrowdStrike have since learned that two groups, known as ‘Carbon Spider’ and ‘Sprite Spider’, have updated their weapons to target the ESXi hypervisor specifically in the wake of these revelations. These groups have historically targeted Windows systems, as opposed to Linux installations, in large-scale ransomware campaigns also known as big game hunting (BGH).

The attacks have been successful, with affected victims including organisations that have used virtualisation to host many of their corporate systems on just a few ESXi servers. The nature of ESXi means these served as a “virtual jackpot” for hackers, as they were able to compromise a wide variety of enterprise systems with relatively little effort.

This follows news that cyber criminals last week were actively scanning for vulnerable businesses with unpatched VMware vCenter servers, only days after VMware issued fixes for the three flaws.

“By deploying ransomware on ESXi, Sprite Spider and Carbon Spider likely intend to impose greater harm on victims than could be achieved by their respective Windows ransomware families alone,” said CrowdStrike researchers Eric Loui and Sergei Frankoff. 

“Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations.

“If these ransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to target virtualization infrastructure in the medium term.”

Sprite Spider has conventionally launched low-volume BGH campaigns using the Defray777 strain, first attempting to compromise domain controllers before exfiltrating victim data and encrypting files. 

Carbon Spider, meanwhile, has traditionally targeted companies operating point-of-sale (POS) devices, with initial access granted through phishing campaigns. The group abruptly shifted its operational model in April last year, however, to instead undertake broad and opportunistic attacks against large numbers of victims. It launched its own strain, dubbed Darkside, in August 2020.

Both groups have compromised ESXi systems by harvesting credentials that can be used to authenticate to the vCenter web interface, a centralised administration tool that can control multiple ESXi hosts.

After connecting to vCenter, Sprite Spider enables SSH to allow persistent access to ESXi hosts, and in some cases changes the root password or the host’s SSH keys. Carbon Spider, meanwhile, accesses vCenter using legitimate credentials but has also logged in over SSH using the Plink tool to drop its Darkside ransomware.
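The changes described above (SSH turned on, root password replaced, SSH keys swapped) are configuration drift that a defender can detect by comparing a known-good host inventory against the current one. The following is an added example, not code from CrowdStrike, VMware or the article: it assumes a simplified, constructed snapshot layout (the fields an inventory job would export per host) and reports the deviations that match the behaviour the article attributes to these groups.

```python
"""Flag ESXi host configuration drift: SSH service enabled, SSH start policy
changed, root password hash changed, authorized_keys altered, host key replaced.
Added example with a constructed snapshot schema (an assumption, not VMware's API)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class HostSnapshot:
    """Constructed view of the parts of an ESXi host an auditor would export."""
    name: str
    ssh_enabled: bool                  # is the SSH (TSM-SSH) service running now
    ssh_policy: str                    # start policy: "off", "on" or "automatic"
    root_hash: str                     # hash field of root's /etc/shadow entry
    authorized_keys: FrozenSet[str]    # fingerprints in root's authorized_keys
    host_key_fingerprint: str          # fingerprint of the host's SSH server key


def drift_findings(baseline: HostSnapshot, current: HostSnapshot) -> List[str]:
    """Return human-readable findings for one host; empty list means no drift."""
    findings: List[str] = []
    if current.ssh_enabled and not baseline.ssh_enabled:
        findings.append("SSH service enabled (was disabled in baseline)")
    if current.ssh_policy != baseline.ssh_policy and current.ssh_policy != "off":
        # a non-"off" start policy survives reboots, i.e. persistence rather than a one-off
        findings.append(f"SSH start policy changed to '{current.ssh_policy}' (persists across reboot)")
    if current.root_hash != baseline.root_hash:
        findings.append("root password hash changed")
    added = current.authorized_keys - baseline.authorized_keys
    removed = baseline.authorized_keys - current.authorized_keys
    if added:
        findings.append(f"new authorized_keys entries: {sorted(added)}")
    if removed:
        findings.append(f"authorized_keys entries removed: {sorted(removed)}")
    if current.host_key_fingerprint != baseline.host_key_fingerprint:
        findings.append("SSH host key replaced")
    return findings


def audit(baselines: Dict[str, HostSnapshot],
          currents: Dict[str, HostSnapshot]) -> Dict[str, List[str]]:
    """Compare every current host against its baseline; unknown hosts are reported too."""
    report: Dict[str, List[str]] = {}
    for name, cur in currents.items():
        base = baselines.get(name)
        if base is None:
            report[name] = ["host not in baseline"]
            continue
        found = drift_findings(base, cur)
        if found:
            report[name] = found
    return report


# Constructed sample inventories (not real hosts or hashes).
BASELINE = {
    "esx01": HostSnapshot("esx01", False, "off", "$6$base01", frozenset(), "SHA256:host01"),
    "esx02": HostSnapshot("esx02", False, "off", "$6$base02",
                          frozenset({"SHA256:ops-key"}), "SHA256:host02"),
}
CURRENT = {
    "esx01": HostSnapshot("esx01", False, "off", "$6$base01", frozenset(), "SHA256:host01"),
    # esx02 shows the pattern described in the article: SSH on and persistent,
    # root password replaced, an unknown key added for root.
    "esx02": HostSnapshot("esx02", True, "on", "$6$changed",
                          frozenset({"SHA256:ops-key", "SHA256:unknown-key"}), "SHA256:host02"),
    # esx03 was never baselined, which is itself worth a look.
    "esx03": HostSnapshot("esx03", True, "on", "$6$x", frozenset(), "SHA256:host03"),
}

if __name__ == "__main__":
    for host, issues in audit(BASELINE, CURRENT).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

The snapshot values would in practice be collected by an existing inventory process (PowerCLI, esxcli or the vSphere API); the comparison logic is the same whichever collector fills the fields.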

VMware patches critical ESXi and vSphere Client vulnerabilities

Keumars Afifi-Sabet

24 Feb, 2021

VMware has fixed three critically-rated flaws across its virtualisation products that could be exploited by hackers to conduct remote code execution attacks against enterprise systems.

The firm has issued updates for three flaws present across its VMware ESXi bare-metal hypervisor and vSphere Client virtual infrastructure management platform, including a severe bug rated 9.8 out of ten on the CVSS scale.

This vulnerability, tracked as CVE-2021-21972, is embedded in a vCenter Server plugin in the vSphere Client. Attackers with network access to port 443 may exploit this to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Also patched is CVE-2021-21974, a heap buffer overflow vulnerability in the OpenSLP component of ESXi, rated a severe 8.8. An attacker residing within the same network segment as ESXi, with access to port 427, may trigger the issue in OpenSLP, which could also result in remote code execution. 

Finally, CVE-2021-21973 is a server-side request forgery (SSRF) flaw in vSphere Client which has arisen due to improper validation of URLs in a vCenter Server plugin. This is not as severe as the other two bugs, having only been rated 5.3, but can also be exploited by those with access to port 443 to leak information. 

There are workarounds that users can deploy for both CVE-2021-21972 and CVE-2021-21973 that are detailed here until a fix is deployed by the system administrator. 

Users can patch these flaws, however, by updating the products to the most recent versions. These include 7.0 U1c, 6.7U3I and 6.5 U3n of vCenter Server, 4.2 and of Cloud Foundation, as well as ESXi70U1c-17325551, ESXi670-202102401-SG and ESXi650-202102101-SG of ESXi.

These vulnerabilities were privately brought to the attention of VMware and customers are urged to patch their systems immediately.

Microsoft to launch standalone Office 2021 suite

Keumars Afifi-Sabet

19 Feb, 2021

Microsoft will launch a standalone, offline version of its flagship Office productivity suite for users and businesses unwilling to take out a subscription, more than two years after launching Office 2019.

Dubbed Office 2021, this software suite will launch alongside a long-term servicing channel (LTSC) version developed primarily for enterprises, according to the Verge.

Office LTSC will include new features such as support for dark mode, and accessibility improvements, alongside enhancements to core functionality – although the company has refrained from detailing these feature changes.

The announcement follows the company’s hints last year that it would release a ‘perpetual licence’ edition of its productivity suite. This is despite an understanding that Microsoft was seeking to phase out offline variants of Office in light of the huge shift to cloud-based collaboration.

Office 2019, for example, was released with a reduced extended support period against that offered in previous offline editions. Users were able to tap into just five years of mainstream support, as opposed to the standard seven years afforded in the past.

Microsoft’s desire to migrate its customers to subscription-based services was also signalled by the launch of Microsoft 365, which encompasses the breadth of its workplace services, including Outlook and Teams.

The imminent launch of Office 2021 and Office LTSC, however, suggests the company understands not all its customers are ready to move to the cloud. 

“It’s just a matter of trying to meet customers where they are,” head of Microsoft 365, Jared Spataro, told the Verge.

“We certainly have a lot of customers that have moved to the cloud over the last 10 months, that’s happened en masse really. At the same time, we definitely have customers who have specific scenarios where they don’t feel like they can move to the cloud.”

Like Office 2019, Office LTSC will only be supported for five years, excluding extended support. Pricing for Office Professional Plus, Office Standard and individual apps will also increase by 10% for commercial customers against Office 2019. Pricing for consumer and small business customers with Office 2021, however, will not change. 

The software giant is planning to release a preview of Office LTSC in April ahead of a full release later this year. Office 2021 will launch at the same time, but won’t be available in preview.

Samsung debuts ‘industry’s-first’ AI-powered memory

Keumars Afifi-Sabet

17 Feb, 2021

Samsung has developed a computing architecture that combines memory with artificial intelligence (AI) processing power to double the performance of data centres and high-performance computing (HPC) tasks while reducing power consumption.

Branded an ‘industry first’, this processor-in-memory (PIM) architecture brings AI computing capabilities to systems normally powered by high-bandwidth memory (HBM), such as data centres and supercomputers. HBM is an existing technology developed by companies including AMD and SK Hynix.

The result, according to Samsung, is twice the performance in high-powered systems, and a reduction in power consumption by more than 70%. This is driven largely by the fact the memory and processor components are integrated and no longer separated, vastly reducing the latency in the data transferred between them.

“Our groundbreaking HBM-PIM is the industry’s first programmable PIM solution tailored for diverse AI-driven workloads such as HPC, training and inference,” said Samsung’s vice president of memory product planning, Kwangil Park. 

“We plan to build upon this breakthrough by further collaborating with AI solution providers for even more advanced PIM-powered applications.”

Most computing systems today are based on an architecture which uses separate memory and processor units to carry out data processing tasks, known as von Neumann architecture. 

This approach requires data to move back and forth on a constant basis between the two components, which can result in a bottleneck when handling ever-increasing volumes of data, slowing system performance.

HBM-PIM, developed by Samsung, places a DRAM-optimised AI engine within each memory bank, enabling parallel processing and minimising the movement of data.

“I’m delighted to see that Samsung is addressing the memory bandwidth/power challenges for HPC and AI computing,” said Argonne’s associate laboratory director for computing, environment and life sciences, Rick Stevens. Argonne National Laboratory is a US Department of Energy research centre.  

“HBM-PIM design has demonstrated impressive performance and power gains on important classes of AI applications, so we look forward to working together to evaluate its performance on additional problems of interest to Argonne National Laboratory.”

Samsung’s innovation is being tested inside AI accelerators by third-parties in the AI sector, with work expected to be completed within the first half of 2021. Early tests with Samsung’s HBM2 Aquabolt memory system demonstrated the performance improvements and power consumption reduction cited previously.

Dell launches private cloud service through Project Apex

Keumars Afifi-Sabet

15 Feb, 2021

Dell Technologies Cloud Platform (DTCP) is aiming to offer its customers the capacity to scale their IT infrastructure up or down with its newly launched private cloud platform.

Released through the firm’s flagship Cloud Console, this private cloud service offers a scalable way for customers to build their cloud without deploying an additional layer of VMware Cloud Foundation (VCF) software stack.

VCF is a hybrid cloud platform built on a single architecture that serves as a foundational layer for managing virtual machines (VMs) and orchestrating containers. Dell’s launch, however, would allow customers to bypass the need to deploy this architecture and build their own on-prem private cloud, the company says.

This is the second product that Dell has launched as part of its Project Apex cloud pursuit. Project Apex is an initiative the company launched in October 2020 to consolidate its ‘as a service’ cloud offerings – with its Cloud Console hub sitting at the heart of this strategy.

The Cloud Console serves as a provisioning and management platform for cloud and ‘as a service’ products, with Dell hoping that customers can use it to deploy workloads, manage resources and keep an eye on costs through a simple interface.

DTCP Private Cloud is packaged with the same features that come with Dell’s existing hybrid cloud offering, with the firm also introducing instance-based offerings for DTCP Hybrid Cloud late last year.

These can be ordered in a self-service manner in quantities of 25, 50, 100, 200 and 500, and can be deployed in customers’ data centres within two weeks and scaled up in roughly five days. They can be combined to run a larger quantity of instances of the same type, or customers can mix and match multiple workloads within the same product.

While the firm’s hybrid cloud service is available for $47 per instance per month, Dell is making its private cloud offering available for $14 per instance per month. 

The release also comes with the option for customers to provide their own rack infrastructure, alongside the integrated rack Dell offers. Customers will be able to use their own rack space in combination with all the equipment required such as power distribution units, cables and switches.

Twitter shifts offline analytics workloads to Google Cloud

Keumars Afifi-Sabet

5 Feb, 2021

Google Cloud Platform has signed a multi-year agreement with Twitter that will see the social media company shift its offline analytics, data processing and machine learning workloads to Google’s Data Cloud.

The deal means Twitter will be able to more quickly process trillions of data points generated by every tweet, retweet and like sent on its platform to generate insights that, in turn, can be fed into improvements to the core product.

Twitter’s data platform currently consumes hundreds of petabytes of data and runs tens of thousands of tasks over a dozen data clusters each day. It previously struck an agreement with Google Cloud Platform as part of its ‘Partly Cloudy’ strategy in 2018, when the firm moved its Hadoop clusters to Google’s infrastructure.

With this expanded partnership, Twitter will adopt a number of Google services including BigQuery, Dataflow, Cloud Bigtable and machine learning tools. Ultimately, it’ll allow the firm to expand its data ecosystem and generate insights much faster, as well as allowing for deeper machine learning-driven innovation.

“Our initial partnership with Google Cloud has been successful and enabled us to enhance the productivity of our engineering teams,” said Twitter’s CTO Parag Agrawal. “Building on this relationship and Google’s technologies will allow us to learn more from our data, move faster and serve more relevant content to the people who use our service every day. 

“As Twitter continues to scale, we’re excited to partner with Google on more industry-leading technology innovation in the data and machine learning space.”

Twitter is also hoping to ‘democratise’ data access by offering a range of data processing and machine learning tools to better understand and improve how Twitter features are used. Previously, engineers and data scientists developed large custom processing jobs, although these can now be queried faster using SQL in BigQuery. 

The partnership, generally, will make it easier for both technical and non-technical teams to study data generated from the usage of Twitter, and gain insights from these.

“Helping customers manage the entire continuum of data – from storage to analytics to AI – is one of our key differentiators at Google Cloud,” said Google Cloud CEO, Thomas Kurian. 

“It’s been phenomenal to watch this company grow over the years, and we’re excited to partner with Twitter to innovate for the future and deliver the best experience possible for the people that use Twitter every day.”

IBM embraces ‘pay as you go’ cloud pricing

Keumars Afifi-Sabet

1 Feb, 2021

IBM has ditched subscription-based cloud pricing in favour of a ‘pay as you go’ scheme as it continues to transform its central focus to cloud provision.

With the Cloud Pay as you Go with Committed Use model, customers will need to negotiate a certain amount of cloud usage they’d be committing to pay for month after month, as well as discounted pricing. 

IBM’s main selling point for its new cloud pricing model is that customers won’t be met with penalties for using more than is expected. Instead, customers will be charged at the normal discounted rate they’ve negotiated for their expected cloud usage.

“With this billing model, you commit to spend a certain amount on IBM Cloud and you also receive discounts across the Cloud platform,” said IBM’s Amit Patel (offering management, direct sales) and Haley Lucey (IBM Cloud content experience).

“You are billed monthly based on your usage, and unlike a subscription, you continue to receive a discount even after you reach your yearly committed amount.”

The change comes after another mixed round of financial results for the computing giant, with a 10% surge in cloud growth overshadowed by the sharpest overall revenue decline in five years. 

IBM’s cloud business earned $7.5 billion during Q4, with revenue from Red Hat also increasing by 19%. However, this wasn’t enough to raise overall revenues, which dropped 6% between October and December. 

The pivot to pay as you go pricing is also part of a wider shift in pricing strategy, with IBM also announcing last week that it’s raised the prices of its Enterprise Plan for Db2 on Cloud programme from January 2021. 

The console user experience is also getting an overhaul, IBM says, with changes including visualisation of progress towards a cloud commitment, with ways to identify any discount, spending progress and remaining time on a commitment. 

Customers can also look at their spending breakdown, month by month, as well as a detailed usage dashboard for each specific calendar month.

SolarWinds hackers hit Malwarebytes through Microsoft exploit

Keumars Afifi-Sabet

20 Jan, 2021

Malwarebytes has said that the same state-backed cyber gang that attacked SolarWinds in December was able to access internal emails by using an exploit in Microsoft 365.

The hackers gained limited access to internal Malwarebytes emails, according to CEO Marcin Kleczynski, by abusing applications with privileged access to Microsoft 365 and Azure environments.

The security firm first became aware of the threat after the Microsoft Security Response Centre (MSRC) discovered unusual activity in a third-party application sitting inside the Microsoft 365 suite. Microsoft had been examining its Office 365 and Azure systems for signs of compromise at the time, while details of the SolarWinds attack were also beginning to emerge.

The attackers demonstrated similar techniques and procedures to those used in the SolarWinds compromise. In this case, however, they abused a dormant email protection product within the firm’s Office 365 tenant. This granted the attackers access to a limited subset of internal emails.

The attackers, however, failed to access or compromise Malwarebytes’ source code, and the company has declared that its products were safe to use at all times.

“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor,” Kleczynski said.

“After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.”

The specific exploit mechanism is based on an Azure Active Directory flaw uncovered in 2019, which Fox-IT researcher Dirk-jan Mollema demonstrated could be exploited to escalate privileges by assigning credentials to applications.

An early January report published by the US Cybersecurity and Infrastructure Security Agency (CISA) also revealed how attackers may have obtained access to Microsoft 365 apps by password spraying, in addition to exploiting administrative credentials.

In the Malwarebytes attack, the hackers added a self-signed certificate with credentials to the service principal account. From there, they were able to authenticate using the key and make API calls to request emails through MSGraph.
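The sequence the article describes, a credential added to a dormant application's service principal followed by a sign-in using it, is visible to a defender who correlates the tenant's audit log with its service-principal sign-in log. The following is an added example, not Malwarebytes', Microsoft's or CISA's code: the record fields are a simplified assumption (the activity name "Add service principal credentials" and the key type "AsymmetricX509Cert" are modelled on Azure AD audit log values, but the layout here is constructed), and the events are constructed sample data.

```python
"""Correlate constructed Azure AD-style audit and sign-in records to find a
credential added to a service principal that had been dormant, followed by a
sign-in as that principal within a short window.  Added example; the record
schema is a simplified assumption rather than Microsoft's exact format."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed audit-log entries (modelled loosely on the ApplicationManagement category).
AUDIT_EVENTS = [
    {"time": "2021-01-05T09:12:00Z", "activity": "Add service principal credentials",
     "actor": "ops-admin@example.test", "target": "backup-connector", "key_type": "Password"},
    {"time": "2021-01-10T03:41:00Z", "activity": "Add service principal credentials",
     "actor": "helpdesk@example.test", "target": "legacy-mail-protection",
     "key_type": "AsymmetricX509Cert"},
    {"time": "2021-01-11T10:00:00Z", "activity": "Update application",
     "actor": "ops-admin@example.test", "target": "backup-connector", "key_type": None},
]

# Constructed service-principal sign-in records.
SIGNIN_EVENTS = [
    {"time": "2021-01-04T08:00:00Z", "service_principal": "backup-connector", "ip": "203.0.113.10"},
    {"time": "2021-01-05T08:00:00Z", "service_principal": "backup-connector", "ip": "203.0.113.10"},
    {"time": "2021-01-06T08:00:00Z", "service_principal": "backup-connector", "ip": "203.0.113.10"},
    {"time": "2020-06-15T12:00:00Z", "service_principal": "legacy-mail-protection", "ip": "203.0.113.10"},
    {"time": "2021-01-10T05:02:00Z", "service_principal": "legacy-mail-protection", "ip": "198.51.100.7"},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def dormant_credential_abuse(audit: List[dict], signins: List[dict],
                             dormant_days: int = 90,
                             follow_hours: int = 24) -> List[dict]:
    """Return one finding per credential addition on a service principal that had
    not signed in for `dormant_days` (or ever) and then signed in within `follow_hours`."""
    history: Dict[str, List[Tuple[datetime, str]]] = {}
    for s in signins:
        history.setdefault(s["service_principal"], []).append((_ts(s["time"]), s["ip"]))
    for entries in history.values():
        entries.sort()

    findings: List[dict] = []
    for ev in audit:
        if ev["activity"] != "Add service principal credentials":
            continue
        added_at = _ts(ev["time"])
        entries = history.get(ev["target"], [])
        prior = [e for e in entries if e[0] < added_at]
        last_prior: Optional[datetime] = prior[-1][0] if prior else None
        dormant = last_prior is None or (added_at - last_prior) > timedelta(days=dormant_days)
        follow = [e for e in entries if added_at <= e[0] <= added_at + timedelta(hours=follow_hours)]
        if not (dormant and follow):
            continue  # routine rotation on an active principal, or no use of the new credential
        known_ips = {ip for _, ip in prior}
        findings.append({
            "service_principal": ev["target"],
            "credential_added": ev["time"],
            "added_by": ev["actor"],
            "key_type": ev["key_type"],
            "days_dormant": (added_at - last_prior).days if last_prior else None,
            "first_signin_after": follow[0][0].strftime("%Y-%m-%dT%H:%M:%SZ"),
            "new_source_ips": sorted({ip for _, ip in follow} - known_ips),
        })
    return findings


if __name__ == "__main__":
    for finding in dormant_credential_abuse(AUDIT_EVENTS, SIGNIN_EVENTS):
        print(finding)
```

In the sample data the backup-connector rotation is ignored because that principal signs in daily, while the legacy-mail-protection addition is flagged: a certificate credential added to a principal unused for months, followed two hours later by a sign-in from an address never seen for it. The dormancy and follow-up windows are parameters so a tenant can tune them to its own rotation habits.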

The SolarWinds breach was certainly one of the most significant security incidents of last year and carries wide-reaching implications for the industry. Since the turn of the year, it’s been revealed that the attackers accessed Microsoft source code in the breach, and had even first breached SolarWinds’ systems as far back as September 2019.

Citrix ‘set to acquire’ Wrike in record $2bn takeover

Keumars Afifi-Sabet

18 Jan, 2021

Citrix Systems is in talks to buy the collaborative work management platform Wrike for a reported $2 billion (approximately £1.5 billion) in what might become the company’s largest acquisition in its history.

The virtualisation company may close a deal with the owners of Wrike, Vista Equity Partners, as soon as this week, according to Bloomberg. This deal potentially adds another tool to Citrix’s arsenal as the firm aims to become a major player in the collaboration space.

Talks are reportedly ongoing with nothing finalised, according to those questioned by the publication, and discussions could yet collapse at any stage.

While Citrix already develops cloud-based products that allow employees to work remotely and keep in touch with their colleagues, integrating collaboration software such as that developed by Wrike would allow the company to go one step further.

Wrike develops workplace collaboration software that incorporates elements such as planning, workflow management and project management. The core platform is also supported by a host of integrations with technologies developed by the likes of Box, Salesforce, Microsoft, Google and Slack.

Among the firm’s more than 20,000 customers are several high-profile names, including Walmart and Nickelodeon in the US. Wrike’s competitors, meanwhile, include Trello and Slack Technologies, which were each recently purchased in major deals by Atlassian and Salesforce respectively.

Should the acquisition go through at the reported $2 billion figure, it’ll become the largest in the company’s history. The firm previously acquired the micro-app developer Sapho in November 2018 for $200 million (roughly £150 million). Prior to that, in February 2018, Citrix bought the web traffic management firm Cedexis for an undisclosed fee.

Citrix has been on a mission to define the “future of work” for several years, and integrating a collaboration platform into the firm’s core Workspace service would naturally fit into this strategy. The popularity of this kind of software has certainly surged during 2020, however, due to COVID-19 and its effect on encouraging remote working.

CloudPro approached Citrix for a comment on the reports, but the company didn’t respond at the time of publication.

Dropbox sheds 11% of its workforce in “painful” restructure

Keumars Afifi-Sabet

14 Jan, 2021

File hosting service Dropbox has decided to cull its global workforce by 315 people, or roughly a tenth, to embark on new strategies for growth and invest in products designed for the era of hybrid working.

The “painful, but necessary” decision to shed 11% of its workforce follows a transitional year in which the firm adopted a ‘virtual first’ policy with permanent remote working at its heart.

Dropbox COO Olivia Nottebohm will also be leaving the company on 5 February after little more than a year in post, although it’s unclear whether the former Google Cloud VP has been let go as part of the wider cuts or has stepped down of her own accord.

“Over the past year, we’ve talked a lot about the importance of running a tight ship and getting the company ready for the next stage of growth,” said Dropbox CEO Drew Houston.

“This will require relentless focus on initiatives that align tightly with our strategic priorities, and having the discipline to pull back from those that don’t. Unfortunately, this means that we’re reducing the size of some of our teams.”

The news may surprise some given that figures from November 2020 revealed Dropbox had performed better than expected, with its Q3 income of $487.4 million (£357 million) representing a 14% year-on-year growth.

Houston explained that these 315 job cuts “will lead to a more efficient and nimble Dropbox” and help the company focus on its priorities for 2021. These include evolving the core platform, investing in new products for hybrid working, and “driving operational excellence”, although the definition of this hasn’t been clarified.

He added the company strived to maintain jobs throughout 2020, but that this move was now needed in order to achieve its goals over the coming years.

“This was an extremely difficult decision, but a necessary step as we align teams to our business priorities, which requires reallocating resources and eliminating some roles across the company,” a Dropbox spokesperson told IT Pro. 

“We’ll continue to invest in critical roles to support product expansion and growth initiatives. For affected employees, we’re committed to supporting them through the transition, including severance packages and job placement support.”

There is no official reasoning for Nottebohm’s departure, and she is yet to issue a statement, although Houston praised her “pivotal role” in setting the company up for success in 2021. Incidentally, the role that Nottebohm filled in January 2020 had previously been vacant for more than a year.

According to social media posts by current Dropbox employees, a significant number of cuts have been made in the product design division, although this hasn’t been officially confirmed. It’s also unclear how the job losses have been distributed geographically.

Departing employees will be entitled to severance pay and bonuses depending on their location and eligibility, as well as six months of healthcare if US-based. Workers can also choose to keep all company devices currently in their possession.