Last week on Malwarebytes Labs:

• Microsoft Recall delayed after privacy and security concerns
• (Almost) everything you always wanted to know about cybersecurity, but were too afraid to ask, with Tjitske de Vries: Lock and Code S05E13
• 43% of couples experience pressure to share logins and locations, Malwarebytes finds
• Explained: Android overlays and how they are used to trick people
• TikTok facing fresh lawsuit in US over children’s privacy
• Was T-Mobile compromised by a zero-day in Jira?
• US bans Kaspersky, warns: “Immediately stop using that software”
• First million breached Ticketmaster records released for free

Last week on ThreatDown:

• UEFI vulnerability for Intel processors opens the doors for a bootkit
• US gov bans Kaspersky sales and updates, says “switch to an alternative” immediately
• Microsoft 365 users targeted in 2FA-busting phishing campaigns
• Patch now! VMWare releases fix for critical vulnerabilities
• Compromised F5 BIG-IP appliances abused in three-year infiltration
• Why are browser vulnerabilities going unpatched?
• Anything but science fiction: The anatomy of an Akira ransomware attack
• Enhancing ThreatDown Admin App notifications: Multi-method delivery now available
• Black Basta ransomware exploits Windows Error Reporting Service vulnerability

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Serious vulnerabilities that can allow remote code execution and privilege escalation have been patched in VMware vCenter Server.

The post Critical Code Execution Vulnerabilities Patched in VMware vCenter Server appeared first on SecurityWeek.

Enlarge (credit: Getty)

After acquiring VMware, Broadcom swiftly enacted widespread changes that resulted in strong public backlash. A new survey of 300 director-level IT workers at companies that are customers of North American VMware provides insight into the customer reaction to Broadcom's overhaul.

The survey released Thursday doesn't provide feedback from every VMware customer, but it's the first time we've seen responses from IT decision-makers working for companies paying for VMware products. It echos concerns expressed at the announcement of some of Broadcom's more controversial changes to VMware, like the end of perpetual licenses and growing costs.

CloudBolt Software commissioned Wakefield Research, a market research agency, to run the study from May 9 through May 23. The "CloudBolt Industry Insights Reality Report: VMware Acquisition Aftermath" includes responses from workers at 150 companies with fewer than 1,000 workers and 150 companies with more than 1,000 workers. Survey respondents were invited via email and took the survey online, with the report authors writing that results are subject to sampling variation of ±5.7 percentage points at a 95 percent confidence level.

Read 13 remaining paragraphs | Comments

Views: 0Source: www.securityweek.com – Author: Eduard Kovacs MITRE has published another blog post describing the recent cyberattack, focusing on how the hackers abused its VMware systems for persistence and detection evasion. MITRE, a not-for-profit company operating R&D centers on behalf of US government sponsors, revealed one month ago that state-sponsored hackers had exploited zero-day vulnerabilities […]

La entrada VMware Abused in Recent MITRE Hack for Persistence, Evasion – Source: www.securityweek.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

MITRE has shared information on how China-linked hackers abused VMware for persistence and detection evasion in the recent hack.

The post VMware Abused in Recent MITRE Hack for Persistence, Evasion appeared first on SecurityWeek.

Last week on Malwarebytes Labs:

• Patch now! VMWare escape flaws are so serious even end-of-life software gets a fix
• Update now! JetBrains TeamCity vulnerability abused at scale
• PetSmart warns customers of credential stuffing attack
• Predator spyware vendor banned in US
• ALPHV ransomware gang fakes own death, fools no one
• Update your iPhones and iPads now: Apple patches security vulnerabilities in iOS and iPadOS
• Check your DNS! Abandoned domains used to bypass spam checks
• American Express warns customers about third party data breach
• No “Apple magic” as 11% of macOS detections last year came from malware
• Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

VMWare has issued secuity fixes for its VMware ESXi, Workstation, Fusion, and Cloud Foundation products. It has even taken the unusual step of issuing updates for versions of the affected software that have reached thier end-of-life, meaning they would normally no longer be supported.

This flaws affect customers who have deployed VMware Workstation, VMware Fusion, and/or VMware ESXi by itself or as part of VMware vSphere or VMware Cloud Foundation.

A virtual machine (VM) is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and the VM (the guest system).

VMWare’s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to breack of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.

Besides instructions about how to update the affected products, the advisory lists possible workarounds that would block an attacker from exploiting the vulnerabilities. Since three of the vulnerabilities affect the USB controller, applying the workarounds will effectively block the use of virtual or emulated USB devices. For guest operating systems that do not support using a PS/2 mouse and keyboard, such as macOS, this means they will effectively be unable to use a mouse and keyboard.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2024-22252 and CVE-2024-22253 are use-after-free vulnerabilities in the XHCI and UHCI USB controllers of VMware ESXi, Workstation, and Fusion. A malicious actor with local administrative privileges on a virtual machine can exploit the issues to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation of either is contained within the VMX sandbox, but on Workstation and Fusion this may lead to code execution on the machine where Workstation or Fusion is installed.

The VMX process is a process that runs in the kernel of the VM and is responsible for handling input/output (I/O) to devices that are not critical to performance. The VMX is also responsible for communicating with user interfaces, snapshot managers, and remote consoles.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2024-22254 is an out-of-bounds write vulnerability in VMWare ESXi. A malicious actor with privileges within the VMX process can trigger an out-of-bounds write leading to an escape of the sandbox.

A sandbox environment is another name for an isolated VM in which potentially unsafe software code can execute without affecting network resources or local applications.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data being written to memory is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written

CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller of VMware ESXi, Workstation, and Fusion. A malicious actor with administrative access to a VM may be able to exploit this issue to leak memory from the VMX process.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.