The Memento ransomware group is making its way onto the threat landscape scene. Their approach seems to be quite uncommon, as the threat actor group locks files in password-protected WinRAR archives. Because security software managed to detect their previous encryption techniques, they have now chosen this method instead.

Sophos researchers published a report on this topic. It seems that the Memento ransomware group started its ransomware activity in October 2021. To obtain initial access to the targeted networks, they targeted a vulnerability in the VMware vCenter Server web client.

The flaw was dubbed CVE-2021-21971; it carries a 9.8 severity score and is essentially a remote code execution vulnerability. Anyone with remote access to a vCenter server's TCP/IP port 443 can abuse this vulnerability to gain privileged access and execute commands on the operating system.

It seems that the vulnerability received a patch back in February; however, not many enterprises seemed to apply it. Apparently, Memento started exploiting this flaw in April, and then last month they went on with their ransomware operation.

They targeted vCenter and performed a series of actions: extracting server admin credentials, creating scheduled tasks for persistence, and moving laterally across the network by means of RDP over SSH.

How Did the Encryption Phase Unfold?

As BleepingComputer mentions, when the reconnaissance phase was over, they put the stolen data in a WinRAR archive and then exfiltrated it. They removed their traces by means of Jetico's BCWipe, which is essentially a data-wiping utility. Then the AES encryption was carried out through a Python-based ransomware strain.

What Led to the Unusual Workaround?

The Memento attack flow is illustrated below.

[Figure: Memento attack flow]