Agenda Ransomware Attacks VMware vCenter & ESXi Worldwide


Agenda ransomware group, also known by its aliases Qilin and Water Galura, has been ramping up its attacks globally.

This nefarious group has focused on the United States, Argentina, Australia, and Thailand, and it has been targeting industries critical to the economy, such as finance and law.

However, a recent trend has emerged: Agenda is setting its sights on a new and highly critical target, VMware vCenter and ESXi servers.

The distribution by country of Agenda’s victims (March 2024)
The distribution by industry of Agenda’s victim organizations (March 2024)

The Rise of Agenda Ransomware

First identified in 2022, Agenda has quickly evolved, demonstrating a sophisticated understanding of cybersecurity vulnerabilities and how to exploit them.

Trend Micro, a leading cybersecurity firm, has been closely monitoring the group’s activities and has noted a significant uptick in attacks since December 2023.

This surge in activity suggests that the group is either expanding its operations or becoming more effective at reaching its targets.

Agenda ransomware infection chain based on recent observations

A recent tweet by Dark Reading reveals that a global ransomware wave has been launched explicitly targeting VMware ESXi servers.

Technical Breakdown

Agenda’s method of attack is particularly insidious. The group employs Remote Monitoring and Management (RMM) tools and Cobalt Strike to deploy its ransomware binary.

Once inside the system, the ransomware can propagate through various means, including PsExec and Secure Shell (SSH), and employs different vulnerable SYS drivers for defense evasion.

A comparison of the command-line arguments used by Agenda in July 2023 and February 2024 reveals significant enhancements in the ransomware’s capabilities.

Notably, the addition of arguments such as --no-sandbox for disabling sandbox detection, --impersonate for token impersonation, and --spread-center for propagation in vCenter and ESXi, among others, showcases the group’s evolving sophistication.

PowerShell Script used for propagation

Lateral Movement: T1021.004 Remote Services – SSH

One of the most alarming developments is Agenda’s ability to spread to VMware vCenter and ESXi servers.

Console for inputting vCenter or ESXi credentials

By executing a custom PowerShell script embedded in the binary, the ransomware can propagate across virtual infrastructure, potentially leading to significant data and financial loss and to disruption of services.
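The two observations above, the new command-line switches and the SSH fan-out to vCenter/ESXi hosts, can be turned into a simple correlation rule for a SOC. The following is an added defender-side example, not code from the article or from Trend Micro; the telemetry format and sample events are constructed, and the switch names are the ones quoted in the write-up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Switches the write-up attributes to the February 2024 Agenda build.
AGENDA_SWITCHES = ("--no-sandbox", "--impersonate", "--spread-center")
WINDOW = timedelta(minutes=10)  # how long after the binary starts we look for SSH fan-out

# Constructed sample telemetry (not real logs): "timestamp|host|kind|detail",
# where kind is "proc" (command line) or "net" (destination ip:port).
SAMPLE_EVENTS = r"""
2024-02-12T09:00:01|WS-FIN-07|proc|C:\Windows\System32\svchost.exe -k netsvcs
2024-02-12T09:02:10|WS-FIN-07|proc|C:\Users\Public\enc.exe --no-sandbox --impersonate --spread-center
2024-02-12T09:02:15|WS-FIN-07|proc|powershell.exe -ExecutionPolicy Bypass -NoProfile
2024-02-12T09:02:40|WS-FIN-07|net|10.10.20.11:22
2024-02-12T09:02:41|WS-FIN-07|net|10.10.20.12:22
2024-02-12T09:02:43|WS-FIN-07|net|10.10.20.13:22
2024-02-12T09:30:00|SRV-APP-02|proc|C:\Tools\backup.exe --spread-center
2024-02-12T11:00:00|SRV-APP-02|net|10.10.20.11:22
"""

def parse_events(text):
    """Parse the pipe-delimited sample into sorted (ts, host, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events)

def detect(text, min_ssh_targets=2):
    """Flag hosts where a process carrying Agenda's switches is followed, within WINDOW,
    by SSH connections to several distinct hosts (the vCenter/ESXi spread pattern)."""
    by_host = defaultdict(list)
    for ev in parse_events(text):
        by_host[ev[1]].append(ev)
    hits = []
    for host, evs in by_host.items():
        for ts, _, kind, detail in evs:
            if kind != "proc":
                continue
            found = [s for s in AGENDA_SWITCHES if s in detail.split()]
            if not found:
                continue
            later = [e for e in evs if ts <= e[0] <= ts + WINDOW]
            ssh_targets = {e[3].rsplit(":", 1)[0] for e in later
                           if e[2] == "net" and e[3].endswith(":22")}
            spawned_ps = any(e[2] == "proc" and "powershell" in e[3].lower() for e in later)
            if len(ssh_targets) >= min_ssh_targets:
                hits.append({"host": host, "trigger": detail, "switches": found,
                             "ssh_targets": sorted(ssh_targets), "powershell": spawned_ps})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Only WS-FIN-07 is flagged: SRV-APP-02 shows a single switch but its SSH connection falls outside the correlation window, which is the kind of single-indicator noise the time bound is meant to suppress.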

rewriting the PowerShell script in memory

Defense Evasion Techniques

Agenda employs the Bring Your Own Vulnerable Driver (BYOVD) technique to evade detection, leveraging different vulnerable drivers to disable security tools.

This approach highlights the adaptability of ransomware and the challenges cybersecurity defenses face in stopping these threats.

A SYS driver used by the Agenda ransomware

Organizations are advised to adopt a multilayered security approach to combat the threat of Agenda and similar ransomware.

This includes sparingly granting administrative rights, performing regular security scans, backing up data, practicing safe email and web browsing habits, and educating users on social engineering risks.

The Agenda ransomware group’s focus on VMware vCenter and ESXi servers marks a significant escalation in the cyber threat landscape.

As these attacks evolve, organizations must stay vigilant and implement robust cybersecurity measures to protect their critical infrastructure from these increasingly sophisticated threats.
