- Hackers use backdoors to drop Kickidler, a legitimate employee monitoring tool
- The tool is used to harvest login credentials and deploy an encryptor
- VMware ESXi servers are targeted
Kickidler, a popular employee monitoring tool, is being abused in ransomware attacks, several security researchers have warned.
The software was designed for companies, enabling them to supervise their employees' productivity, ensure compliance and detect insider threats. Some of its key features are real-time screen viewing, keystroke logging and time tracking; the first two are particularly interesting to cybercriminals.
Researchers from Varonis and Synacktiv, who say they observed the attacks in the wild, report that it all starts with a poisoned ad bought on the Google Ads network. The ad is shown to people searching for RVTools, a free Windows-based tool that connects to VMware vCenter or ESXi hosts. The ad leads to a trojanized version of the program that drops a backdoor called SMOKEDHAM.
Cloud backups in the crosshairs
Using the backdoor, the threat actors deploy Kickidler, specifically targeting corporate administrators and the many login credentials they use every day. The goal is to infiltrate every corner of the network and ultimately deploy the encryptor.
The two groups seen using Kickidler are Qilin and Hunters International, who appear to be focused on cloud backups but seem to have hit a roadblock, Varonis said.
“Given the increased targeting of backup solutions by attackers in recent years, defenders should decouple backup system authentication from Windows domains. This measure prevents attackers from accessing backups, even if they obtain high-level Windows credentials,” Varonis told BleepingComputer.
“Kickidler addresses this problem by capturing keystrokes and web pages from an administrator's workstation. This enables attackers to identify off-site cloud backups and obtain the necessary passwords to access them. This is done without dumping memory or other high-risk tactics that are more likely to be detected.”
The payloads targeted VMware ESXi infrastructure, the researchers added, encrypting VMDK virtual hard drives. Hunters International used VMware PowerCLI and WinSCP automation to enable SSH, drop the ransomware and run it on ESXi servers.
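The SSH-enablement step described above is something defenders can audit from the same tooling. The following PowerCLI script is an added example, not code from the article or from the researchers' reports; it assumes the VMware.PowerCLI module is installed, a read-only vCenter account, and a placeholder vCenter hostname.

```powershell
# Added example (not from the article): audit every ESXi host behind a vCenter
# for the SSH service (key "TSM-SSH") being running or set to start on boot.
# The expected baseline on most ESXi fleets is SSH stopped with policy "off",
# so any host that deviates is worth a closer look.
Import-Module VMware.PowerCLI

function Get-EsxiSshExposure {
    param(
        [Parameter(Mandatory)] [string] $VCenter,   # placeholder name, see caller
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Connect-VIServer -Server $VCenter -Credential $Credential | Out-Null
    try {
        foreach ($vmhost in Get-VMHost) {
            # Get-VMHostService returns one object per host service; TSM-SSH is the SSH daemon
            $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
            [pscustomobject]@{
                Host          = $vmhost.Name
                SshRunning    = [bool] $ssh.Running
                StartupPolicy = $ssh.Policy            # "off", "on" or "automatic"
                Deviation     = ($ssh.Running -or $ssh.Policy -ne 'off')
            }
        }
    }
    finally {
        Disconnect-VIServer -Server $VCenter -Confirm:$false
    }
}

# Usage: "vcenter.example.internal" is a placeholder, replace with your own vCenter.
$cred     = Get-Credential -Message 'Read-only vCenter account'
$findings = Get-EsxiSshExposure -VCenter 'vcenter.example.internal' -Credential $cred

# Print the full picture, then call out hosts that deviate from the baseline.
$findings | Sort-Object Host | Format-Table -AutoSize
$findings | Where-Object Deviation | ForEach-Object {
    Write-Warning ("SSH exposed on {0}: running={1}, policy={2}" -f $_.Host, $_.SshRunning, $_.StartupPolicy)
}
```

Run on a schedule and diff the output against the previous run, a host whose SSH service has newly switched on is the signal worth correlating with vCenter event logs.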