[TheRecord] Ransomware gangs are abusing a zero-day in EntroLink VPN appliances

Multiple ransomware gangs have weaponized and are abusing a zero-day in EntroLink VPN appliances after an exploit was released on an underground cybercrime forum at the start of September 2021.

The zero-day is believed to impact EntroLink PPX-AnyLink devices, popular with South Korean companies, and used as user authentication gateways and VPNs to allow employees remote access to company networks and internal resources.

An exploit targeting these devices was released last month, on September 13, 2021. The exploit, initially sold on another forum for $50,000, was released for free by the administrator of a newly-launched cybercrime forum in what appears to be a promotional stunt meant to raise the site’s profile among other cybercrime groups.

Image: The Record (supplied)

According to the forum post, the exploit is still unpatched, exploits a network protocol, and grants remote code execution with root-level access to PPX-AnyLink devices.

The post also describes the bug as an input validation issue and that the exploit is self-contained and only needs a few seconds to compromise a device.

Since the exploit’s release, affiliates for the BlackMatter and LockBit ransomware operations have been linked to possible intrusions where this exploit might have been used, according to a researcher who is currently tracking and investigating ransomware attacks.

EntroLink, the South Korean networking vendor, was notified of the exploit’s release by the security researcher.

The company did not engage with the researcher, and it also did not return a request for comment sent via email by The Record last week. During a phone call, a company spokesperson also refused to connect this reporter to a company representative responsible for product security.

The EntroLink PPX-AnyLink exploit now becomes the 54th zero-day vulnerability that ransomware gangs are currently known to abuse, according to a tracker managed by security researchers Allan Liska and Pancak3.

Updates include $MSFT Office CVE-2021-38646 and @billquick’s web suite CVE-2021-42258.
Also, I feel enough time has passed since continuously trying to reach the company with no response to uncensor the EntroLink PPX-AnyLink 0day item.
Cc: @uuallan pic.twitter.com/l6vetBONVu

— панкейк (@pancak3lullz) October 25, 2021

The post Ransomware gangs are abusing a zero-day in EntroLink VPN appliances appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ThreatPost] No Critical Bugs for Microsoft February 2022 Patch Tuesday, 1 Zero-Day

All posts, ThreatPost

This batch had zero critical CVEs, which is unheard of. Most (50) of the patches are labeled Important, so don’t delay to apply the patches, security experts said. Source: Read More (Threatpost)

Read More

[ZDNet] How surveillance capitalism will totally transform the domain name system

All posts, ZDNet

APNIC’s Geoff Huston predicts a world where paranoid apps add ‘oblivion’ to the DNS to protect privacy. Their privacy, not yours. Source: Read More (Latest topics for ZDNet in Security)

Read More

[BleepingComputer] XLoader malware steals logins from macOS and Windows systems

A highly popular malware for stealing information from Windows systems has been modified into a new strain called XLoader, which can also target macOS systems. […] Source: Read More (BleepingComputer)

Read More