A new variant of Satan ransomware is spreading via around ten different vulnerabilities in Windows and Linux server platforms.
IMPACT: MEDIUM
PUBLISH DATE: 11-DEC-2018
OVERVIEW
The worm-like variant of Satan ransomware called “Lucky” is capable of spreading on its own, without human interaction. The malware is capable of exploiting previously known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat, Apache Struts 2, and Spring Data Commons. The ransomware is found infecting many systems belonging to the financial sector.
ANALYSIS
Lucky exploits the following vulnerabilities to propagate:
- JBoss deserialization vulnerability
- JBoss default configuration vulnerability (CVE-2010-0738)
- Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
- WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
- WebLogic WLS component vulnerability (CVE-2017-10271)
- Windows SMB remote code execution vulnerability (MS17-010)
- Spring Data Commons remote code execution vulnerability (CVE-2018-1273)
- Apache Struts 2 remote code execution vulnerabilities (two separate flaws)
- Tomcat web admin console weak-password brute-force flaw
On successful infection, Lucky encrypts local files, appending the extension ‘.lucky’ to their names, and then drops a ransom note named “_How_To_Decrypt_My_File_”.
Lucky attempts to spread as soon as it has finished encrypting files on the victim system. It scans specific IPs and ports on the local network for vulnerable systems on which to drop its payload.
ATTACK TARGET
Most of these vulnerabilities are easy to exploit and affect Java server applications. The flaws in JBoss, Tomcat, WebLogic, Apache Struts 2, and Spring Data Commons are all remote code execution vulnerabilities that let an attacker run OS commands on any platform the application is hosted on.
Ransomware now targets servers more than workstations because vulnerable servers are usually left unpatched for longer than desktop systems. Based on threat intelligence data from over 4,000 sources, experts believe there is a risk of extensive infection in the financial sector by Lucky ransomware.
INDICATORS OF COMPROMISE
IPs:
- 111[.]90[.]158[.]225
- 107[.]179[.]65[.]195
- 23[.]247[.]83[.]135
- 111[.]90[.]158[.]224
MITIGATION
- Check firewall logs to detect suspicious port-scanning activity as well as exploitation of vulnerabilities.
- Check for any connection attempts to the four IP addresses listed above.
- Keep track of the latest vulnerability alerts and immediately scan your systems for the known CVEs that could be exploited.
- Most importantly, make sure all products are upgraded to the latest patched versions and are not affected by any of the vulnerabilities listed above.
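The first two checks above (port-scan detection and contact with the listed IPs) as a small log-review script; this is an added example, not Rewterz tooling. The firewall log format, the watched service ports, the scan threshold and the sample log lines are assumptions.

```python
import re
from collections import defaultdict

# The four IP addresses published in the advisory, with the de-fanging brackets removed.
LUCKY_IOC_IPS = {"111.90.158.225", "107.179.65.195", "23.247.83.135", "111.90.158.224"}

# Assumed service ports for the exploited products: SMB (MS17-010), WebLogic, and the
# usual HTTP port of Tomcat, JBoss and Struts 2 deployments. Adjust to your estate.
WATCHED_PORTS = {445: "SMB", 7001: "WebLogic", 8080: "Tomcat/JBoss/Struts 2"}

# Assumed iptables/syslog-style record: "... SRC=<ip> DST=<ip> ... DPT=<port>".
LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+).*?DPT=(\d+)")

def parse_line(line):
    """Return (src, dst, dport) or None when the line is not a connection record."""
    m = LOG_RE.search(line)
    return None if m is None else (m.group(1), m.group(2), int(m.group(3)))

def analyse(lines, scan_threshold=3):
    """Return (ioc_hits, scanners): ioc_hits is a list of (src, dst) pairs touching a
    listed Lucky IP; scanners maps each source that reached at least scan_threshold
    distinct (host, watched port) pairs to that sorted list, which is the pattern of
    the post-encryption lateral scan the advisory describes."""
    ioc_hits = []
    touched = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if src in LUCKY_IOC_IPS or dst in LUCKY_IOC_IPS:
            ioc_hits.append((src, dst))
        if port in WATCHED_PORTS:
            touched[src].add((dst, port))
    scanners = {s: sorted(t) for s, t in touched.items() if len(t) >= scan_threshold}
    return ioc_hits, scanners

# Constructed sample log: one host sweeps SMB/Tomcat/WebLogic ports, then contacts a listed IP.
SAMPLE_LOG = [
    "Dec 11 10:01:02 fw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.7 PROTO=TCP DPT=445",
    "Dec 11 10:01:03 fw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.8 PROTO=TCP DPT=445",
    "Dec 11 10:01:04 fw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=8080",
    "Dec 11 10:01:05 fw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=7001",
    "Dec 11 10:02:00 fw kernel: OUT=eth1 SRC=10.0.0.5 DST=111.90.158.225 PROTO=TCP DPT=80",
    "Dec 11 10:02:30 fw kernel: IN=eth0 SRC=10.0.0.20 DST=10.0.0.7 PROTO=TCP DPT=22",
]
if __name__ == "__main__":
    hits, scanners = analyse(SAMPLE_LOG)
    print("IOC contacts:", hits)
    print("possible scanners:", scanners)
```

On the sample log the script reports 10.0.0.5 both for sweeping four distinct host/port pairs and for contacting a listed IP, while 10.0.0.20 (a single SSH connection) is not flagged.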
If you think you’re a victim of a cyber-attack, immediately send an e-mail to soc@rewterz.com.