Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
REWTERZ THREAT ADVISORY – CVE-2018-19788 – LINUX POLICYKIT Command Execution Vulnerability
December 10, 2018Rewterz Threat Advisory – Bagle worm returns with email spam campaigns
December 12, 2018
A new variant of Satan ransomware is spreading via around ten different vulnerabilities in Windows and Linux server platforms.
IMPACT: MEDIUM
PUBLISH DATE: 11-DEC-2018
OVERVIEW
The worm-like variant of Satan ransomware called “Lucky” is capable of spreading on its own, without human interaction. The malware is capable of exploiting previously known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat, Apache Struts 2, and Spring Data Commons. The ransomware is found infecting many systems belonging to the financial sector.
ANALYSIS
These vulnerabilities are being exploited by Lucky to facilitate its propagation.
- JBoss deserialization vulnerability
- JBoss default configuration vulnerability (CVE-2010-0738)
- Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
- WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
- WebLogic WLS component vulnerability (CVE-2017-10271)
- Windows SMB remote code execution vulnerability (MS17-010)
- Spring Data Commons remote code execution vulnerability (CVE-2018-1273)
- Apache Struts 2 remote code execution vulnerability
- Apache Struts 2 remote code execution vulnerability
- Tomcat Web admin console backstage weak password brute-force flaw.
In case of successful infection, Lucky encrypts local files adding extension ‘.lucky’ to their names. It then installs a ransom file – “_How_To_Decrypt_My_File_”.
Lucky ransomware attempts to spread right after it completes encrypting files on the victim system. The malware scans for specific IPs and ports on the local network to find vulnerable systems to drop its malicious payload.
ATTACK TARGET
Most of these vulnerabilities are easy to exploit and affect Java server apps. The vulnerabilities that affect JBoss, Tomcat, WebLogic, Apache Struts 2, and Spring Data Commons are all remote code execution vulnerabilities that allow attackers to easily execute OS commands on any platform.
Ransomwares are now attacking Servers more than systems because vulnerable servers are usually left unpatched for longer periods of time as compared to desktop systems. Based on Threat Intelligence data from over 4,000 sources, experts believe that there is a risk of extensive infection in the financial sector by Lucky ransomware.
INDICATORS OF COMPROMISE
IPs:
- 111[.]90[.]158[.]225
- 107[.]179[.]65[.]195
- 23[.]247[.]83[.]135
- 111[.]90[.]158[.]224
MITIGATION
- Check firewall logs to detect suspicious port-scanning activity as well as exploitation of vulnerabilities.
- Check for any requests to connect with a list of above-mentioned four specific IP addresses.
- Keep track of the latest vulnerability alerts and immediately scan their systems for the known CVEs that could be exploited.
- Most importantly, make sure all the products are upgraded to the latest patched versions and are immune to each of the above-mentioned vulnerabilities.
If you think you’re a victim of a cyber-attack, immediately send an e-mail to soc@rewterz.com.