Endpoint

5/11/2018
03:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Gandcrab Ransomware Exploits Website Vulnerabilities

Researchers find campaigns distributing Gandcrab by hosting malware on legitimate websites with poor security measures.

Cryptominers may have stolen the spotlight as cybercrime's hottest new trend, but it doesn't mean we can stop paying attention to ransomware. Researchers at Cisco Talos detected a new batch of Gandcrab ransomware being distributed through legitimate but poorly secured sites.

Gandcrab, among the newest threats in the ransomware space, started as a simple attack and quickly evolved as its authors adapted to security defenses. In the first two months of 2018, attackers infected more than 50,000 victims and generated more than $600,000 for attackers. This threat spreads via spam campaigns and exploit kits including Rig and Grandsoft.

Talos researchers were analyzing a recent spam campaign when they found a series of compromised sites delivering Gandcrab and continued to identify four separate campaigns over the period of one week. The first started on April 30 and was disguised as an online order. An attached ZIP file has a Word document that downloads and executes the ransomware. Emails contained either VBScripts or ZIP files but always delivered the same result.

An interesting part of this campaign is the tools used to download Gandcrab. There are several ways to do this with macros, but attackers chose to use certutil.exe, a command line utility installed as part of Certificate Services. The use of certutil demonstrates how adversaries are seeking new and effective ways to download malware onto targets' machines, says Talos threat researcher Nick Biasini.

A couple of days later, the second campaign arrived. Its subject, bodies, and attachments were very similar to those in the first; however, the location of where the payload was hosted had changed. Researchers looked at the DNS and noticed it was delivered from a legitimate site, which was running phpMyAdmin and had multiple MySQL flaws and default credentials. The website was taken down shortly after this was discovered, researchers say in a blog post.

The third campaign was found downloading Gandcrab from an out-of-date WordPress site riddled with vulnerabilities. The fourth leveraged the same website, highlighting another trend. Sometimes attackers return to the same site, even after it has been taken down. This pattern shows attackers aren't putting much effort into making their campaigns unique.

Biasini says this distribution of Gandcrab highlights a major problem for businesses: website compromise. Many of the Web pages on the Internet are running on antiquated software and most small businesses don't know a new flaw has been released. Even if they did, they don't have the expertise or time to update the software they rely on.

"It is increasingly easy to create a website based on a lot of the Web frameworks like WordPress, Joomla, and Drupal, among others," he explains. "The challenge is that most people creating and hosting a small-business website aren't aware that the software needs to be updated and secondly may not have the knowledge or time to undertake such an endeavor."

Each of these platforms has some form of remote management, Biasini continues. Average employees don't realize this portal needs to have strong credentials and, ideally, have the administrative page restricted to the specific IP address space. "These exposed admin pages with weak credentials are easily compromised by far more sophisticated adversaries," he notes.

Attackers will continue to leverage compromised websites because they save time and money related to domain registration, buying VPS, and configuring the server to host files. They also inherit the site's reputation, which can help with slipping past blacklisting systems.

This specific version of Gandcrab is generating a discussion around how often the malware is updated, and its creators' active participation in developing new iterations of it. "They are continually making changes and updates to this ransomware," says Biasini.

Businesses can protect themselves by patching their software, including any and all plug-ins that could be used on the site. Beyond that, he recommends securing admin portals on the pages and implementing strong passwords. In a brute-force attack, weak passwords could lead to compromise and grant the attacker access until the authentication is updated.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19301
PUBLISHED: 2018-11-15
tp4a TELEPORT 3.1.0 allows XSS via the login page because a crafted username is mishandled when an administrator later views the system log.
CVE-2018-5407
PUBLISHED: 2018-11-15
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVE-2018-14934
PUBLISHED: 2018-11-15
The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone.
CVE-2018-14935
PUBLISHED: 2018-11-15
The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.
CVE-2018-16619
PUBLISHED: 2018-11-15
Sonatype Nexus Repository Manager before 3.14 allows XSS.