Endpoint

5/11/2018
03:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Gandcrab Ransomware Exploits Website Vulnerabilities

Researchers find campaigns distributing Gandcrab by hosting malware on legitimate websites with poor security measures.

Cryptominers may have stolen the spotlight as cybercrime's hottest new trend, but it doesn't mean we can stop paying attention to ransomware. Researchers at Cisco Talos detected a new batch of Gandcrab ransomware being distributed through legitimate but poorly secured sites.

Gandcrab, among the newest threats in the ransomware space, started as a simple attack and quickly evolved as its authors adapted to security defenses. In the first two months of 2018, attackers infected more than 50,000 victims and generated more than $600,000 for attackers. This threat spreads via spam campaigns and exploit kits including Rig and Grandsoft.

Talos researchers were analyzing a recent spam campaign when they found a series of compromised sites delivering Gandcrab and continued to identify four separate campaigns over the period of one week. The first started on April 30 and was disguised as an online order. An attached ZIP file has a Word document that downloads and executes the ransomware. Emails contained either VBScripts or ZIP files but always delivered the same result.

An interesting part of this campaign is the tools used to download Gandcrab. There are several ways to do this with macros, but attackers chose to use certutil.exe, a command line utility installed as part of Certificate Services. The use of certutil demonstrates how adversaries are seeking new and effective ways to download malware onto targets' machines, says Talos threat researcher Nick Biasini.

A couple of days later, the second campaign arrived. Its subject, bodies, and attachments were very similar to those in the first; however, the location of where the payload was hosted had changed. Researchers looked at the DNS and noticed it was delivered from a legitimate site, which was running phpMyAdmin and had multiple MySQL flaws and default credentials. The website was taken down shortly after this was discovered, researchers say in a blog post.

The third campaign was found downloading Gandcrab from an out-of-date WordPress site riddled with vulnerabilities. The fourth leveraged the same website, highlighting another trend. Sometimes attackers return to the same site, even after it has been taken down. This pattern shows attackers aren't putting much effort into making their campaigns unique.

Biasini says this distribution of Gandcrab highlights a major problem for businesses: website compromise. Many of the Web pages on the Internet are running on antiquated software and most small businesses don't know a new flaw has been released. Even if they did, they don't have the expertise or time to update the software they rely on.

"It is increasingly easy to create a website based on a lot of the Web frameworks like WordPress, Joomla, and Drupal, among others," he explains. "The challenge is that most people creating and hosting a small-business website aren't aware that the software needs to be updated and secondly may not have the knowledge or time to undertake such an endeavor."

Each of these platforms has some form of remote management, Biasini continues. Average employees don't realize this portal needs to have strong credentials and, ideally, have the administrative page restricted to the specific IP address space. "These exposed admin pages with weak credentials are easily compromised by far more sophisticated adversaries," he notes.

Attackers will continue to leverage compromised websites because they save time and money related to domain registration, buying VPS, and configuring the server to host files. They also inherit the site's reputation, which can help with slipping past blacklisting systems.

This specific version of Gandcrab is generating a discussion around how often the malware is updated, and its creators' active participation in developing new iterations of it. "They are continually making changes and updates to this ransomware," says Biasini.

Businesses can protect themselves by patching their software, including any and all plug-ins that could be used on the site. Beyond that, he recommends securing admin portals on the pages and implementing strong passwords. In a brute-force attack, weak passwords could lead to compromise and grant the attacker access until the authentication is updated.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11321
PUBLISHED: 2018-05-22
An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
CVE-2018-11322
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
CVE-2018-11323
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
CVE-2018-11324
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated.
CVE-2018-11325
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation screen.