Endpoint

5/11/2018
03:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Gandcrab Ransomware Exploits Website Vulnerabilities

Researchers find campaigns distributing Gandcrab by hosting malware on legitimate websites with poor security measures.

Cryptominers may have stolen the spotlight as cybercrime's hottest new trend, but it doesn't mean we can stop paying attention to ransomware. Researchers at Cisco Talos detected a new batch of Gandcrab ransomware being distributed through legitimate but poorly secured sites.

Gandcrab, among the newest threats in the ransomware space, started as a simple attack and quickly evolved as its authors adapted to security defenses. In the first two months of 2018, attackers infected more than 50,000 victims and generated more than $600,000 for attackers. This threat spreads via spam campaigns and exploit kits including Rig and Grandsoft.

Talos researchers were analyzing a recent spam campaign when they found a series of compromised sites delivering Gandcrab and continued to identify four separate campaigns over the period of one week. The first started on April 30 and was disguised as an online order. An attached ZIP file has a Word document that downloads and executes the ransomware. Emails contained either VBScripts or ZIP files but always delivered the same result.

An interesting part of this campaign is the tools used to download Gandcrab. There are several ways to do this with macros, but attackers chose to use certutil.exe, a command line utility installed as part of Certificate Services. The use of certutil demonstrates how adversaries are seeking new and effective ways to download malware onto targets' machines, says Talos threat researcher Nick Biasini.

A couple of days later, the second campaign arrived. Its subject, bodies, and attachments were very similar to those in the first; however, the location of where the payload was hosted had changed. Researchers looked at the DNS and noticed it was delivered from a legitimate site, which was running phpMyAdmin and had multiple MySQL flaws and default credentials. The website was taken down shortly after this was discovered, researchers say in a blog post.

The third campaign was found downloading Gandcrab from an out-of-date WordPress site riddled with vulnerabilities. The fourth leveraged the same website, highlighting another trend. Sometimes attackers return to the same site, even after it has been taken down. This pattern shows attackers aren't putting much effort into making their campaigns unique.

Biasini says this distribution of Gandcrab highlights a major problem for businesses: website compromise. Many of the Web pages on the Internet are running on antiquated software and most small businesses don't know a new flaw has been released. Even if they did, they don't have the expertise or time to update the software they rely on.

"It is increasingly easy to create a website based on a lot of the Web frameworks like WordPress, Joomla, and Drupal, among others," he explains. "The challenge is that most people creating and hosting a small-business website aren't aware that the software needs to be updated and secondly may not have the knowledge or time to undertake such an endeavor."

Each of these platforms has some form of remote management, Biasini continues. Average employees don't realize this portal needs to have strong credentials and, ideally, have the administrative page restricted to the specific IP address space. "These exposed admin pages with weak credentials are easily compromised by far more sophisticated adversaries," he notes.

Attackers will continue to leverage compromised websites because they save time and money related to domain registration, buying VPS, and configuring the server to host files. They also inherit the site's reputation, which can help with slipping past blacklisting systems.

This specific version of Gandcrab is generating a discussion around how often the malware is updated, and its creators' active participation in developing new iterations of it. "They are continually making changes and updates to this ransomware," says Biasini.

Businesses can protect themselves by patching their software, including any and all plug-ins that could be used on the site. Beyond that, he recommends securing admin portals on the pages and implementing strong passwords. In a brute-force attack, weak passwords could lead to compromise and grant the attacker access until the authentication is updated.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11471
PUBLISHED: 2018-05-25
Cockpit 0.5.5 has XSS via a collection, form, or region.
CVE-2018-11472
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php).
CVE-2018-11473
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration).
CVE-2018-11474
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=edit&user_id=1 does not invalidate a session that is open in a different browser.
CVE-2018-11475
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. A password change at users/1/edit does not invalidate a session that is open in a different browser.