Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/10/2018
04:04 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Satan Ransomware Variant Exploits 10 Server-Side Flaws

Windows, Linux systems vulnerable to self-propagating 'Lucky' malware, security researchers say.

A new version of ransomware that first surfaced about two years ago is garnering attention for its ability to spread via as many as ten different vulnerabilities in Windows and Linux server platforms.

"Lucky," as the new malware is called, is a variant of Satan, a data encryption tool that first became available via a ransomware-as-a-service offering in January 2017. Like Satan, Lucky also is worm-like in behavior and capable of spreading on its own with no human interaction at all.

Security vendor NSFocus spotted the variant on systems belonging to some of its financial services customers in late November, and described it as likely to cause extensive infections worldwide. The malware is capable of exploiting previously known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat, Apache Struts 2, and Spring Data Commons.

Sangfor Tech, another security vendor, also heard from a customer in the financial sector about Lucky infecting some of their Linux production servers. In a blog post, Sangfor said its researchers found the ransomware to encrypt files and append the name '.lucky' to the encrypted files.

NSFocus identified the ten vulnerabilities that Lucky uses to propagate itself: JBoss default configuration vulnerability (CVE-2010-0738); Tomcat arbitrary file upload vulnerability (CVE-2017-12615); WebLogic arbitrary file upload vulnerability (CVE-2018-2894); WebLogic WLS component vulnerability (CVE-2017-10271); Windows SMB remote code execution vulnerability (MS17-010); Spring Data Commons remote code execution vulnerability (CVE-2018-1273); Apache Struts 2 remote code execution vulnerability (S2-045); Apache Struts 2 remote code execution vulnerability (S2-057); and Tomcat Web admin console backstage weak password brute-force flaw.

"There is a risk of extensive infections because [of the] big arsenal of vulnerabilities that [the malware] attempts to exploit," says Apostolos Giannakidis, security architect at Waratek, which also posted a blog on the threat.

All of the vulnerabilities are easy to exploit, and actual exploits are publicly available for many of them that allow attackers to compromise vulnerable systems with little to no customization required, he says. Several of the vulnerabilities used by Lucky were disclosed just a few months ago, which means that the risk of infection is big for organizations that have not yet patched their systems, Giannakidis says.

All but one of the server-side vulnerabilities that Lucky uses affect Java server apps. "The vulnerabilities that affect JBoss, Tomcat, WebLogic, Apache Struts 2, and Spring Data Commons are all remote code execution vulnerabilities that allow attackers to easily execute OS commands on any platform," he notes.

Ransomware attacks have not been quite as high-profile this year as they were in 2017, with the WannaCry and NetPetya outbreaks. But as the new Lucky variant shows, ransomware still remains a popular tool in the attacker's arsenal.

SecureWorks recently analyzed threat data from over 4,000 companies and found that low and mid-level criminals especially are maintaining a steady level of malicious activity against enterprises using ransomware and cryptomining tools. The firm found no discernable difference in ransomware activity between this year and 2017.

Ransomware Pivots to Servers

Like other self-propagating malware, Lucky attempts to spread right after it completes encrypting files on the victim system. The malware scans for specific IPs and ports on the local network and then sends its malicious payload to any systems that are discovered to be vulnerable.

Lucky is an example of how attackers have evolved ransomware tools over the past two- to three years. Instead of targeting OS vulnerabilities—such as Windows SMB protocol—on desktop and other end-user systems, attackers have pivoted to attacking servers instead, Giannakidis notes.

"Instead of targeting OS vulnerabilities their focus is now applications and services on servers," Giannakidis says. "This is also evident by the fact that the ransomware targets Linux systems, which are primarily used for servers."

One reason for the shift in attacks could be that patching server-side applications is a considerably more difficult task than patching desktops. Servers with vulnerabilities in them are likely to remain unpatched—and therefore exposed to attack—for longer periods than vulnerable end-user systems, Giannakidis notes. "According to recent studies, organizations need on average at least three to four months to patch known vulnerabilities with windows of exposure of more than one year to be very common in the enterprise world."

What to Do

NSFocus recommends using an egress firewall or similar functionality to check for suspicious port scanning activity as well as for vulnerabilities getting exploited. Security admins also should check for requests to access to a list of four specific IP addresses and domains and provided steps that organizations can follow to remove the virus from infected systems.

And upgrade to the latest versions of affected software, NSFocus says, and install patches where available.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10855
PUBLISHED: 2019-05-23
Computrols CBAS 18.0.0 mishandles password hashes. The approach is MD5 with a pw prefix, e.g., if the password is admin, it will calculate the MD5 hash of pwadmin and store it in a MySQL database.
CVE-2019-10866
PUBLISHED: 2019-05-23
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.
CVE-2016-7550
PUBLISHED: 2019-05-23
asterisk 13.10.0 is affected by: denial of service issues in asterisk. The impact is: cause a denial of service (remote).
CVE-2016-8897
PUBLISHED: 2019-05-23
Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/help/controllers/helpController.php.
CVE-2016-8899
PUBLISHED: 2019-05-23
Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.