Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/10/2018
04:04 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Satan Ransomware Variant Exploits 10 Server-Side Flaws

Windows, Linux systems vulnerable to self-propagating 'Lucky' malware, security researchers say.

A new version of ransomware that first surfaced about two years ago is garnering attention for its ability to spread via as many as ten different vulnerabilities in Windows and Linux server platforms.

"Lucky," as the new malware is called, is a variant of Satan, a data encryption tool that first became available via a ransomware-as-a-service offering in January 2017. Like Satan, Lucky also is worm-like in behavior and capable of spreading on its own with no human interaction at all.

Security vendor NSFocus spotted the variant on systems belonging to some of its financial services customers in late November, and described it as likely to cause extensive infections worldwide. The malware is capable of exploiting previously known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat, Apache Struts 2, and Spring Data Commons.

Sangfor Tech, another security vendor, also heard from a customer in the financial sector about Lucky infecting some of their Linux production servers. In a blog post, Sangfor said its researchers found the ransomware to encrypt files and append the name '.lucky' to the encrypted files.

NSFocus identified the ten vulnerabilities that Lucky uses to propagate itself: JBoss default configuration vulnerability (CVE-2010-0738); Tomcat arbitrary file upload vulnerability (CVE-2017-12615); WebLogic arbitrary file upload vulnerability (CVE-2018-2894); WebLogic WLS component vulnerability (CVE-2017-10271); Windows SMB remote code execution vulnerability (MS17-010); Spring Data Commons remote code execution vulnerability (CVE-2018-1273); Apache Struts 2 remote code execution vulnerability (S2-045); Apache Struts 2 remote code execution vulnerability (S2-057); and Tomcat Web admin console backstage weak password brute-force flaw.

"There is a risk of extensive infections because [of the] big arsenal of vulnerabilities that [the malware] attempts to exploit," says Apostolos Giannakidis, security architect at Waratek, which also posted a blog on the threat.

All of the vulnerabilities are easy to exploit, and actual exploits are publicly available for many of them that allow attackers to compromise vulnerable systems with little to no customization required, he says. Several of the vulnerabilities used by Lucky were disclosed just a few months ago, which means that the risk of infection is big for organizations that have not yet patched their systems, Giannakidis says.

All but one of the server-side vulnerabilities that Lucky uses affect Java server apps. "The vulnerabilities that affect JBoss, Tomcat, WebLogic, Apache Struts 2, and Spring Data Commons are all remote code execution vulnerabilities that allow attackers to easily execute OS commands on any platform," he notes.

Ransomware attacks have not been quite as high-profile this year as they were in 2017, with the WannaCry and NetPetya outbreaks. But as the new Lucky variant shows, ransomware still remains a popular tool in the attacker's arsenal.

SecureWorks recently analyzed threat data from over 4,000 companies and found that low and mid-level criminals especially are maintaining a steady level of malicious activity against enterprises using ransomware and cryptomining tools. The firm found no discernable difference in ransomware activity between this year and 2017.

Ransomware Pivots to Servers

Like other self-propagating malware, Lucky attempts to spread right after it completes encrypting files on the victim system. The malware scans for specific IPs and ports on the local network and then sends its malicious payload to any systems that are discovered to be vulnerable.

Lucky is an example of how attackers have evolved ransomware tools over the past two- to three years. Instead of targeting OS vulnerabilities—such as Windows SMB protocol—on desktop and other end-user systems, attackers have pivoted to attacking servers instead, Giannakidis notes.

"Instead of targeting OS vulnerabilities their focus is now applications and services on servers," Giannakidis says. "This is also evident by the fact that the ransomware targets Linux systems, which are primarily used for servers."

One reason for the shift in attacks could be that patching server-side applications is a considerably more difficult task than patching desktops. Servers with vulnerabilities in them are likely to remain unpatched—and therefore exposed to attack—for longer periods than vulnerable end-user systems, Giannakidis notes. "According to recent studies, organizations need on average at least three to four months to patch known vulnerabilities with windows of exposure of more than one year to be very common in the enterprise world."

What to Do

NSFocus recommends using an egress firewall or similar functionality to check for suspicious port scanning activity as well as for vulnerabilities getting exploited. Security admins also should check for requests to access to a list of four specific IP addresses and domains and provided steps that organizations can follow to remove the virus from infected systems.

And upgrade to the latest versions of affected software, NSFocus says, and install patches where available.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...