Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/10/2018
04:04 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Satan Ransomware Variant Exploits 10 Server-Side Flaws

Windows, Linux systems vulnerable to self-propagating 'Lucky' malware, security researchers say.

A new version of ransomware that first surfaced about two years ago is garnering attention for its ability to spread via as many as ten different vulnerabilities in Windows and Linux server platforms.

"Lucky," as the new malware is called, is a variant of Satan, a data encryption tool that first became available via a ransomware-as-a-service offering in January 2017. Like Satan, Lucky also is worm-like in behavior and capable of spreading on its own with no human interaction at all.

Security vendor NSFocus spotted the variant on systems belonging to some of its financial services customers in late November, and described it as likely to cause extensive infections worldwide. The malware is capable of exploiting previously known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat, Apache Struts 2, and Spring Data Commons.

Sangfor Tech, another security vendor, also heard from a customer in the financial sector about Lucky infecting some of their Linux production servers. In a blog post, Sangfor said its researchers found the ransomware to encrypt files and append the name '.lucky' to the encrypted files.

NSFocus identified the ten vulnerabilities that Lucky uses to propagate itself: JBoss default configuration vulnerability (CVE-2010-0738); Tomcat arbitrary file upload vulnerability (CVE-2017-12615); WebLogic arbitrary file upload vulnerability (CVE-2018-2894); WebLogic WLS component vulnerability (CVE-2017-10271); Windows SMB remote code execution vulnerability (MS17-010); Spring Data Commons remote code execution vulnerability (CVE-2018-1273); Apache Struts 2 remote code execution vulnerability (S2-045); Apache Struts 2 remote code execution vulnerability (S2-057); and Tomcat Web admin console backstage weak password brute-force flaw.

"There is a risk of extensive infections because [of the] big arsenal of vulnerabilities that [the malware] attempts to exploit," says Apostolos Giannakidis, security architect at Waratek, which also posted a blog on the threat.

All of the vulnerabilities are easy to exploit, and actual exploits are publicly available for many of them that allow attackers to compromise vulnerable systems with little to no customization required, he says. Several of the vulnerabilities used by Lucky were disclosed just a few months ago, which means that the risk of infection is big for organizations that have not yet patched their systems, Giannakidis says.

All but one of the server-side vulnerabilities that Lucky uses affect Java server apps. "The vulnerabilities that affect JBoss, Tomcat, WebLogic, Apache Struts 2, and Spring Data Commons are all remote code execution vulnerabilities that allow attackers to easily execute OS commands on any platform," he notes.

Ransomware attacks have not been quite as high-profile this year as they were in 2017, with the WannaCry and NetPetya outbreaks. But as the new Lucky variant shows, ransomware still remains a popular tool in the attacker's arsenal.

SecureWorks recently analyzed threat data from over 4,000 companies and found that low and mid-level criminals especially are maintaining a steady level of malicious activity against enterprises using ransomware and cryptomining tools. The firm found no discernable difference in ransomware activity between this year and 2017.

Ransomware Pivots to Servers

Like other self-propagating malware, Lucky attempts to spread right after it completes encrypting files on the victim system. The malware scans for specific IPs and ports on the local network and then sends its malicious payload to any systems that are discovered to be vulnerable.

Lucky is an example of how attackers have evolved ransomware tools over the past two- to three years. Instead of targeting OS vulnerabilities—such as Windows SMB protocol—on desktop and other end-user systems, attackers have pivoted to attacking servers instead, Giannakidis notes.

"Instead of targeting OS vulnerabilities their focus is now applications and services on servers," Giannakidis says. "This is also evident by the fact that the ransomware targets Linux systems, which are primarily used for servers."

One reason for the shift in attacks could be that patching server-side applications is a considerably more difficult task than patching desktops. Servers with vulnerabilities in them are likely to remain unpatched—and therefore exposed to attack—for longer periods than vulnerable end-user systems, Giannakidis notes. "According to recent studies, organizations need on average at least three to four months to patch known vulnerabilities with windows of exposure of more than one year to be very common in the enterprise world."

What to Do

NSFocus recommends using an egress firewall or similar functionality to check for suspicious port scanning activity as well as for vulnerabilities getting exploited. Security admins also should check for requests to access to a list of four specific IP addresses and domains and provided steps that organizations can follow to remove the virus from infected systems.

And upgrade to the latest versions of affected software, NSFocus says, and install patches where available.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.