- SamSam operators switch tactic and are more focused on targeted organizations
- Oracle botches CVE-2018-2628 patch and hackers promptly start scanning for vulnerable WebLogic installs
- Op GhostSecret – ThaiCERT seized a server used by North Korea Hidden Cobra APT group in the Sony Picture hack
Posted: 30 Apr 2018 05:45 AM PDT
SamSam ransomware made the headlines again, crooks now spreading thousands of copies of the ransomware at once into individual targeted organizations.
SamSam ransomware made the headlines, according to malware researchers at Sophos, its operators are now spreading thousands of copies of the ransomware at once into individual organizations. The experts warn of targeted attacks, this means that the organizations are carefully selected by the crooks.
“Unlike most of the well-known ransomware families, which attack randomly, SamSam is used against specific organizations, those most likely to pay to get their data back, like hospitals or schools.” reads the analysis published by Sophos.
“Instead of spam campaigns, the cybercriminals behind SamSam use vulnerabilities
The operators behind the recently discovered SamSam campaign attempt to exploit known vulnerability to compromise networks of targeted organizations. The hackers have been seen using brute-force tactics against Remote Desktop Protocol (RDP) passwords.
Once compromised a system inside the targeted organization, the SamSam search for other machine to infect while stealing credentials.
When operators discover a potential target they manually deploy SamSam using tools like PSEXEC and batch scripts.
The following diagram shows the different steps of the latest SamSam variant for which the initial infection vector is still unclear.
Once infected the largest number of systems in the targeted organization, SamSam operators attempt to offer a complete clean up of the infected systems for a special price.
“Instead of blasting out one copy of the malware out to thousands of potential victims over a day or two, the crooks blast thousands of copies of the malware onto computers inside a single organisation, pretty much all at once…” reads a blog post published by Sophos. “…and then, almost casually, they offer a "volume discount" to fix the entire company in one fell swoop.”
At the equivalent of $7200 per PC, but crooks "just" request a $45,000 ransom to decrypt your whole company.
The Bitcoin ransom seems to be adjusted, based on the BTC-to-US$ exchange rate at the time of the infection of the organization.
"We don't know why the price is $45,000. For all we know, that number was picked because it's below certain reporting threholds, or because the crooks want to pick the highest value they dare without getting into corporate board-level approval territory. All we can say is that $45,000 is a lot of money." continues the post.
Rather than pay the entire ransom, companies can pay to restore only select machines by sending the specific hostnames to the operators.
System administrators must install security updates for any software installed on the organization, run a security software, and always back up their data.
(Security Affairs – ski lift, hacking)
The post SamSam operators switch tactic and are more focused on targeted organizations appeared first on Security Affairs.
Posted: 30 Apr 2018 03:05 AM PDT
According to a security expert, Oracle appears to have botched the CVE-2018-2628 fix, this means that attackers could bypass it to take over WebLogic servers.
The CVE-2018-2628 flaw was addressed in Oracle’s Critical Patch Update (CPU) security advisory, a remote attacker can easily exploit the vulnerability to completely take over an Oracle WebLogic server.
“Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 188.8.131.52, 184.108.40.206 and 220.127.116.11.” reads the description provided by Mitre. “Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).”
@pyn3rd added that it is quite easy to bypass the patch:
The popular cyber security expert Kevin Beaumont explained that the mitigation implemented by Oracle seems to only blacklist commands.
Such kind of errors could have serious consequences on the end users, since April 17, (just after Oracle published the quarterly Critical Patch Update (CPU) advisory). experts are observing threat actors started scanning the Internet, searching for Oracle WebLogic servers.
After Oracle published the Critical Patch Updates, the researchers Xinxi published the technical details of the CVE-2018-2628 vulnerability and later a user with moniker ‘Brianwrf’ shared proof-of-concept (PoC) code on GitHub.
The availability of the PoC code caused a spike in scans for port 7001 that runs the vulnerable WebLogic T3 service.
In the following graph from SANS Institute shows the spike in Internet scans for port 7001:
(Security Affairs – CVE-2018-2628 Oracle WebLogic, hacking)
Posted: 30 Apr 2018 01:06 AM PDT
The Thai authorities with the support of the ThaiCERT and security first McAfee have seized a server used by North Korean Hidden Cobra APT as part of the Op GhostSecret campaign.
The Thai authorities with the support of the ThaiCERT have seized a server used by North Korean hackers in the attack against Sony Picture.
The server was located in a Thai university and allegedly used as part of a North Korean hacking campaign conducted by the Hidden Cobra APT group.
The identification of the server was the result of the investigation conducted by experts at McAfee that analyzed the Operation GhostSecret searching for infrastructures involved worldwide.
“Our investigation into this campaign reveals that the actor used multiple malware implants, including an unknown implant with capabilities similar to Bankshot. From March 18 to 26 we observed the malware operating in multiple areas of the world. This new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.” reads the report published by McAfee.
“Further investigation into the control server infrastructure reveals the SSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, which is tied to the control server 203[.]131[.]222[.]83, used by the February 2018 implant. This server resides at Thammasat University in Bangkok, Thailand. The same entity hosted the control server for the Sony Pictures implants. This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack.”
According to a security advisory published by the ThaiCERT, the operation GhostSecret kicked off in February 2018. McAfee identified three IP addresses (18.104.22.168, 22.214.171.124, and 126.96.36.199) belonging to Thammasat University that are associated with the Thai activity.
Researchers at McAfee reported the IP addresses of the command and control servers involved in the GhostSecret.
GhostSecret operation first targeted the Turkish financial sector in February 2018, during the period from 14 to 18 March 2018 it targeted entities in more than 17 countries, including Thailand and according to the experts it is still active.
According to McAfee, the Operation GhostSecret is a global data reconnaissance campaign targeting critical infrastructure, entertainment, finance, healthcare, and telecommunications worldwide. The hackers behind Operation GhostSecret leverage multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra.
McAfee has also discovered a new Destover malware implant variant with capabilities similar to the Bankshot malware and that resembles parts of the Destover malware.
Furthermore, the experts at the Advanced Threat Research team have discovered an undocumented implant tracked as Proxysvc that operated undetected since mid-2017.
ThaiCERT along with local authorities and McAfee researchers are currently analyzing the content of the seized server.
(Security Affairs – GhostSecret, North Korea)
|You are subscribed to email updates from Security Affairs. |
To stop receiving these emails, you may unsubscribe now.
|Email delivery powered by Google|
|Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States|