Our partner Fortinet publishes a report every week about exposed threats. You can review the weekly report below. If you have questions, do not hesitate to contact us
The Ryuk ransomware caused a major disruption for some high-profile print media organizations in the United States. This malware is typically used in targeted attacks carried out via phishing or through planted files on insecure remote desktops. While the code appears to have similarities with Hermes, a ransomware associated with the North Korean hacker group Lazarus, no connection has been publically credited at this time, although the attack does appear to have originated from outside the United States. While this attack is still being investigated, it is noted that it appears the intention was to disable the infrastructure, specifically servers, as opposed to stealing information. Overall, the attack did cause the cybercriminals expected disruption, but alas, newspapers did go out, rather a bit later than expected.
Ryuk ransomware either will use the file naming format - [original filename.ext].RYK or does not change the name or extensions of the files being encrypted. The malware attempts to inject its code into the address space of processes, except explorer.exe, csrss.exe, and lsaas.exe. The malware has been observed to affect/encrypt files located on shared drives within the same subnet. Other nefarious behavior includes registry modifications, killing processes related to antivirus, database, document editing software, and backup programs.
For more details about the Ryuk ransomware, read the FortiGuard Labs encyclopedia description: W64/Ryuk.223E!tr.ransom
FortiGuard has following signatures: W64/Ryuk.223E!tr.ransom, W32/Invader.CUZR!tr.ransom, W32/Ryuk.A!tr.ransom, W32/Filecoder.NTS!tr.ransom, W64/Filecoder.Z!tr.ransom
Application Vulnerabilities / IPS
ThinkPHP.Controller.Parameter.Remote.Code.Execution -- According to their documentation, "ThinkPHP is a fast and simple lightweight development framework based on MVC and object-oriented. It is released under the Apache2 open source protocol. Since its inception, it has been adhering to simple and practical design principles, while maintaining excellent performance and simple code." And it is very much in widespread use around the globe, especially in China. It was discovered that ThinkPHP versions 5.0 and 5.1 are vulnerable to a remote code execution vulnerability, which by the time of this writing is being actively exploited by cyber criminals in the wild, making this detection jump to the second most detected IPS attack. What attackers generally do is after they get remote code execution on the server, they deploy a php backdoor on the system to make sure that they can get in afterwards and continue their nefarious work. We are seeing this campaign propagating other IoT malware as well. There have been exploits disclosed and available for download on popular threat-intelligence portals, which we believe led to this quick use of this cyber weapon. ThinkPHP has patched the issue on versions 5.0.23 and 5.1.31.
UPnP.SSDP.M.Search.Anomaly -- This is a signature that detects attempts to scan for open UPnP/SSDP routers on the internet. Usually this service should not be enabled on the WAN interface, but it can be for any number of reasons, such as misconfiguration from the user and/or vendor. Theoretically, SSDP packets should be sent to multicast address 188.8.131.52 on port 1900. If we detect traffic that is being sent to a specific IP other than that, we identify this as being generated by a scanner. Attackers are leveraging these devices to carry on an attack using NAT injection on those devices that expose UPnP/SSDP services on their WAN interface. By using this, attackers create a loophole that after exploitinb the flaw, allows them to access internal resources and creating new NAT rules from SSDP endpoints. One other attack that can be executed is using the device as a proxy for malicious traffic - using the same flaw but exploiting it differently to create proxied connections between the attacker and the router. According to an Akamai study, there are about 70k vulnerable devices on the internet. (https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf).
Another Christmas Present? -- FortiGuard labs is aware of a new update to the FilesLocker ransomware. Earlier this week, researchers discovered a variant of FilesLocker, a second version released, this one with a Christmas theme. When the victim is presented with the lock screen, a cozy and very detailed ornamental background with various red and gold ball ornaments, candy canes, gifts, a Christmas tree, and a snowman is presented to the victim with the notification in English and Chinese that they have been infected, showing them the flag, which appears to be region specific.
All your important files have been encrypted!If you understand the importance of the situation
According to researchers, the actors behind this latest ransomware variant were nice (pun intended) to leave a copy of the master key on Pastebin, strangely enough after the encryption routine was performed. Because of this, researchers in the security community were able to create a decryption tool that was successful in decrypting versions 1.0 and 2.0.
Bamboozled by Goblin Panda -- FortiGuard Labs is aware of a new campaign by the threat actors behind Goblin Panda. This new campaign utilizes a new dropper. Previous iterations used an OLE package to drop a file in %appdata% where it then proceeds to decode two files, a legitimate file and a RAT (Plugx/Newcore/Sisfader). It appears that the threat actors have changed their routine by using one large OLE file which is mapped in memory and one PE is used to drop the files. The threat currently uses CVE-2017-11882, known as the Microsoft Office Memory Corruption Vulnerability, which has been distributed in weaponized campaigns delivered in malicious RTF files. CVE-2017-11882 allows attackers to run arbitrary code and potentially take control of a system. Also, to make matters worse and even more confusing, there appears to be an overlap between CVE-2017-11882 and CVE-2017-0802, where a fix was released in the January 2018 monthly bulletin cycle. The vulnerability is a stack overflow bug when parsing the long font name string in a FONT record, similar to CVE-2017-11882. It can be used by attackers to execute arbitrary code in the security context of the logged-on user.
Web Filtering Activity
A "JAR" Full -- FortiGuard Labs Web Filtering team is aware of a new, malicious email campaign targeting employees of banks and financial services companies. The malicious payload was hosted on storage.googleapis.com, which is very popular with enterprise customers. Attackers used malicious VBS scripts and JAR files to compromise various endpoints. The scripts are highly obfuscated with three levels of highly obfuscated VBScript, using Base64 encoding. Two C2 servers (fud[.]fudcrypt[.]com and pm2bitcoin[.]com) were used in all of the scripts).