Lucky ransomware: Satan virus variant poses risk of extensive infection

By Apostolos Giannakidis | December 7, 2018 (last updated December 18, 2018) | Alerts, Patching, Zero Day

Linux and Windows platforms at risk via 10 known vulnerabilities

Overview

Waratek Customer Alert

Independent security researchers at NSFOCUS and Sangfor have identified a Satan worm/virus variant that impacts Linux and Windows platforms and behaves similarly to the Satan ransomware. The malware is believed to have already infected Linux servers in production, and, given the aggressive manner in which it spreads, there is a risk of extensive infections.

The virus exploits known vulnerabilities in JBoss, Tomcat, WebLogic, Windows SMB, Apache Struts 2, and Spring Data Commons software.

Waratek customers are already protected by runtime virtual patches as well as Waratek’s unsafe deserialization zero-day-protection rule.

Details

NSFOCUS discovered that customers were infected with ransomware believed to be a variant of FT.exe, which is capable of dropping both crypto-miners and ransomware. The Satan virus spreads across Linux and Windows platforms like a worm, exploiting the following vulnerabilities:

  • JBoss deserialization vulnerability
  • JBoss default configuration vulnerability (CVE-2010-0738)
  • Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
  • Tomcat Manager web console weak-password brute-force attack
  • WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
  • WebLogic WLS component vulnerability (CVE-2017-10271)
  • Windows SMB remote code execution vulnerability (MS17-010)
  • Apache Struts 2 remote code execution vulnerability (S2-045)
  • Apache Struts 2 remote code execution vulnerability (S2-057)
  • Spring Data Commons remote code execution vulnerability (CVE-2018-1273)

Lucky Ransomware

If the malware successfully infects a system, it encrypts local files, appends .lucky to their names, and drops a ransom note named “_How_To_Decrypt_My_File_”.

Advice

Organizations running the impacted platforms and configurations should keep track of the latest vulnerability alerts and immediately scan their systems for the vulnerabilities listed above.

Organizations should also check their egress firewall logs for outbound port-scanning activity (an infected host probes other machines for the services listed above) as well as for connections to the following IP addresses:

111.90.158.225, 107.179.65.195, 23.247.83.135, 111.90.158.224.
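The log check described above, as an added example that is not part of the original alert: the script below parses constructed firewall log lines in a simplified key=value format (an assumption; adapt the regular expression to your firewall's export), flags any egress flow to the four IOC addresses listed in the alert, and flags internal sources that touch many distinct host/port targets within a short window, which is what a worm's exploit module looks like from the egress side. The target port set is also an assumption: the alert names services (JBoss, Tomcat, WebLogic, Struts, Spring, SMB), not port numbers.

```python
"""Triage egress firewall logs for Lucky/Satan worm indicators (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOC addresses taken from the alert.
LUCKY_C2_IPS = {
    "111.90.158.225", "107.179.65.195", "23.247.83.135", "111.90.158.224",
}

# Assumption: default ports for the services named in the alert
# (HTTP app servers for JBoss/Tomcat/WebLogic/Struts/Spring, SMB for MS17-010).
WORM_TARGET_PORTS = {80, 443, 445, 7001, 8080, 8443}

# Constructed log format: "<iso-timestamp> <ALLOW|DENY> proto=.. src=.. dst=.. dpt=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def find_c2_connections(events):
    """Any egress flow to an IOC address, allowed or denied, deserves a look."""
    return [ev for ev in events if ev["dst"] in LUCKY_C2_IPS]


def find_port_scanners(events, min_targets=10, window=timedelta(seconds=60)):
    """Return sources that hit >= min_targets distinct (dst, port) pairs on
    worm-relevant ports inside a sliding time window of length `window`."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["dpt"] in WORM_TARGET_PORTS:
            per_src[ev["src"]].append(ev)
    scanners = []
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {(e["dst"], e["dpt"]) for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                scanners.append(src)
                break
    return sorted(scanners)


# Constructed sample: 10.0.0.5 probes twelve hosts then contacts an IOC address;
# 10.0.0.7 is ordinary traffic; the last line shows that junk is skipped.
SAMPLE_LOG = """\
2018-12-07T10:00:00 ALLOW proto=tcp src=10.0.0.7 dst=203.0.113.9 dpt=443
2018-12-07T10:00:01 ALLOW proto=tcp src=10.0.0.5 dst=198.51.100.1 dpt=445
2018-12-07T10:00:02 DENY proto=tcp src=10.0.0.5 dst=198.51.100.2 dpt=445
2018-12-07T10:00:03 ALLOW proto=tcp src=10.0.0.5 dst=198.51.100.3 dpt=8080
2018-12-07T10:00:04 DENY proto=tcp src=10.0.0.5 dst=198.51.100.4 dpt=7001
2018-12-07T10:00:05 ALLOW proto=tcp src=10.0.0.5 dst=198.51.100.5 dpt=445
2018-12-07T10:00:06 ALLOW proto=tcp src=10.0.0.7 dst=203.0.113.9 dpt=443
2018-12-07T10:00:07 DENY proto=tcp src=10.0.0.5 dst=198.51.100.6 dpt=8080
2018-12-07T10:00:08 DENY proto=tcp src=10.0.0.5 dst=198.51.100.7 dpt=445
2018-12-07T10:00:09 ALLOW proto=tcp src=10.0.0.5 dst=198.51.100.8 dpt=445
2018-12-07T10:00:10 DENY proto=tcp src=10.0.0.5 dst=198.51.100.9 dpt=7001
2018-12-07T10:00:11 ALLOW proto=tcp src=10.0.0.5 dst=198.51.100.10 dpt=8080
2018-12-07T10:00:12 DENY proto=tcp src=10.0.0.5 dst=198.51.100.11 dpt=445
2018-12-07T10:00:13 ALLOW proto=tcp src=10.0.0.5 dst=198.51.100.12 dpt=445
2018-12-07T10:00:20 ALLOW proto=tcp src=10.0.0.5 dst=111.90.158.225 dpt=443
2018-12-07T10:00:21 ALLOW proto=tcp src=10.0.0.7 dst=203.0.113.10 dpt=80
this line is not in the expected format and is skipped
"""


def triage(text):
    events = parse_log(text)
    return {"c2": find_c2_connections(events), "scanners": find_port_scanners(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ev in result["c2"]:
        print(f"IOC contact: {ev['src']} -> {ev['dst']}:{ev['dpt']} ({ev['action']})")
    print("possible scanners:", result["scanners"])
```

Denied flows are deliberately kept in both checks: a blocked connection to a known C2 address or a burst of blocked probes still tells you which internal host is infected, which is the question incident response needs answered first.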

Waratek Enterprise and Waratek Secure customers are already protected by the platform’s zero-day and zero-false-positives protection features against code injection, command injection, unsafe deserialization, and arbitrary file upload attacks. No further rule configuration or any other kind of tuning is needed to achieve protection. Waratek Patch users that have applied the corresponding ARMR Runtime Virtual Patches are also protected against this malware.

Non-customers should immediately upgrade or patch their JBoss, Tomcat and WebLogic servers as well as their Struts 2 and Spring applications. Additionally, Windows users should install the MS17-010 patch immediately, or disable the SMB service if it is not used. In all cases, anti-virus software with the latest virus definitions should be installed on all systems. Finally, it is critical to back up all server and user data and to verify that the restore process works as expected.


Author Apostolos Giannakidis

Apostolos drives the research and the design of the security features of Waratek’s RASP container. Before starting his journey at Waratek in 2014, Apostolos worked at Oracle for 2 years, focusing on destructive testing of the whole Oracle technology stack and on security testing of the Solaris operating system. Apostolos has more than 10 years of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham. Apostolos is acknowledged by Oracle for submitting two Java deserialization vulnerabilities that were fixed in the Oracle January 2018 CPU and is featured on Google’s Vulnerability Reward Program Hall of Fame.
