Lucky ransomware: Satan virus variant poses risk of extensive infection

By Waratek, December 7, 2018. Categories: Alerts, Patching, Zero Day

Linux and Windows Platforms at risk via 10 CVEs

Overview

Waratek Customer Alert

Independent security researchers at NSFOCUS and Sangfor have identified a Satan worm/virus variant that impacts Linux and Windows platforms and behaves similarly to the Satan ransomware. The malware is believed to have already infected Linux servers in production and, given the aggressive manner in which it spreads, there is a risk of extensive infection.

The virus exploits known vulnerabilities in JBoss, Tomcat, WebLogic, Windows SMB, Apache Struts 2, and Spring Data Commons software.

Waratek customers are already protected by runtime virtual patches as well as Waratek’s unsafe deserialization zero-day-protection rule.

Details

NSFOCUS discovered customers were infected with ransomware believed to be a variant of FT.exe, with the capability of dropping crypto-miners and ransomware. The Satan virus spreads across Linux and Windows platforms like a worm, exploiting the following vulnerabilities:

  • JBoss deserialization vulnerability
  • JBoss default configuration vulnerability (CVE-2010-0738)
  • Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
  • Tomcat web management console weak-password brute-force attack
  • WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
  • WebLogic WLS component vulnerability (CVE-2017-10271)
  • Windows SMB remote code execution vulnerability (MS17-010)
  • Apache Struts 2 remote code execution vulnerability (S2-045)
  • Apache Struts 2 remote code execution vulnerability (S2-057)
  • Spring Data Commons remote code execution vulnerability (CVE-2018-1273)

Lucky Ransomware

If the malware successfully infects a system, it encrypts local files, appends .lucky to their names, and drops a ransom note named “_How_To_Decrypt_My_File_”.

Advice

Organizations with the impacted platforms and configurations should keep track of the latest vulnerability alerts and immediately scan their systems for the known CVEs that could be exploited.

Organizations should also check their egress firewall logs for the presence of port-scanning activity as well as connections to the following IP addresses:

111.90.158.225, 107.179.65.195, 23.247.83.135, 111.90.158.224.
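As an added example (not part of the advisory), the following Python check runs the two log reviews recommended above over constructed, iptables-style egress log lines: it flags connections to the four listed addresses and flags a horizontal port-scan pattern (one internal host probing the same port on many destinations). The log format, field names and the scan threshold are assumptions, not something the alert specifies.

```python
import re
from collections import defaultdict

# Destination addresses named in the alert above.
LUCKY_C2_IPS = {"111.90.158.225", "107.179.65.195", "23.247.83.135", "111.90.158.224"}

# Constructed sample egress log lines in an assumed iptables LOG-target style.
SAMPLE_LOG = [
    "Dec 07 10:01:02 gw kernel: OUT SRC=10.0.0.12 DST=111.90.158.225 PROTO=TCP SPT=50111 DPT=80",
    "Dec 07 10:01:03 gw kernel: OUT SRC=10.0.0.12 DST=93.184.216.34 PROTO=TCP SPT=50112 DPT=443",
    "Dec 07 10:01:09 gw kernel: OUT SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=39999 DPT=443",
    # 10.0.0.7 then probes SMB (445) on six consecutive hosts: a horizontal scan pattern.
] + [
    f"Dec 07 10:02:0{i} gw kernel: OUT SRC=10.0.0.7 DST=192.0.2.{i} PROTO=TCP SPT=4000{i} DPT=445"
    for i in range(1, 7)
]

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ SPT=\d+ DPT=(?P<dport>\d+)")


def parse(lines):
    """Yield (src, dst, dport) for every line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_ioc_hits(lines, iocs=LUCKY_C2_IPS):
    """Return (src, dst, dport) records whose destination is a listed address."""
    return [rec for rec in parse(lines) if rec[1] in iocs]


def find_port_scanners(lines, min_targets=5):
    """Return {src: {dport: distinct_hosts}} for sources that contacted at least
    min_targets distinct destination hosts on the same port."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse(lines):
        seen[src][dport].add(dst)
    return {
        src: {p: len(hosts) for p, hosts in ports.items() if len(hosts) >= min_targets}
        for src, ports in seen.items()
        if any(len(hosts) >= min_targets for hosts in ports.values())
    }


if __name__ == "__main__":
    print("IoC hits:", find_ioc_hits(SAMPLE_LOG))
    print("Scanners:", find_port_scanners(SAMPLE_LOG))
```

Point the functions at real egress logs by reading the file line by line and adjusting `LINE_RE` to the firewall's actual field layout; the scan threshold should be tuned to what is normal for the network.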

Waratek Enterprise and Waratek Secure customers are already protected by the platform’s zero-day and zero-false-positives protection features against code injection, command injection, unsafe deserialization, and arbitrary file upload attacks. No further rule configuration or any other kind of tuning is needed to achieve protection. Waratek Patch users that have applied the corresponding ARMR Runtime Virtual Patches are also protected against this malware.

Non-customers should immediately upgrade or patch their JBoss, Tomcat and WebLogic servers as well as their Struts 2 and Spring applications. Additionally, Windows users should install the MS17-010 patch immediately or disable the SMB service if it is not used. In all cases, anti-virus software with the latest virus definitions should be installed on all systems. Finally, it is critical to back up all server and user data and to make sure that the restore process is working as expected.


Author: Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead. Waratek is one of CSO Online’s Best Security Software solutions of 2017, a winner of the RSA Innovation Sandbox Award, and more than a dozen other awards and recognitions.
