What Is It?
The corporate cyber security equivalent of the old real estate adage "location, location, location" is "patch, patch, patch". For some time now, attackers have been actively exploiting vulnerabilities soon after they are publicly disclosed or, in the case of true zero-day vulnerabilities, before disclosure. For many organizations, timely patching is made harder by the increasing uptime requirements of production systems, but delays in patching can have significant impacts. The latest example, described by researchers at Cisco Talos, exploits a remote code execution vulnerability in Oracle WebLogic Server to install and execute ransomware with no human interaction required. Talos found attackers installing a new strain of ransomware, dubbed Sodinokibi, as well as variants of GandCrab v5.2.
The Oracle WebLogic vulnerability (CVE-2019-2725) is easy to exploit and requires no authentication, meaning the large number of internet-facing WebLogic servers are fair game for attackers. Its Common Vulnerability Scoring System (CVSS) score is 9.8 out of 10, reflecting both its severity (remote code execution) and its ease of exploitation (reachable over the network, with no authentication or user interaction). Oracle released an out-of-band patch for this vulnerability on April 26, but Talos has reported attacks in the wild since April 17, so the flaw was being exploited as a zero-day for more than a week before a fix was available.
Once installed, the Sodinokibi ransomware encrypts files, deletes Volume Shadow Copies to make recovery from local backups harder, and presents a ransom note. The note gives instructions for paying the ransom, which initially amounts to the bitcoin equivalent of approximately US$2,500 and doubles if it is not paid within the stated deadline. For some reason, the attackers apparently felt the need, eight hours after the Sodinokibi infection, to install GandCrab v5.2 on the same systems. This may indicate that the attackers were unsure of the reliability of the new Sodinokibi ransomware.
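Shadow-copy deletion is the step in the chain above that defenders can most easily alert on, because it shows up as a process-creation event with a distinctive command line. The following is an added example, not BluVector's detection logic and not code from the incident: it parses constructed Sysmon-style process-creation lines (key=value pairs; the log format, the field names and every event below are assumptions) and flags the usual Windows ways of destroying or starving shadow copies. The page says only that Sodinokibi "deletes shadow copies" and does not name the mechanism, so the patterns cover the common ones rather than claiming which one this sample used.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added example for this write-up; not BluVector's detection logic.  The page
says only that Sodinokibi "deletes shadow copies"; the command patterns are
the general Windows ways of doing that.  Log lines are constructed, not
telemetry from the incident, and the key=value layout is an assumption.
"""
import re

# Constructed Sysmon-style (Event ID 1) lines, written as key=value pairs.
SAMPLE_EVENTS = [
    'UtcTime=2019-04-25T10:01:02 User="NT AUTHORITY\\SYSTEM" '
    'Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe Delete Shadows /All /Quiet" '
    'ParentImage=C:\\Users\\Public\\sample.exe',
    'UtcTime=2019-04-25T10:01:03 User="NT AUTHORITY\\SYSTEM" '
    'Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine="wmic shadowcopy delete" '
    'ParentImage=C:\\Users\\Public\\sample.exe',
    # Benign: a backup operator listing, not deleting, shadow copies.
    'UtcTime=2019-04-25T10:01:04 User="CORP\\backupsvc" '
    'Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin list shadows" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    # Benign: the word "shadows" in an unrelated command line.
    'UtcTime=2019-04-25T10:01:05 User="CORP\\alice" '
    'Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe shadows.txt" '
    'ParentImage=C:\\Windows\\explorer.exe',
]

# (label, pattern) pairs; all are case-insensitive and anchored on word
# boundaries so that "list shadows" or "shadows.txt" do not match.
SHADOW_COPY_DELETION = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Win32_ShadowCopy Delete via WMI/PowerShell",
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
    ("vssadmin resize shadowstorage (starves the store instead of deleting)",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I)),
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def flag_shadow_copy_deletion(lines) -> list:
    """Return one hit per event whose CommandLine matches a deletion pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for label, pat in SHADOW_COPY_DELETION:
            if pat.search(cmd):
                hits.append({"time": ev.get("UtcTime"),
                             "parent": ev.get("ParentImage"),
                             "command": cmd,
                             "technique": label})
                break  # one technique label per event is enough
    return hits


if __name__ == "__main__":
    for hit in flag_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{hit['time']}  {hit['technique']}  <- {hit['parent']}: {hit['command']}")
```

The parent image is carried into each hit on purpose: `vssadmin delete shadows` launched by a backup agent is routine, while the same command launched from a binary in a user-writable directory is the pattern to page on.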
The BluVector Threat Intel Team reverse engineered one of the Sodinokibi samples to extract its configuration. The running sample was dumped from memory, yielding a new sample with a compilation date of April 23, 2019. The dumped sample contained a section with the non-standard name ".bja". This section appeared to contain binary data preceded by a potential decryption key. Analysis of the code identified the decryption routine, which was then executed in isolation; its output was a JSON-formatted configuration file. The configuration includes a base64-encoded version of the ransom note, the file extension appended to encrypted files, and lists of files and directories to be skipped during encryption. Interestingly, it also contains a list of 1,079 seemingly legitimate domain and site names.
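The workflow described above (find the oddly named section, split off the key that precedes the data, run the decryption, parse the JSON, decode the base64 note) generalizes to any sample that stores its configuration this way. The following is an added example, not BluVector's tooling and not Sodinokibi code: a stdlib-only walk of the PE section table that flags sections outside the usual linker set, then decrypts and parses a key-prefixed blob. The page does not name the cipher, the key length or the JSON field names, so the example assumes RC4 with a 32-byte key prefix and uses constructed field names; it also builds a minimal PE with a `.bja` section inline so it runs offline.

```python
"""Pull a config blob out of a non-standard PE section and decrypt it.

Added example for this write-up; not BluVector's tooling and not Sodinokibi
code.  ASSUMPTIONS (the page does not state them): RC4, a 32-byte key
prefix, and constructed JSON field names.  Stdlib only, so the section
table is walked by hand instead of with pefile.
"""
import base64
import json
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
KEY_LEN = 32  # assumption: the page does not give the key length


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pe_sections(pe: bytes):
    """Yield (name, raw bytes) for every section header in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    for k in range(n_sections):
        off = table + 40 * k
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def nonstandard_sections(pe: bytes) -> list:
    """Triage step: sections whose names are not in the usual linker set."""
    return [(n, d) for n, d in pe_sections(pe) if n not in STANDARD_SECTIONS]


def decrypt_config(section: bytes) -> dict:
    """Split key || ciphertext, decrypt, parse JSON, decode the ransom note."""
    key, blob = section[:KEY_LEN], section[KEY_LEN:]
    cfg = json.loads(rc4(key, blob).decode("utf-8"))
    if "ransom_note_b64" in cfg:  # constructed field name
        cfg["ransom_note_text"] = base64.b64decode(cfg["ransom_note_b64"]).decode("utf-8")
    return cfg


# --- Constructed sample so the tool can be run offline --------------------
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_CONFIG = {                 # constructed field names and values
    "extension": ".constructed",
    "ransom_note_b64": base64.b64encode(
        b"Your files are encrypted. Constructed sample note.").decode(),
    "skip_dirs": ["windows", "program files"],
    "skip_files": ["boot.ini", "ntldr"],
    "domains": ["example.com", "example.org"],
}


def build_sample_pe(config: dict, key: bytes) -> bytes:
    """Minimal PE: a .text stub plus a .bja section holding key || RC4(json)."""
    payload = key + rc4(key, json.dumps(config).encode())
    text = b"\xcc" * 16
    e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # no optional header
    data_start = e_lfanew + 4 + len(coff) + 40 * 2

    def hdr(name: bytes, data: bytes, ptr: int) -> bytes:
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0, len(data), ptr, 0, 0, 0, 0, 0x40000040)

    table = hdr(b".text", text, data_start) + hdr(b".bja", payload, data_start + len(text))
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos + b"PE\0\0" + coff + table + text + payload


def demo():
    """Return (non-standard section names, decrypted config) for the sample."""
    pe = build_sample_pe(SAMPLE_CONFIG, SAMPLE_KEY)
    found = nonstandard_sections(pe)
    return [n for n, _ in found], decrypt_config(dict(found)[".bja"])
```

Against a real dump, `build_sample_pe` is not used; read the file, call `nonstandard_sections`, and try `decrypt_config` on each candidate, adjusting `KEY_LEN` and `rc4` to whatever the identified decryption routine actually does.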
How Does It Propagate?
The malware does not contain the code necessary to self-propagate. The attack vector is exploitation of the WebLogic vulnerability (CVE-2019-2725), so exposure is determined by unpatched, internet-facing WebLogic servers rather than by the malware spreading on its own.
When/How Did BluVector Detect It?
Five samples are publicly available and BluVector's patented Machine Learning Engine (MLE) detected all of them. Regression testing shows that the samples would have been detected an average of 50 months prior to their release.