Sodinokibi / REvil Ransomware Targets Oracle Weblogic Vulnerability

[Update April 12, 2020: An attacker group posted an internal-only document to a public forum, claiming to have used REvil (aka Sodinokibi) to exfiltrate it and other documents from 10X Genomics, which creates tools that are used to examine the cells of patients who’ve recovered from COVID-19. The document, which claimed to have information about its 1,200 plus employees and its systems, was shared with Bloomberg News to offer proof of the attack. In the attackers’ claims, they indicated possession of over a terabyte of internal documents. While the company offered no comment about the alleged breach, news of the breach was widely covered in cybersecurity media. There’s no official word on whether the company paid the ransom.]

[Update Dec. 5, 2019: After news of a ransomware attack on CyrusOne data centers broke on tech news sites including ZDNet, we ran BluVector’s Machine Learning Engine against the related sample that was uploaded to VirusTotal and would have detected that variant of Sodinokibi 36 months ahead of its release.]

[Update Aug. 18, 2019: In the wake of 23 Texas local governments being targeted by ransomware in a coordinated attack on August 16th, ZDNet reports via an “authoritative source” that the threat has been identified as Sodinokibi. If you remember our previous Threat Report, BluVector’s Machine Learning Engine (MLE) had detected Sodinokibi in 100% of the public samples available early June to mid-July 2019 and, through regression testing, would have detected the ransomware in those samples between 47 and 65 months prior to their release. Based on a report from Carbon Black last week, which listed 122 samples of the latest Sodinokibi variants, BluVector’s MLE successfully detected 100% of the malware at an average of 60 months prior to their release.]

What Is It?

The corporate cyber security equivalent of the old real estate adage “location, location, location” is “patch, patch, patch.” For some time now, attackers have been actively exploiting vulnerabilities quickly after they are disclosed publicly, or in the case of actual zero-day vulnerabilities, prior to disclosure. For many organizations, timely patching is made more difficult by the increasing uptime requirements of systems. However, delays in patching can have significant impacts on organizations. The latest example, as described by researchers at Cisco TALOS, exploits a remote code execution vulnerability in Oracle WebLogic Server to install and execute ransomware with no human interaction required. They found attackers installing a new strain of ransomware dubbed Sodinokibi and also variants of Gandcrab v5.2.

The Oracle WebLogic vulnerability (CVE-2019-2725) is easy to exploit and does not require authentication, meaning any of the large number of internet-facing WebLogic servers are fair game for attackers. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 9.8 out of 10, demonstrating both its severity and ease of exploitation. While Oracle released a patch for this vulnerability on April 26, TALOS has reported attacks in the wild since April 17.

Once installed, the Sodinokibi ransomware encrypts files, deletes shadow copies to make recovery more difficult and presents a ransom note. The ransom note provides details on how to make payment of the ransom, which initially amounts to the bitcoin equivalent of approximately US$2,500; however, the ransom amount doubles if not paid in a timely fashion. For some reason, the attackers apparently felt the need, eight hours after the Sodinokibi infection, to install Gandcrab v5.2 on the same systems. This might point to the attackers feeling unsure of the reliability of the new Sodinokibi ransomware.

The BluVector Threat Intel Team reverse engineered one of the Sodinokibi samples to extract configuration information. The executing sample was dumped, resulting in a new sample with a compilation date of April 23, 2019. The dumped sample contained a section with the non-standard name of “.bja”. This section appeared to contain binary data, preceded by a potential decryption key. By analyzing the code, the decryption routine was identified and executed in isolation; its output was a JSON-formatted configuration file. This configuration file includes a base64-encoded version of the ransom note, the file extension to be added to encrypted files and lists of files and directories to be skipped during the encryption process. Interestingly, the configuration file also contains a list of 1079 seemingly legitimate domain and site names.
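The following Python illustrates the triage step described above: it walks a PE’s section table, flags section names outside the usual linker set (such as the “.bja” section noted here), carves a section’s raw bytes and reads the COFF compile timestamp. It is an added example, not BluVector’s tooling; the PE it analyzes is a constructed minimal blob, and decrypting the carved data is left out because the page does not describe the routine.

```python
import struct
from datetime import datetime, timezone

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc", ".pdata", ".bss", ".tls"}

def _pe_header_offset(pe: bytes) -> int:
    """Check the MZ and PE signatures; return the offset of 'PE\\0\\0'."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew

def compile_time(pe: bytes) -> datetime:
    """COFF TimeDateStamp as UTC (forgeable, but handy for clustering samples)."""
    ts = struct.unpack_from("<I", pe, _pe_header_offset(pe) + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def parse_sections(pe: bytes) -> list:
    """Return (name, raw_bytes) for each 40-byte IMAGE_SECTION_HEADER in the section table."""
    hdr = _pe_header_offset(pe)
    n_sections = struct.unpack_from("<H", pe, hdr + 6)[0]
    opt_size = struct.unpack_from("<H", pe, hdr + 20)[0]
    table = hdr + 24 + opt_size  # section table follows the optional header
    sections = []
    for entry in range(table, table + 40 * n_sections, 40):
        name = pe[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, entry + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections

def nonstandard_sections(pe: bytes) -> list:
    """Names of sections outside the usual linker set (e.g. '.bja'); a cheap triage/hunting signal."""
    return [name for name, _ in parse_sections(pe) if name not in STANDARD_SECTIONS]

def extract_section(pe: bytes, wanted: str):
    """Carve one named section's raw bytes, or None if the image has no such section."""
    return dict(parse_sections(pe)).get(wanted)

def build_sample_pe(sections: list, timestamp: int) -> bytes:
    """Constructed minimal PE-shaped blob for testing: headers plus raw section data, no code."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x102)
    data_off = e_lfanew + 24 + 40 * len(sections)  # raw data starts right after the table
    table, raw = b"", b""
    for name, data in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIII", len(data), 0x1000, len(data), data_off + len(raw)) + b"\0" * 16
        raw += data
    return dos_header + coff + table + raw
```

On a real sample, the carved bytes of the unusual section are what a reverser would hand to the identified decryption routine; the timestamp and section list alone are already enough to cluster related dumps.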

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The attack vector exploits the WebLogic vulnerability (CVE-2019-2725).

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 50 months prior to their release.
