Satan Ransomware Variant Exploits 10 Server-Side Flaws
(Dec 10, 2018)
Researchers from NSFocus discovered a new variant of the "Satan" ransomware, dubbed "Lucky," that has been observed to exploit ten different vulnerabilities in Windows and Linux server platforms. The Lucky ransomware is able to propagate within a system without human interaction, and appears to be targeted towards financial services. The vulnerabilities exploited to gain access and propagate include: "JBoss default configuration vulnerability (CVE-2010-0738), a Tomcat arbitrary file upload vulnerability (CVE-2017-12615), a WebLogic arbitrary file upload vulnerability (CVE-2018-2894), a WebLogic WLS component vulnerability (CVE-2017-10271), a Windows SMB remote code execution vulnerability (MS17-010), a Spring Data Commons remote code execution vulnerability (CVE-2018-1273), an Apache Struts 2 remote code execution vulnerability (S2-045), an Apache Struts 2 remote code execution vulnerability (S2-057), and a Tomcat Web admin console backstage weak password brute-force flaw." Many of the vulnerabilities were disclosed within the past few months, which means there are likely many targets who are still susceptible to exploitation.
Recommendation: Threat actors are often observed to use vulnerabilities even after patches have been released, since many organisations are slow to update their systems. As this story illustrates, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available in order to prevent exploitation by malicious actors.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.