Sodinokibi Ransomware – Exploiting WebLogic Server Vulnerability

Ransomware New
Ransomware New

Cyber attackers are exploiting a WebLogic vulnerability to install a new Sodinokibi Ransomware. Cisco Talos Intelligence group explains in their blog.

What is Sodinokibi Ransomware?

Sodinokibi attempts to encrypt data in a user’s directory and delete shadow copy backups to make data recovery more difficult.

Sodinokibi Ransomware could be spread through email attachment or form malicious link and exploit WebLogic server vulnerability.

Once the attackers found a vulnerable server, they sent an HTTP POST request that request contained a PowerShell command to execute the ransomware file.

Sodinokibi Ransomware Encrypt
                                                   Image by Cisco

After the downloaded, the ransomware encrypt the systems and asked a ransom to victim. It is redirect to a page on the TOR network domain, which was registered on 31st March 2019.

Last week Oracle patched the Weblogic zero day vulnerability and assigned CVE-2019-2725. This Security Alert was released in response to a recently-disclosed vulnerability affecting Oracle WebLogic Server. This vulnerability affects a number of versions of Oracle WebLogic Server and has received a CVSS Base Score of 9.8. WebLogic Server customers should refer to the Security Alert Advisory for information on affected versions and how to obtain the required patches.

Cisco’s Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi Ransomware.

Initial stages of the ransomware attack occurred on April 25, the day before Oracle released their update. This was a trial to see whether the server was exploitable.

On April 26, 2019, the attackers made an HTTP connection to a different vulnerable server, requesting the AsyncResponderService of the Oracle WebLogic Server.

“After finishing deploying Sodinokibi ransomware inside the victim’s network, the attackers followed up with an additional CVE-2019-2725 exploit attempt approximately eight hours later. However, this time, the attackers chose to distribute Gandcrab v5.2.

Researchers find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.”

According to Threatpost, the Researchers also noted that, once downloaded, the malicious file executed ​vssadmin.exe, a legitimate utility bundled with Windows that enables allows administrators to manage the shadow copies that are on the computer. Shadow copies are a technology that enables systems to take automatic backup copies of computer files.

Because attackers executed this feature, it allows them to access and delete the automatic backups – making it harder for victims to recover their data: “This action​ is a common [tactic] of ransomware to prevent users from easily recovering their data,” researchers said. “It attempts to delete default Windows backup mechanisms, otherwise known as ‘shadow copies,’ to prevent recovery of the original files from these backups.”

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

More from Priyanshu Sahay

5 Tips to Keep Private Information Safe on Social Media

Social media is an excellent means of staying connected with friends regardless...
Read More

Leave a Reply