Security Bulletin #131 – 20 June 2017
Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back
South Korean web hosting provider has agreed to pay $1 million in bitcoins to hackers after a Linux ransomware infected its 153 servers, encrypting 3,400 business websites and their data, hosted on them. This happened on 10th June when ransomware malware hit its hosting servers and attacker demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files. However, the company later negotiated with the cyber criminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three installments to get their files decrypted. According to the security firm Trend Micro, the ransomware used in the attack was Erebus that was first spotted in September last year and was seen in February this year with Windows’ User Account Control bypass capabilities. Since the hosting servers were running on Linux kernel 188.8.131.52, researchers believe that Erebus Linux ransomware might have used known vulnerabilities, like DIRTY COW; or a local Linux exploits to take over the root access of the system. Erebus, the ransomware primarily targeting users in South Korea, encrypts office documents, databases, archives, and multimedia files using the RSA-2048 algorithm and then appends them with an .ecrypt extension before displaying the ransom note. The public key which is generated locally is shared, while the private key is encrypted using AES encryption and another randomly generated key. According to analysis conducted by the Trend Micro researchers, decryption of infected files is not possible without getting hold of the RSA keys.
Rufus malware targets outdated OS ATMs in India
Many security firms and law enforcement agencies are warning of malware-based attacks against ATM. Recently 27 people have been arrested by the Europol for jackpotting attacks on ATM across many countries in Europe. Last threat spotted in the wild is the Rufus malware, it is a Chinese malicious code that could be used to compromise ATMs. Indian authorities have observed numerous cyber-attacks leveraging this threat. The Rufus malware could be used to hack only ATMs running outdated software, all the ATMs targeted by crooks were found to be still using the old versions of Windows XP. The crooks use to target unguarded ATMs nighttime, they infect the system with a pen drive that is inserted into the USB port. Once the malware has infected the ATM, it would restart the system interrupting the connection with the service provider’s servers. The Rufus malware generates a code after it infected the system, the code is then sent back to the crooks that convert it into a password. Every time the password is entered, the ATM releases the money.
Pinkslipbot banking Trojan exploiting infected machines as control servers
Security researchers at McAfee Labs have spotted a new strain of the Pinkslipbot banking malware (also known as QakBot/QBot) that leverages UPnP to open ports, allowing incoming connections from anyone on the Internet to communicate with the infected machine even if they are behind a network address translation (NAT) router. Qbot, is a data stealer worm with backdoor capabilities, it is used to recruit infected machines in a credential-harvesting botnet. Experts noticed that Pinkslipbot uses UPnP to provide the path to the targets, it infects machines that provide HTTPS servers from IP addresses listed in the malware. These machines serve as HTTPs proxies that route the path to an additional layer of HTTPs proxies, this technique allows masquerading the IP address of the real C&C server. Once detected available ports, the malware infects a machine behind the firewall and establish a permanent port mapping to route the traffic, and works as a C&C proxy. Infected machines at the first level of proxy use the libcurl library to pass information to the second-layer which then route the traffic to the “real” C&C servers. To prevent Pinkslipbot infection users should “keep tabs on their local port-forwarding rules” and should turn UPnP off if they don’t need it.