Sophos research, “Cring Ransomware Exploits Ancient ColdFusion Server”, describes an incident in which attackers compromised a server running Adobe ColdFusion 9, a version released 11 years ago.
The target used the server to collect time and attendance data for payroll accounting and hosted a number of virtual machines on it. Attackers broke into the Internet-connected server within minutes and deployed the ransomware 79 hours later.
“Devices running vulnerable, outdated software are an ideal vulnerability for digital attackers looking for an easy way towards their destination,” said Andrew Brandt, senior researcher at Sophos. “The Cring ransomware is not new, but it is not very common. The incident we investigated was targeted at a service company, and access to the network required only an Internet-connected machine running old, outdated and unpatched software. The surprising thing was that this server was in active daily use. The most vulnerable devices were often inactive or ‘ghost’ machines that were either forgotten or ignored during the installation of patches and updates.
“However, regardless of condition – whether they are in use or inactive – Internet-connected servers or other devices that are unpatched or not upgraded are the primary targets for cybercriminals who scan the company’s attack surface for vulnerabilities. This is a very significant reminder that it is an advantage for IT administrators to have an accurate inventory of all their network devices and not to leave business-critical Internet-facing systems obsolete. If organizations have such devices anywhere on their network, they can be sure that they will attract digital attackers. Don’t make life easier for cybercriminals!”
Sophos’ analysis shows that the attackers began by scanning the target’s website with automated tools and were able to break into the network within minutes of detecting that an unpatched version of ColdFusion was running on a server.
Sophos found that after the initial intrusion, the attackers used fairly sophisticated techniques to hide their files, inject code into memory and cover their tracks, including deleting logs and other artifacts that threat hunters could have used in an investigation. The attackers were also able to disable the security software because its self-defense (tamper protection) features had been turned off.
The attackers left behind a ransom note stating that data had also been taken during the attack and was “ready to be leaked, if we could not do a good deal.”
Sophos recommends the following best practices for defending against Cring and other ransomware families and similar cyber-attacks:
At the strategic level:
- Use multi-layered protection. As more and more ransomware attacks include extortion based on stolen data, backups are still necessary but no longer sufficient. It is more important than ever to keep attackers out, or to detect them quickly before they can cause damage. Use multi-layered protection to block and detect attackers anywhere in your network.
- Combine human experts with anti-ransomware technology. The key to stopping ransomware is defense in depth, which combines dedicated anti-ransomware technology with human-led threat hunting. Technology provides the scale and automation an organization needs, while human experts are best at spotting the telltale tactics, techniques and procedures that indicate an attacker is trying to get into the environment. Organizations that do not have the right expertise in-house can seek the support of cyber security specialists.
At a daily tactical level:
- Monitor and respond to alerts! Ensure that the appropriate tools, processes and resources (people) are available to monitor, investigate and respond to threats detected in the environment. Ransomware adversaries often time their attacks for off-peak hours, weekends or holidays, on the assumption that fewer staff, or no one at all, will be watching the network.
- Set strong passwords and ensure they are used properly! Strong passwords are one of the first lines of defense. Passwords must be unique and complex and should never be reused. This is easier to achieve with a password manager that stores staff credentials.
- Use multi-factor authentication (MFA)! Even strong passwords can be compromised. Any form of MFA is better than none for anything that provides access to critical resources, such as email, remote management tools and network devices.
- Lock down exposed services! Scan the network from the outside, and identify and close the ports typically used by VNC, RDP and other remote access tools. If a machine needs to be reachable with a remote access tool, place it behind a VPN or a zero-trust network access solution that uses MFA as part of the login.
- Practice segmentation and the zero-trust principle! Separate critical servers from each other and from workstations by placing them on separate VLANs while working towards a zero-trust network model.
- Make offline backups of data and applications! Keep your backups up to date, make sure they can be restored, and keep an offline copy!
- Inventory your devices and accounts! Unknown, unprotected and unpatched devices on the network increase risk and create a situation in which malicious activity can go unnoticed. It is vital to have an up-to-date inventory of all digital devices connected to the network. Use network scanners, IaaS tooling and physical inspection to locate and enumerate them, and install endpoint security software on every unprotected machine.
- Make sure that security tools are configured correctly! Poorly protected systems and devices are vulnerable too. Make sure your security solutions are properly configured, and review, enforce and where necessary update security policies regularly. New security features are not always enabled automatically. Do not disable self-defense features or create broad detection exclusions, as this makes the attacker’s job easier.
- Audit Active Directory (AD)! Perform regular audits of all AD accounts to make sure none has more access than its purpose requires. Disable the accounts of departing employees as soon as they leave the company.
- Patch everything! Keep Windows and other operating systems and software up to date. This also means double-checking that patches are properly installed and in place on critical systems, such as Internet-accessible machines and domain controllers. In the incident presented here, support for the server’s Adobe ColdFusion 9 software and the Windows 2008 operating system underneath it had already been discontinued by both vendors, which means that neither had received any software updates.
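As an added example (not code from Sophos or the article), the following Python audit runs over a constructed inventory and flags the conditions the recommendations above turn on: end-of-life software, especially on an Internet-facing host, RDP/VNC ports reachable from the Internet, and hosts without endpoint protection. The hostnames, the end-of-life table and the port list are assumptions made for illustration.

```python
# Added example: audit a device inventory for the conditions behind this incident.
# Inventory rows, EOL table and port list are constructed sample data.
import csv
import io

# Constructed EOL list (product names are assumptions for illustration).
END_OF_LIFE = {"Adobe ColdFusion 9", "Windows Server 2008"}
# Ports typically used by RDP and VNC, the services the article says to lock down.
REMOTE_ACCESS_PORTS = {3389, 5900, 5901}

INVENTORY_CSV = """host,os,software,internet_facing,open_ports,endpoint_protection
payroll-cf,Windows Server 2008,Adobe ColdFusion 9,yes,80;443;3389,no
web-01,Ubuntu 22.04,nginx 1.24,yes,80;443,yes
dc-01,Windows Server 2019,,no,88;389;3389,yes
ghost-vm,Windows Server 2008,,no,445,no
"""

def audit_inventory(csv_text):
    """Return {host: [findings]} containing only hosts with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        exposed = row["internet_facing"].strip().lower() == "yes"
        ports = {int(p) for p in row["open_ports"].split(";") if p.strip()}
        # EOL software is a finding anywhere; critical when reachable from the Internet.
        for product in (row["os"], row["software"]):
            if product in END_OF_LIFE:
                sev = "critical" if exposed else "high"
                issues.append(f"{sev}: end-of-life software {product}")
        # RDP/VNC ports only matter here when the host is Internet-facing.
        exposed_ra = ports & REMOTE_ACCESS_PORTS
        if exposed and exposed_ra:
            issues.append(f"critical: remote-access port(s) {sorted(exposed_ra)} reachable from the Internet")
        if row["endpoint_protection"].strip().lower() != "yes":
            issues.append("high: no endpoint protection installed")
        if issues:
            findings[row["host"]] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit_inventory(INVENTORY_CSV).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

The "ghost-vm" row shows why an inventory matters: the host is not Internet-facing, yet its end-of-life OS and missing endpoint protection still surface as findings.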
Sophos endpoint products detect the Cring ransomware executable as Troj/Ransom-GKG and the Cobalt Strike beacons as AMSI/Cobalt-A. The PowerShell commands used to load the beacons are detected as Troj/PS-IM.