Search This Blog

Showing posts with label RDP Flaw. Show all posts

JSWorm: A Notorious Ransomware

 

The ransomware threat environment has been shifting over the last few years. Following the major ransomware outbreaks of 2017, such as WannaCry, NotPetya, and Bad Rabbit, many ransomware actors have switched to the covert yet the lucrative strategy of "big-game hunting." The news of ransomware triggering a service interruption at a multinational enterprise has become commonplace. 

Since the discovery of JSWorm ransomware in 2019, numerous variants have gained popularity under various names such as Nemty, Nefilim, Offwhite, and others. As part of each “rebranded” edition, several versions were released that changed various aspects of the code, renamed file extensions, cryptographic schemes, and encryption keys. 

JSWorm is a ransomware variant of the GusCrypter malware family. Its purpose is to extort money from victims by encrypting all personal data and requesting a ransom for the decryption key. It's a member of the GusCrypter clan. JSWorm is typically transmitted via spam email attachments. 

The malware also leaves a ransom note, JSWORM-DECRYPT.html, instructing victims to contact criminals via the NIGER1253@COCK.LI email address if they want their data back. Since JSWorm belongs to a well-known ransomware family, it's possible that the encryption will be permanent. 

Although JSWorm ransomware does not encrypt system files, it does modify your system in other ways. As a result of the altered Windows Registry values, ransomware is launched every time the user restarts the device. These modifications, however, are made after the encryption and ransom demand have been completed. 

JSWorm was available as a public RaaS from its inception in 2019 until the first half of 2020, and it was observed spreading through the RIG exploit kit, the Trik botnet, fake payment websites, and spam campaigns. The public RaaS was closed in the first half of 2020, and the operators turned to big-game hunting. An initial intrusion was discovered thanks to the use of weak server-side applications (Citrix ADC) and insecure RDP access. 

The files are encrypted with a 256-bit key using a custom modification of the Blowfish cypher. The key is generated by concatenating the strings user name, system MAC address, and volume serial number at the start of the programme execution. The content of each of the victim's files is encrypted using a custom version of Blowfish. The encryption is limited to 100,000 bytes, most likely to speed up the encryption of large files. The initial data is overwritten by the encrypted data.

Microsoft Warns Users against BlueKeep RDP Flaw; Immediate Update Advised, Again!






Microsoft has beseeched its users all over again to get their systems updated because as it turns out hackers already have exploits of the BlueKeep RDP flaw, already.


The patch has been fabricated for the “wormable” BlueKeep Remote Desktop Protocol (RDP) vulnerability; therwise the hackers could easily perform a “WannaCry” level attack.

The first warning was sent by Microsoft on May 14 when they’d released a patch for another serious Remote Code Execution vulnerability, CVE-2019-0708.

Successful exploitation of this vulnerability leads to the hacker executing an arbitrary code on the windows machine and installing programs.

 The term “Wormable” refers to the fact that any future malware exploits could contagiously spread from one system to another.

According to sources, this vulnerability is of pre-authentication type and needs no user interaction.

Any attacker who could easily exploit this vulnerability could install programs, edit, and view or delete data and even create new accounts with complete user rights.

Microsoft has a strong hunch that the cyber-cons already have fully developed plans for exploiting the aforementioned vulnerability.

More than a million PCs are susceptible to these wormable, BlueKeep RDP flaws.

A security researcher conducted RDP scan hunting for port 3389 used by Remote Desktop to find potentially and current vulnerable devices.

Major Anti-Virus brands such as Kaspersky, McAfee, Check Point and Malware Tech developed a Proof-of-Concept (PoC) that would use the CVE-2019-0708 to remotely execute the code on victim’s system.


So it happens, numerous corporate networks are under the threat and are still vulnerable more than individuals are as more systems are connected in a single network.

A single compromised system of a corporate network could put the entire organization and its systems in danger.

The compromised device could be used as a gateway and as it’s a “wormable” attack it could easily propagate across networks.

The most the users could do is keep their systems updated and their security as tight as possible as future malware could also try hacking back in.

Solutions
·      Update systems as soon as possible
·      Block Remote Desktop Services if they are not in use
·      Block TCP port 3389 at the Enterprise Perimeter Firewall
·      Apply the patch to the vulnerable systems and devices that have RDP enabled