Bad actors found a serious way to misuse the CVE-2019-2725 vulnerability
There are numerous vulnerabilities manipulated by bad actors in various ways. However, this time criminals found a way to misuse a security flaw in the web server of one of the largest vendors in the enterprise IT market and install a newly discovered ransomware Sodinokibi and also another dangerous malware strain, known as Gandcrab ransomware v5.2.
The server which was misused belongs to the famous Oracle WebLogic which has thousands of users worldwide. While Oracle has already released a patch for the vulnerability which is alternatively recognized as CVE-2019-2725, cybercriminals had more than a week to exploit it according to their needs – the malicious activity was spotted by cybersecurity experts on April 26th, while the flaw was misused since the April 17th.
What gives the vulnerability a severity score of 9.8/10 is that it is very easy to manipulate. Any user who has HTTP access to the Oracle WebLogic server has the possibility of launching an attack:
This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10.
Sodinokibi deletes files' Shadow Volume Copies and demands a ransom of $2500
Talking about Sodinokibi ransomware, it is a dangerous form of malware that can start running on the targeted system without requiring any user response. Usually, ransomware infections appear on the system when a user clicks on the infectious hyperlink or opens a malware-laden spam email attachment. However, this case is different.
The vulnerability allows hackers to automatically launch and run the malicious payload on victims' computers. Once this happens, Sodinokibi starts encrypting files by adding the .p67867 appendix and displaying this type of ransom message:
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got p67867 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/[id] Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/[id] Page will ask you for the key, here it is: [key]
However, this is not all that Sodinokibi ransomware does. After an investigation, experts discovered that once files are locked by using unique encryption ciphers, the malware erases all Shadow Volume Copies of affected files permanently which is done to disable other decryption methods. Nevertheless, crooks urge for a ransom amount up to $2500 and doubles the price to $5000 if no signs of contact are shown in two-six days.
Gandcrab v5.2 is installed on the infected computer system after eight hours since Sodinokibi installation
Another interesting thing about this malware package is that it not only distributes Sodinokibi ransomware but also infects the targeted system with the widely-known Gandcrab v5.2. This happens after eight hours once Sodinokibi installs on the machine. Users have to face the consequences of two ransomware infections at a time.
Cybersecurity specialists find this news a little bit triggering as they admit that no bad actor has ever used one attack for distribution of two ransomware viruses. Some speculations say that Sodinokibi was not beneficial enough so the hackers decided to spread Gandcrab v5.2 and collect more revenue from this threat instead.