Ransomware operators try out new scare tactics

New ransomware tactic targets victim’s customers

Ransomware operators continue to look for new tactics to force their victims into paying. Earlier this year, we reported on multiple ransomware groups using DDoS attacks against ransom victims as an additional tactic to force payment. Before that, we talked about the trend towards extortion by leaking stolen data. More recently, groups such as CL0P have begun sending emails directly to customers and partners of their victims using email addresses extracted from stolen data and warning them that their data will be leaked if the targeted company does not pay the ransom.

Double extortion tactics have become standard operating procedure for many ransomware operators. Once they gain a foothold in an environment, they steal all the data they can before encrypting and ransoming files. Then, they demand a ransom to decrypt files and threaten to leak stolen data to the public. CL0P has also been known to sell stolen data such as customer names, social security numbers, and other personally identifiable information.

CL0P, in particular, has ramped up its operations in 2021 and seems to be targeting multiple vulnerabilities in Accellion FTA that were patched December 2020 and January 2021, specifically 2021-271012021-271022021-27103, and 2021-27104.

This group continues to explore new tactics for forcing payments from their victims. In recent attacks targeting jet maker Bombardier and RaceTrac Petroleum, the CL0P group sent emails to their customers and partners like the following:

“Good day! If you received this letter, you are a customer, buyer, partner or employee of [victim] The company has been hacked, data has been stolen and will soon be released as the company refuses to protect its peoples’ data.”

“We inform you that information about you will be published on the darknet [link to dark web victim-shaming page] if the company does not contact us. Call or write to this store and ask to protect your privacy!!!!”

It is apparent that CL0P is hoping to put additional pressure on its victims. Some data suggests REvil may begin using this tactic as well. REvil has recently begun using DDoS and making VOIP calls to victims’ partners to pressure victims into paying.

Unfortunately, even if victims choose to pay the extortion demands, there is no guarantee their data will be deleted, and often, the data is leaked anyway.

Perch has multiple signatures in place to detect attacks against vulnerabilities in Accellion FTA, which has been the primary target for the CL0P ransomware group in 2021.

New Exchange zero-days on the horizon

This week (April 6-8) was the 14th annual Pwn2Own competition sponsored by the Zero Day Initiative, one of the most well-known security contests in the industry. This competition has grown steadily over the past 14 years and focuses on zero-day exploits and responsible disclosure, with large cash prizes being given to the winner.

For example, one target this year is a brand-new Tesla Model 3, and the top prize is $600,000 in cash plus the car itself.

This year, they added Microsoft Exchange and SharePoint to the list of targets in the server category. On the first day of the event, the Devcore team was able to achieve remote code execution on a fully patched Exchange server using an authentication bypass and local privilege escalation. Team Viettel was also able to take over the Exchange server, though it looks like they used at least some of the same exploits. Next begins the responsible disclosure process and, hopefully soon, patches by Microsoft.

Some other products that have been exploited this year include Microsoft Teams, Windows 10, Apple Safari, Oracle VirtualBox, and Zoom Messenger.

In the meantime, we know there are still zero-day vulnerabilities in Exchange that can lead to remote code execution. In line with responsible disclosure, details regarding the exploits will not be made available until after Microsoft has had a chance to patch.

There is no evidence that these exploits are being used in the wild, and we’re hoping we don’t see a repeat of the craziness March brought with Proxylogon.

Backdoor uploaded to official PHP Git repo

Last week (Mar 27), two malicious commits were pushed to the official PHP Git repository. The code injected a backdoor capable of remote code execution (RCE) on any website running the malicious version of PHP. This could potentially have turned into a significant worldwide compromise as 79% of all websites are currently built with PHP. Fortunately, the malicious commits were detected within hours as part of routine code review and were promptly reversed.

The malicious commit was made in the name of PHP creator Rasmus Lerdorf and was initially believed to indicate the official Git server, git.php.net, was compromised. The PHP project promptly decided to make the GitHub repo, which was previously just a mirror of git.php.net, the official repository, while they continued their investigation.

This week (Apr 6), Nikita Popov, one of the PHP maintainers, released additional information obtained during their investigation. According to Popov, “We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked.” He then detailed that there is no direct evidence that the user database from master.php.net had been compromised; however, the commits in question were made using HTTPS and password authentication. Additionally, “the master.php.net system, which is used for authentication and various management tasks, was running very old code on a very old operating system/PHP version, so some kind of vulnerability would not be terribly surprising.”

In response to this new information, master.php.net has been migrated to a new system named main.php.net, additional security has been added to the way passwords are stored, and all existing passwords have been reset.

Since this incident was discovered and remediated quickly, there is little impact to the larger PHP community. Most websites using PHP would use the local version distributed with their operating system’s package manager. These PHP versions would be production versions that have gone through rigorous testing rather than compiled directly from the development version. The only systems that would be infected would be any that downloaded and compiled the latest development version from Git within the couple of hours the issue remained unnoticed. Overall, this is a good reminder to perform regular code reviews.

- Bryson Medlock, the Dungeon Master