Gandcrab Ransomware Exploits Website Vulnerabilities

  /     /     /  
Publicated : 22/11/2024   Category : security


Gandcrab Ransomware Exploits Website Vulnerabilities


Researchers find campaigns distributing Gandcrab by hosting malware on legitimate websites with poor security measures.



Cryptominers may have stolen the spotlight as cybercrimes hottest new trend, but it doesnt mean we can stop paying attention to ransomware. Researchers at Cisco Talos detected a new batch of Gandcrab ransomware being distributed through legitimate but poorly secured sites.
Gandcrab, among the newest threats in the ransomware space, started as a simple attack and quickly
evolved
as its authors adapted to security defenses. In the first two months of 2018, attackers infected more than 50,000 victims and generated more than $600,000 for attackers. This threat spreads via spam campaigns and exploit kits including Rig and Grandsoft.
Talos researchers were analyzing a recent spam campaign when they found a series of compromised sites delivering Gandcrab and continued to identify four separate campaigns over the period of one week. The first started on April 30 and was disguised as an online order. An attached ZIP file has a Word document that downloads and executes the ransomware. Emails contained either VBScripts or ZIP files but always delivered the same result.
An interesting part of this campaign is the tools used to download Gandcrab. There are several ways to do this with macros, but attackers chose to use certutil.exe, a command line utility installed as part of Certificate Services. The use of certutil demonstrates how adversaries are seeking new and effective ways to download malware onto targets machines, says Talos threat researcher Nick Biasini.
A couple of days later, the second campaign arrived. Its subject, bodies, and attachments were very similar to those in the first; however, the location of where the payload was hosted had changed. Researchers looked at the DNS and noticed it was delivered from a legitimate site, which was running phpMyAdmin and had multiple MySQL flaws and default credentials. The website was taken down shortly after this was discovered, researchers say in a
blog post
.
The third campaign was found downloading Gandcrab from an out-of-date WordPress site riddled with vulnerabilities. The fourth leveraged the same website, highlighting another trend. Sometimes attackers return to the same site, even after it has been taken down. This pattern shows attackers arent putting much effort into making their campaigns unique.
Biasini says this distribution of Gandcrab highlights a major problem for businesses: website compromise. Many of the Web pages on the Internet are running on antiquated software and most small businesses dont know a new flaw has been released. Even if they did, they dont have the expertise or time to update the software they rely on.
It is increasingly easy to create a website based on a lot of the Web frameworks like WordPress, Joomla, and Drupal, among others, he explains. The challenge is that most people creating and hosting a small-business website arent aware that the software needs to be updated and secondly may not have the knowledge or time to undertake such an endeavor.
Each of these platforms has some form of remote management, Biasini continues. Average employees dont realize this portal needs to have strong credentials and, ideally, have the administrative page restricted to the specific IP address space. These exposed admin pages with weak credentials are easily compromised by far more sophisticated adversaries, he notes.
Attackers will continue to leverage compromised websites because they save time and money related to domain registration, buying VPS, and configuring the server to host files. They also inherit the sites reputation, which can help with slipping past blacklisting systems.
This specific version of Gandcrab is generating a discussion around how often the malware is updated, and its creators active participation in developing new iterations of it. They are continually making changes and updates to this ransomware, says Biasini.
Businesses can protect themselves by patching their software, including any and all plug-ins that could be used on the site. Beyond that, he recommends securing admin portals on the pages and implementing strong passwords. In a brute-force attack, weak passwords could lead to compromise and grant the attacker access until the authentication is updated.

Last News

▸ Feds probe cyber breaches at JPMorgan, other banks. ◂
Discovered: 23/12/2024
Category: security

▸ Security Problem Growing for Dairy Queen, UPS & Retailers, Back off ◂
Discovered: 23/12/2024
Category: security

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Gandcrab Ransomware Exploits Website Vulnerabilities