
New Strain of Satan Ransomware Targeting Multiple Vulnerabilities

Three new exploits have been added to the source code of the two-year-old Satan Ransomware to expand its ability to spread through public and private networks. The added exploits target the Spring web application framework, the ElasticSearch search engine, and the ThinkPHP web application framework. The specific vulnerabilities are listed as Spring Data REST Patch Request (CVE-2017-8046), ElasticSearch (CVE-2015-1427), and ThinkPHP 5.X Remote Code Execution, which has no assigned CVE. In addition to these new vulnerabilities, the ransomware had previously been seen taking advantage of the following flaws: JBoss default configuration vulnerability (CVE-2010-0738), Tomcat arbitrary file upload vulnerability (CVE-2017-12615), WebLogic arbitrary file upload vulnerability (CVE-2018-2894), WebLogic WLS component vulnerability (CVE-2017-10271), Windows SMB remote code execution vulnerability (MS17-010), and Spring Data Commons remote code execution vulnerability (CVE-2018-1273).

Researchers explain how the new variant combines multi-threading with IP address traversal: “It performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address encountered, along with its corresponding hardcoded port list. To be more efficient, it implements multi-threading, in which separate threads are spawned for every propagation attempt for every targeted IP and port.” If the Windows component is selected and the port number is 445, the EternalBlue exploit is used. SSH credential stuffing is attempted on port 22, using a hardcoded credential list carried by the malware. If neither of those two ports is found open, the web application exploits are used instead.
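The propagation behaviour described above (one source sweeping many IP addresses against a fixed port list, branching on 445 and 22 before falling back to web ports) leaves a recognisable footprint in firewall or NetFlow logs. The following is an added detection example written for this note; it is not code from the original article or from the researchers cited. The log format, the sample log lines and the web ports (8080, 7001 and 9200 as common defaults for Tomcat/JBoss, WebLogic and ElasticSearch) are assumptions for the example, not the malware's actual hardcoded port list, which the article does not reproduce.

```python
"""Flag internal hosts whose outbound connections look like a Satan-style IP sweep.

The article describes a host that walks through IP addresses and, for each one,
tries a hardcoded port list: 445 for EternalBlue, 22 for SSH credential stuffing,
otherwise web application exploits. This script detects that shape in a simple
connection log: one source, many destinations, the same small port set, short time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 445 and 22 come from the article. The web ports are an assumption for this example
# (common defaults of the exploited products), not the malware's real port list.
WATCHED_PORTS = {445, 22, 8080, 7001, 9200}

# Constructed sample log in an assumed "timestamp src dst dport" format.
# 10.0.0.5 sweeps five hosts in five seconds; 10.0.0.9 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2019-03-01T10:00:00 10.0.0.5 10.0.0.1 445
2019-03-01T10:00:00 10.0.0.5 10.0.0.1 22
2019-03-01T10:00:00 10.0.0.5 10.0.0.1 8080
2019-03-01T10:00:01 10.0.0.5 10.0.0.2 445
2019-03-01T10:00:01 10.0.0.5 10.0.0.2 22
2019-03-01T10:00:01 10.0.0.5 10.0.0.2 7001
2019-03-01T10:00:02 10.0.0.5 10.0.0.3 445
2019-03-01T10:00:02 10.0.0.5 10.0.0.3 9200
2019-03-01T10:00:03 10.0.0.5 10.0.0.4 445
2019-03-01T10:00:03 10.0.0.5 10.0.0.4 22
2019-03-01T10:00:04 10.0.0.5 10.0.0.6 445
2019-03-01T10:05:00 10.0.0.9 10.0.0.1 443
2019-03-01T10:06:00 10.0.0.9 10.0.0.2 443
"""


def branch_for_port(port):
    """Map a destination port to the propagation branch the article describes."""
    if port == 445:
        return "smb-eternalblue"
    if port == 22:
        return "ssh-credential-stuffing"
    return "web-application-exploit"


def parse_log(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, int) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_sweepers(events, window=timedelta(seconds=60), min_hosts=4):
    """Return {src: {"hosts": n, "ports": [...], "branches": [...]}} for sources that
    reach at least `min_hosts` distinct destinations on watched ports within `window`.
    The sliding window keeps the largest host count seen for each source."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port in WATCHED_PORTS:
            by_src[src].append((ts, dst, port))

    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            window_hits = hits[start:end + 1]
            hosts = {d for _, d, _ in window_hits}
            if len(hosts) >= min_hosts and len(hosts) > findings.get(src, {}).get("hosts", 0):
                ports = sorted({p for _, _, p in window_hits})
                findings[src] = {
                    "hosts": len(hosts),
                    "ports": ports,
                    "branches": sorted({branch_for_port(p) for p in ports}),
                }
    return findings


if __name__ == "__main__":
    for src, info in find_sweepers(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['hosts']} hosts on ports {info['ports']} -> {info['branches']}")
```

Tune `window` and `min_hosts` to the environment: a backup server or vulnerability scanner will legitimately touch many hosts on these ports, so allow-list known scanners rather than lowering the threshold. The value of the port grouping is that a single workstation hitting 445, 22 and an application port on every neighbour is the pattern the article describes, and is rarely normal user traffic.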

Analyst Notes

Users who could be susceptible to this ransomware should run an up-to-date antivirus program and back up their files regularly. Flash should also be disabled, as it is commonly used to deliver malicious content.