At a glance.
- New ransomware strain implements "intermittent encryption."
- Mirai variant exploits WebSVN vulnerability.
- RCE flaw affects network video recorders.
New ransomware strain implements "intermittent encryption."
Researchers at Sophos describe "LockFile," a new ransomware strain that exploits the ProxyShell vulnerabilities in Microsoft Exchange servers. The researchers note that the malware employs a new tactic which they dub "intermittent encryption," in which the malware encrypts every other 16 bytes. As a result, the file will remain partially unencrypted, but will generally be unusable in practice. The purpose of this technique is to fool security technologies:
"The notable feature of this ransomware is not the fact that it implements partial encryption. LockBit 2.0, DarkSide and BlackMatter ransomware, for example, are all known to encrypt only part of the documents they attack (in their case the first 4,096 bytes, 512 KB and 1 MB, respectively) just to finish the encryption stage of the attack faster.
"What sets LockFile apart is that it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document. This means that a text document, for instance, remains partially readable. There is an intriguing advantage to taking this approach: intermittent encryption skews statistical analysis and that confuses some protection technologies."
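To show why the every-other-16-bytes pattern skews file-level statistics, and how a per-block check still catches it, here is an added example that is not from Sophos or the original report. It uses seeded pseudo-random bytes as a stand-in for ciphertext (no real encryption) over a constructed sample text, and compares a naive whole-file entropy threshold with a block-diversity heuristic; the thresholds are assumptions chosen for the demo.

```python
import math
import random
from collections import Counter

BLOCK = 16

# Constructed sample plaintext: 64 repeats of a low-diversity sentence (4032 bytes).
PLAINTEXT = b"all your files are encrypted. pay in bitcoin to get them back. " * 64


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer: ~4 for English text, ~8 for ciphertext."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def simulate_encryption(plaintext: bytes, intermittent: bool, seed: int = 1) -> bytes:
    """Stand-in for ciphertext (not real encryption): overwrite 16-byte blocks with
    seeded pseudo-random bytes. intermittent=True leaves every odd block in the clear,
    mirroring the every-other-16-bytes pattern described for LockFile."""
    rng = random.Random(seed)
    out = bytearray(plaintext)
    for i in range(0, len(out), BLOCK):
        if intermittent and (i // BLOCK) % 2 == 1:
            continue  # this block stays plaintext
        out[i:i + BLOCK] = rng.randbytes(len(out[i:i + BLOCK]))
    return bytes(out)


def high_diversity_block_ratio(data: bytes, min_distinct: int = 15) -> float:
    """Fraction of full 16-byte blocks holding at least min_distinct distinct byte
    values. Uniformly random blocks reach 15 of 16 over 90% of the time; English
    text blocks almost never do, so the ratio stays high when only half is encrypted."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]
    if not blocks:
        return 0.0
    return sum(1 for b in blocks if len(set(b)) >= min_distinct) / len(blocks)


def looks_encrypted(data: bytes) -> dict:
    """Whole-file entropy heuristic (assumed 7.8 bits/byte cutoff) beside the
    per-block diversity heuristic (assumed 25% of blocks)."""
    entropy, ratio = shannon_entropy(data), high_diversity_block_ratio(data)
    return {"entropy": entropy, "entropy_flag": entropy >= 7.8,
            "block_ratio": ratio, "block_flag": ratio >= 0.25}


if __name__ == "__main__":
    for label, intermittent in (("full", False), ("intermittent", True)):
        print(label, looks_encrypted(simulate_encryption(PLAINTEXT, intermittent)))
    print("plain", looks_encrypted(PLAINTEXT))
```

The intermittent sample lands near 6.8 bits/byte, under the entropy cutoff, while roughly half its blocks still look random to the block check.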
Mirai variant exploits WebSVN vulnerability.
Palo Alto Networks' Unit 42 has observed exploits for a command-injection vulnerability (CVE-2021-32305) in WebSVN, an open-source application for searching through source code. The exploits are being used to deploy a new variant of the Mirai malware:
"Analysis of this malware reveals that it is used to perform distributed denial of service (DDoS) attacks and that it shares some of its code with the Mirai botnet family. To reduce the size of the executable files, each one is compressed with a modified version of the popular open-source packer, UPX. Because the packer is modified, it is less likely for reverse engineering tools to succeed in automatically unpacking the executable files, requiring more manual effort for analysis. Additionally, the malware achieves portability by statically linking all of its dependencies and making system calls directly inside the code.
"After the malware is executed, it continuously tries to connect to its command and control (C2) server on port 666. Once it establishes a connection, it communicates using a custom text-based TCP protocol. It begins by informing the C2 of its architecture, and then it awaits commands from the operator."
Unit 42 urges users to update to the patched version of WebSVN.
RCE flaw affects network video recorders.
Nozomi Networks has discovered a remote code execution vulnerability affecting Annke N48PBB network video recorders (NVRs) that could allow attackers to access security camera footage or shut down the cameras. The researchers explain that they originally identified a memory corruption issue which led to the discovery of more serious flaws:
"As the search functionality is accessible by all users of the device by default, the vulnerability could be exploited (on unpatched NVRs) directly by malicious operators, or users, to elevate their privileges on the system.
"Furthermore, as no anti-CSRF (Cross-Site Request Forgery) mitigations were found in the functionality, the vulnerability could be exploited indirectly by external attackers in “drive-by download” attacks. It is sufficient for an administrator, operator, or user to browse a specifically crafted webpage, while simultaneously logged in to the web interface of the device, to potentially cause the execution of external malicious code on the device itself."
Annke has released a firmware patch for the flaw eleven days after being notified, which Nozomi Networks says "is a notably fast response time, and we applaud Annke for it." The US Cybersecurity and Infrastructure Security Agency (CISA) has also published an advisory on the vulnerability.