Welcome to our weekly recap! KNOW, Netenrich’s threat intel platform and cybersecurity news aggregator, has identified Sodinokibi, HAFNIUM, and CVE-2021-22986 as this week’s most trending malware, threat actor, and vulnerability.
Sodinokibi – Malware Of The Week
Sodinokibi, also known as REvil, is ransomware operated under a ransomware-as-a-service (RaaS) model and first observed in April 2019. Its infection vectors include phishing campaigns and the exploitation of known vulnerabilities; its earliest campaigns deployed it through the Oracle WebLogic deserialization flaw CVE-2019-2725, which gives an unauthenticated attacker remote code execution on the server, so no credentials or user interaction are needed. Once running, it encrypts the victim’s files and demands payment for the decryptor.
Sodinokibi appeared around the time the GandCrab operation announced its retirement, and researchers have pointed out several similarities between the two families. It first drew wide attention in late April 2019, when its operators exploited the then-unpatched WebLogic flaw to encrypt files on exposed servers, demanding a $2,500 ransom that doubled to $5,000 if the initial deadline was missed. Notably, Sodinokibi checks the system locale before running and avoids encrypting machines in Russia, Iran, and other countries that were formerly part of the USSR.
Why is Sodinokibi Trending?
Taiwanese electronics and computer maker Acer was hit by Sodinokibi (REvil) ransomware. The attackers accessed financial spreadsheets, bank balances, and bank communications, and reportedly gained entry to the network through a Microsoft Exchange Server vulnerability (more on this below).
The gang announced the intrusion on its data leak site and demanded a $50 million ransom, the largest known ransom demand to date. Acer said of the incident:
“Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”
Sodinokibi Trends From KNOW
- Total references: 24,000
- Last 60 days: 2,000
- Previous 7 days: 1,000
Sodinokibi Context From KNOW
- Related IPs: 3
- Hashes: 329
- Industries Targeted: Education, Healthcare, Telecommunications, Banking, Finance, and Food & Beverage
- Vulnerabilities: CVE-2018-8453, CVE-2019-2725, CVE-2019-19781, and CVE-2019-11510.
- Threat Actors: Carbanak and Gold Southfield.
HAFNIUM – Threat Actor Of The Week
HAFNIUM is a highly skilled threat actor that Microsoft assesses to be state-sponsored and operating out of China. Microsoft publicly exposed the group in March 2021. It is notable for targeting US entities for data exfiltration across several sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs, and it primarily targets on-premises Microsoft Exchange servers.
It gains access to Exchange servers using stolen credentials or by exploiting previously undisclosed vulnerabilities (the Exchange Server flaws now known as ProxyLogon), then drops a web shell to control the compromised server remotely. The group operates from leased US-based virtual private servers (VPS) to blend in with local traffic, and exfiltrated data is uploaded to the file-sharing site MEGA.
Why Is HAFNIUM Trending?
Reports emerged that HAFNIUM and at least four other groups have been exploiting on-premises Microsoft Exchange servers. HAFNIUM’s targets are US entities across sectors such as infectious disease research, law firms, higher education, defense contractors, policy think tanks, and NGOs.
As per a research report released by Microsoft:
“HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”
HAFNIUM References From KNOW
- Total references: 2,000
- Last 60 days: 2,000
- Previous 7 days: 265
Twitter Reacts To HAFNIUM
Lots of Exchange servers still vulnerable. Especially in North America and West Europe. Check out my livestream from last Friday for more details: https://t.co/ex6dNHm8UL #HAFNIUM #DearCry pic.twitter.com/vPxSReYTai
— Maarten Goet (@maarten_goet) March 22, 2021
ICYMI: Find out what you need to know about the Microsoft Exchange Server attacks, including how Symantec stops them, and details on some post-compromise activity. Read now: https://t.co/SQBWWCgvTn #ProxyLogon #HAFNIUM pic.twitter.com/f8xVntIdPP
— Threat Intelligence (@threatintel) March 17, 2021
CVE-2021-22986 – Vulnerability Of The Week
CVE-2021-22986 hit the news when F5 Networks, a leading provider of enterprise networking gear, announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions. They are:
- CVE-2021-22986
- CVE-2021-22987
- CVE-2021-22991
- CVE-2021-22992
The most severe is CVE-2021-22986, an unauthenticated remote code execution flaw in the iControl REST management interface. Attacks observed against vulnerable appliances have followed two vectors:
- The first is a chain that begins with a server-side request forgery (SSRF) attack against the REST interface to obtain an authenticated session token, then uses that token for remote command execution.
- The second is remote command execution against the “/mgmt/tm/util/bash” endpoint, which lets an authenticated user run shell commands supplied in the “utilCmdArgs” parameter; on its own this vector requires valid credentials or a token obtained some other way.
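Both vectors end at the same place: a request to /mgmt/tm/util/bash carrying utilCmdArgs. That makes the endpoint a useful hunting pivot. The script below is an added example, not code from the page or from F5: it replays constructed request-log lines through a small detector that flags every bash-endpoint call carrying utilCmdArgs, and labels a call as the login-then-bash chain when the same source authenticated shortly before. The log format (epoch, source IP, method, path, status, body) and the 120-second correlation window are assumptions; /mgmt/shared/authn/login is the iControl REST token-login endpoint from F5’s documentation and is not named on the page.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Endpoint named on the page (vector 2) and the iControl REST token-login
# endpoint from F5's documentation (assumption: not named on the page).
BASH_PATH = "/mgmt/tm/util/bash"
LOGIN_PATH = "/mgmt/shared/authn/login"
CHAIN_WINDOW = 120  # seconds; assumed window for "login then bash" correlation

# Assumed, constructed one-request-per-line format:
#   <epoch> <src_ip> <METHOD> <path> <status> <body or ->
LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3}) (.*)$")

Request = Tuple[int, str, str, str, int, str]  # ts, src, method, path, status, body


def parse_line(line: str) -> Optional[Request]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status, body = m.groups()
    return int(ts), src, method, path.split("?", 1)[0], int(status), body


def extract_cmd(body: str) -> str:
    """Pull the utilCmdArgs value out of a JSON body (fallback: loose regex)."""
    try:
        return str(json.loads(body).get("utilCmdArgs", ""))
    except (ValueError, AttributeError):
        m = re.search(r'utilCmdArgs"?\s*[:=]\s*"?([^"]*)', body)
        return m.group(1) if m else ""


def is_bash_rce(path: str, body: str) -> bool:
    """Vector 2 signature: bash utility endpoint with a utilCmdArgs payload."""
    return path == BASH_PATH and "utilCmdArgs" in body


def analyse(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source_ip, pattern, command) for every suspicious bash call.

    A successful POST to the login endpoint from a source is remembered; a
    bash call from that source within CHAIN_WINDOW is reported as the
    vector-1 pattern, anything else as a direct (vector-2) call.
    """
    alerts: List[Tuple[str, str, str]] = []
    last_login: Dict[str, int] = {}
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        ts, src, method, path, status, body = req
        if method == "POST" and path == LOGIN_PATH and status == 200:
            last_login[src] = ts
            continue
        if is_bash_rce(path, body):
            login_ts = last_login.get(src)
            if login_ts is not None and ts - login_ts <= CHAIN_WINDOW:
                pattern = "login-then-bash chain (vector 1 pattern)"
            else:
                pattern = "direct bash utilCmdArgs (vector 2 pattern)"
            alerts.append((src, pattern, extract_cmd(body)))
    return alerts


# Constructed sample log: one token login followed by a bash call, one bash
# call with no preceding login, one benign read, and one failed login.
SAMPLE_LOG = """\
1616160000 203.0.113.7 POST /mgmt/shared/authn/login 200 {"username":"admin","loginProviderName":"tmos"}
1616160005 203.0.113.7 POST /mgmt/tm/util/bash 200 {"command":"run","utilCmdArgs":"-c 'id'"}
1616160300 198.51.100.9 POST /mgmt/tm/util/bash 200 {"command":"run","utilCmdArgs":"-c 'cat /etc/shadow'"}
1616160400 192.0.2.12 GET /mgmt/tm/ltm/virtual 200 -
1616160500 192.0.2.12 POST /mgmt/shared/authn/login 401 {"username":"admin"}
""".splitlines()

if __name__ == "__main__":
    for src, pattern, cmd in analyse(SAMPLE_LOG):
        print(f"{src}: {pattern}: utilCmdArgs={cmd!r}")
```

On a real appliance the management requests are recorded by the REST daemon and the front-end httpd, not in the toy format used here, so the parser is the part to adapt. Legitimate automation does call /mgmt/tm/util/bash, so treat a hit as a triage item and compare the command and source against your known administration hosts rather than blocking outright.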
Twitter Reacts To CVE-2021-22986
F5 urges customers to patch 4 critical BIG-IP pre-auth RCE bugs – @serghei https://t.co/1CyGdEejWw
— BleepingComputer (@BleepinComputer) March 10, 2021
NEW: Threat actors have begun attacks against F5 networking devices using recent major bug (CVE-2021-22986 — unauth RCE in a management API) https://t.co/ACA9FlBe2x pic.twitter.com/qsGjQHHDw9
— Catalin Cimpanu (@campuscodi) March 19, 2021
What is KNOW?
KNOW is Netenrich’s Threat Intel Platform. It extracts data from billions of data points and correlates relevant intel with expert analyst insights to help you follow, search, and act in a fraction of the time it takes today.
One of KNOW’s handiest tools is the trending threats dashboard, which gives you a bird’s eye view of the most potent malware, threat actors, methods, and vulnerabilities in the following time frames:
- Last 7 days.
- Last 60 days.
So, want to check out KNOW some more? Why don’t you sign up? It’s completely free.
Subscribe To Our Newsletter!
The best source of information for Security, Networks, Cloud, and ITOps best practices. Join us.