Sodin ransomware enters through MSPs

July 4, 2019

At the end of March, when we wrote about a GandCrab ransomware attack on an MSP’s clients, we figured it was unlikely to be an isolated case.  Managed service providers are just too tempting a target for cybercriminals to ignore.

It appears we were right. In April, ransomware dubbed Sodin captured our experts’ attention. It differed from the others in that in addition to using gaps in MSPs’ security systems, it also exploited a vulnerability in the Oracle WebLogic platform. And whereas it’s typical for ransomware to require a user’s involvement (for example, the victim would need to launch a file from a phishing letter), in this case, no user participation is needed.

Managed service providers are just too tempting a target for cybercriminals to ignore.

You can read about the technical details of this ransomware in this Securelist post. From our point of view, the most interesting thing about this malware is its means of distribution.

Sodin distribution methods

For purposes of spreading the malware through WebLogic, attackers used the CVE-2019-2725 vulnerability to execute a PowerShell command on a vulnerable Oracle WebLogic server. Doing so allowed them to upload a dropper to the server, which then installed the payload — the Sodin ransomware. Patches for the bug were released back in April, but at the end of June a similar vulnerability was discovered — CVE-2019-2729.

In attacks using MSPs, Sodin gets onto users’ machines in different ways. Users of at least three providers have already suffered from this Trojan. According to this story on DarkReading, in some cases the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In other cases, as described on Reddit, the attackers penetrated MSP infrastructure using an RDP connection, elevated privileges, deactivated security solutions and backups, and then downloaded ransomware to client computers.

What service providers should do

For a start, take seriously the storing of passwords for remote access to anything, and use two-factor authentication wherever possible. Remote consoles for both Kaseya and Webroot support two-factor authentication. Furthermore, after the incident, developers began to mandate its use. As we can see, the attackers who distribute Sodin do not wait to stumble on opportunity; they purposefully look for         various methods of distributing malware through MSP providers. That’s why it is necessary to look carefully at all other tools used in this sphere. RDP access, as we’ve said time and again, should be used only as a last resort.

MSPs, and especially those that provide cybersecurity services, should take protection of their infrastructure even more seriously than their client infrastructure. Here is what Kaspersky can offer MSPs to protect themselves and their clients.

What other companies should do

Of course, updating software remains a critical job. Malware getting into your infrastructure through vulnerabilities discovered and closed months ago is an embarrassing example of an obviously unforced error.

Companies using Oracle WebLogic should first familiarize themselves with Oracle Security Alert Advisories for both vulnerabilities — CVE-2019-2725 and CVE-2019-2729.

And it is also wise to use reliable security solutions with subsystems that are able to detect ransomware and protect workstations from it.