Extortion attacks have taken off in recent years, helped by the anonymity of digital currencies such as Bitcoin, and they pose a serious threat to businesses and individuals. Ali Cloud Security Center has found that ransomware attacks on cloud hosts continue to occur and that extortion is becoming the mainstream way for attackers to monetize intrusions.

1. Data analysis of recent extortion activity

1. The number of extorted cloud hosts is rising

Ali Cloud Security Center has observed that the number of hosts successfully hit by ransomware has kept rising recently. There are three main reasons for the upward trend:

  1. A growing number of ransomware families bundle rich attack modules: instead of only brute-forcing weak passwords as traditional attackers did, they self-propagate, run cross-platform and spread like worms (Lucky and Satan, for example).
  2. The diversity of tenant services in the cloud and increasingly complex business scenarios keep enlarging the attack surface that users expose, and new vulnerabilities keep appearing in it.
  3. Enterprise security awareness is insufficient; password management and access control are neglected, which gives attackers their opening.

The following chart shows the trend of successful ransomware attacks over the last six months:




Mainstream ransomware families such as Crysis, GandCrab and Lucky remain active, and other families are growing as well, which drives the increase in infections. The share of each ransomware family captured on the cloud is shown below:




2. Extortion attacks can be traced

Analysis of recent intrusion data by Ali Cloud Security Center shows that attackers mainly break into cloud hosts and plant ransomware through security configuration defects and vulnerability exploitation. No new intrusion method has been observed so far.

1) Weak password brute forcing. Attackers brute-force weak passwords on the services behind ports such as 22 (SSH), 445/135/139 (SMB, RPC and NetBIOS), 3389 (RDP) and 1433 (MSSQL) to obtain access to the service.

SSH/RDP brute forcing remains active. SSH and RDP are the remote management entry points of Linux and Windows cloud servers respectively, and attackers and botnets have targeted them for a long time. The attacks consist mainly of brute-force guessing of weak passwords.

The following figure shows statistics for the most targeted user names:




The statistics show that root and Administrator are the two most frequently tried user names. Between them they cover the default privileged account of practically every Linux and Windows system, which makes weak-password guessing against them cost-effective.

The password dictionary commonly used by ransomware brute-forcers is as follows:

PASSWORD_DIC = [
    '',
    '123456',
    '12345678',
    '123456789',
    'admin123',
    'admin',
    'admin888',
    '123123',
    'qwe123',
    'qweasd',
    'admin1',
    '88888888',
    '123123456',
    'manager',
    'tomcat',
    'apache',
    'root',
    'toor',
    'guest'
]
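The SSH brute-force pattern described above (repeated guesses against root and dictionary passwords, then a successful login), as an added detection example that is not code from the original article or from Ali Cloud Security Center. It parses OpenSSH "Failed password" / "Accepted password" lines as syslog writes them, raises one alert when a source crosses an assumed threshold of 5 failures within a 60-second window, and a second alert if that same source then authenticates successfully. The log lines are constructed.

```python
"""Detect SSH password brute forcing in sshd log lines and flag a
subsequent successful login from the same source.

Added example, not code from the original article or from Ali Cloud
Security Center. SAMPLE_LOG is constructed; its lines mimic OpenSSH's
"Failed password" / "Accepted password" messages as syslog writes them.
FAILURE_THRESHOLD and WINDOW_SECONDS are assumed tuning values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILURE_THRESHOLD = 5   # assumed: failures from one source before alerting
WINDOW_SECONDS = 60     # assumed: sliding window for counting failures

# e.g. "Mar 12 03:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 41022 ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

SAMPLE_LOG = """\
Mar 12 03:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar 12 03:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 41023 ssh2
Mar 12 03:14:05 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 41024 ssh2
Mar 12 03:14:07 web01 sshd[2215]: Failed password for invalid user tomcat from 203.0.113.7 port 41025 ssh2
Mar 12 03:14:09 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 41026 ssh2
Mar 12 03:14:11 web01 sshd[2219]: Accepted password for root from 203.0.113.7 port 41027 ssh2
Mar 12 03:20:00 web01 sshd[2301]: Failed password for deploy from 198.51.100.20 port 50010 ssh2
Mar 12 03:25:30 web01 sshd[2305]: Accepted password for deploy from 198.51.100.20 port 50011 ssh2
""".splitlines()


def parse_line(line, year=2019):
    """Return a dict for an auth success/failure line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """Walk the log in order and return alerts.

    "bruteforce": a source reached `threshold` failures inside `window` seconds
    (reported once per source, with every user name it tried so far).
    "compromise": a source that was already flagged then logged in successfully,
    which is the event that precedes ransomware deployment.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    tried = defaultdict(set)      # ip -> user names attempted
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        tried[ip].add(ev["user"])
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "failures": len(q), "users": sorted(tried[ip])})
        elif ip in flagged:
            alerts.append({"type": "compromise", "ip": ip,
                           "user": ev["user"], "at": ts.isoformat()})
    return alerts


def run_sample():
    return detect_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample the script reports 203.0.113.7 as a brute-forcer after its fifth failure (having tried root, admin and tomcat, all names from the statistics above) and then as a compromise when the root login succeeds; the single failure from 198.51.100.20 never crosses the threshold. The compromise alert is the one to page on: after it, the next step in the attacks the article describes is the ransomware drop.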

2) Vulnerability exploitation

Because of the nature of tenant services in the cloud, web services have long been the main target of public-cloud threats, accounting for about 47% of basic attack and defense events. Web vulnerabilities are quickly integrated into the arsenals of botnets and ransomware and spread across the Internet. Ali Cloud Security Center analyzed vulnerable web services on the cloud and identified the ones that users should prioritize for security hardening.




Lucky ransomware, which has been active on the cloud recently, integrates a large number of CVE exploit components, which makes it very effective at spreading laterally. Its attacks mainly use the following vulnerabilities:

  1. JBoss deserialization vulnerability (CVE-2017-12149)
  2. JBoss default configuration vulnerability (CVE-2010-0738)
  3. Tomcat arbitrary file upload vulnerability (CVE-2017-12615)
  4. Tomcat web management console weak-password brute force
  5. WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
  6. WebLogic WLS component vulnerability (CVE-2017-10271)
  7. Apache Struts2 remote code execution vulnerabilities (S2-045, S2-057, etc.)
  8. Spring Data Commons remote code execution vulnerability (CVE-2018-1273)
  9. Nexus Repository Manager 3 remote code execution vulnerability (CVE-2019-7238)
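Two of the Tomcat items in that list come down to configuration, so they can be checked offline before an attacker does. The following added example (not Ali Cloud Security Center's baseline checker, and not from the original article) audits a conf/web.xml for a DefaultServlet with readonly=false, the precondition for the CVE-2017-12615 PUT upload, and a conf/tomcat-users.xml for manager-console accounts with dictionary or short passwords; it shows the weak setting beside the corrected one. The XML fragments are constructed, the weak-password set reuses the dictionary quoted earlier in the article, and the 12-character minimum is an assumed policy.

```python
"""Audit two Tomcat settings from the vulnerability list above: a writable
DefaultServlet (conf/web.xml with readonly=false, the precondition for the
CVE-2017-12615 PUT upload) and weak manager-console credentials in
conf/tomcat-users.xml (the weak-password brute force item).

Added example, not Ali Cloud Security Center's baseline checker. The XML
documents below are constructed; the weak-password set reuses the dictionary
quoted earlier in the article, and the 12-character minimum is an assumed policy.
"""
import xml.etree.ElementTree as ET

WEAK_PASSWORDS = {
    "", "123456", "12345678", "123456789", "admin123", "admin", "admin888",
    "123123", "qwe123", "qweasd", "admin1", "88888888", "123123456",
    "manager", "tomcat", "apache", "root", "toor", "guest",
}
MIN_PASSWORD_LEN = 12  # assumed policy
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Constructed conf/web.xml fragments. readonly=false lets any client PUT a .jsp.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                        "<param-value>true</param-value>")

# Constructed conf/tomcat-users.xml fragments.
WEAK_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="ops" password="Summer2019" roles="manager-gui,manager-status"/>
  <user username="app" password="123456" roles="app-user"/>
</tomcat-users>"""
HARDENED_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="deploy-ci" password="rV7#kq2LpX9!mZ4wTb" roles="manager-script"/>
</tomcat-users>"""


def _ns(root):
    """Namespace prefix of the root element in ElementTree's {uri}tag form."""
    return root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""


def default_servlet_writable(web_xml):
    """True if the DefaultServlet has init-param readonly=false (Tomcat's default is true)."""
    root = ET.fromstring(web_xml)
    ns = _ns(root)
    for servlet in root.iter(f"{ns}servlet"):
        if servlet.findtext(f"{ns}servlet-name", "").strip() != "default":
            continue
        for param in servlet.iter(f"{ns}init-param"):
            name = param.findtext(f"{ns}param-name", "").strip()
            value = param.findtext(f"{ns}param-value", "").strip().lower()
            if name == "readonly" and value == "false":
                return True
    return False


def weak_manager_accounts(users_xml):
    """Return [(username, reason)] for accounts holding any manager/admin role
    whose password is in the dictionary or shorter than MIN_PASSWORD_LEN.
    Accounts without a manager role are skipped: they cannot reach the console."""
    root = ET.fromstring(users_xml)
    ns = _ns(root)
    findings = []
    for user in root.iter(f"{ns}user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if not roles & MANAGER_ROLES:
            continue
        password = user.get("password", "")
        if password in WEAK_PASSWORDS:
            findings.append((user.get("username"), "dictionary password"))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append((user.get("username"), "short password"))
    return findings


def audit(web_xml, users_xml):
    return {"put_upload_possible": default_servlet_writable(web_xml),
            "weak_manager_accounts": weak_manager_accounts(users_xml)}


if __name__ == "__main__":
    print("weak:", audit(WEAK_WEB_XML, WEAK_USERS_XML))
    print("hardened:", audit(HARDENED_WEB_XML, HARDENED_USERS_XML))
```

The hardened tomcat-users.xml also narrows the role: a CI deployer needs manager-script, not the HTML manager-gui that brute-forcers hit, and an account like "app" with no manager role is not reported because it cannot open the console at all. Leaving readonly at its default of true, or removing the init-param, closes the PUT upload path regardless of Tomcat version.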

3. Databases can also be held to ransom

It is worth noting that in March Ali Cloud Security Center found a successful database extortion incident: the attacker brute-forced phpMyAdmin to get into the database, then deleted its data and demanded a ransom.

The attacker deleted all the data and left a ransom message demanding payment in exchange for the missing data:

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";

CREATE DATABASE IF NOT EXISTS `PLEASE_READ_ME_XMG` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
USE `PLEASE_READ_ME_XMG`;

CREATE TABLE `WARNING` (
  `id` int(11) NOT NULL,
  `warning` text COLLATE utf8_unicode_ci,
  `Bitcoin_Address` text COLLATE utf8_unicode_ci,
  `Email` text COLLATE utf8_unicode_ci
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

INSERT INTO `WARNING` (`id`, `warning`, `Bitcoin_Address`, `Email`)
VALUES (1, 'To recover your lost data : Send 0.045BTC to our BitCoin Address and Contact us by eMail with your server IP Address or Domain Name and a Proof of Payment. Any eMail without your server IP Address or Domain Name and a Proof of Payment together will be ignored. Your File and DataBase is downloaded and backed up on our servers. If we dont receive your payment,we will delete your databases.', '1666666vT5Y5bPXPAk4jWqJ9Gr26SLFq8P', '[email protected]');

ALTER TABLE `WARNING`
  ADD PRIMARY KEY (`id`);

In a database-deletion extortion case, the Cloud Security Center strongly recommends that the victim verify, before paying any ransom, that the attacker actually holds a copy of the data and can restore it. In the attacks we monitored, we found no evidence of any dump operation or data leak.
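One way to perform that verification from the database's own records, as an added example that is not from the original article or from Ali Cloud Security Center: walk a MySQL general query log, group statements by connection, and for the session that dropped databases and wrote the ransom note, list any statement that could have copied data out (SELECT ... INTO OUTFILE/DUMPFILE, or the SQL_NO_CACHE hint mysqldump emits). The log lines below are constructed in the layout of a MySQL 5.7 general_log; a second variant adds a dump so both verdicts are exercised.

```python
"""Look for evidence of a data dump in the MySQL session that destroyed the
data, to test the ransom note's claim that a backup was taken.

Added example, not from the original article or Ali Cloud Security Center.
SAMPLE_LOG is constructed in the layout of a MySQL 5.7 general query log
(general_log=ON); the query text is made up and the ransom wording
paraphrases the note shown above.
"""
import re

GENERAL_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?Z)\s+(?P<id>\d+)\s+"
    r"(?P<cmd>Connect|Quit|Query|Init DB)(?:\s+(?P<arg>.*?))?\s*$"
)
# Ways to copy data out through SQL: SELECT ... INTO OUTFILE/DUMPFILE, and the
# SELECT /*!40001 SQL_NO_CACHE */ hint that mysqldump emits for every table.
EXFIL_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b|/\*!40001 SQL_NO_CACHE \*/", re.I)
DESTROY_RE = re.compile(
    r"^\s*(?:DROP\s+(?:DATABASE|SCHEMA|TABLE)|TRUNCATE(?:\s+TABLE)?)\s+"
    r"(?:IF\s+EXISTS\s+)?(?P<name>[^\s;]+)", re.I)
DELETE_ALL_RE = re.compile(r"^\s*DELETE\s+FROM\s+(?P<name>[^\s;]+)\s*;?\s*$", re.I)
RANSOM_RE = re.compile(r"PLEASE_READ_ME|BITCOIN|RECOVER YOUR", re.I)

SAMPLE_LOG = """\
2019-03-15T02:09:58.000000Z    12 Connect  app@10.0.0.5 on shop using TCP/IP
2019-03-15T02:09:59.000000Z    12 Query    SELECT id, total FROM orders WHERE customer_id = 4711
2019-03-15T02:10:11.000000Z    17 Connect  root@203.0.113.9 on  using TCP/IP
2019-03-15T02:10:12.000000Z    17 Query    SHOW DATABASES
2019-03-15T02:10:13.000000Z    17 Query    DROP DATABASE `shop`
2019-03-15T02:10:13.500000Z    17 Query    DROP DATABASE `crm`
2019-03-15T02:10:14.000000Z    17 Query    CREATE DATABASE IF NOT EXISTS `PLEASE_READ_ME_XMG` DEFAULT CHARACTER SET utf8
2019-03-15T02:10:15.000000Z    17 Query    CREATE TABLE `PLEASE_READ_ME_XMG`.`WARNING` (`id` int(11) NOT NULL, `warning` text, `Bitcoin_Address` text, `Email` text)
2019-03-15T02:10:16.000000Z    17 Query    INSERT INTO `PLEASE_READ_ME_XMG`.`WARNING` VALUES (1, 'To recover your lost data send 0.045BTC ...', '<address>', '<email>')
2019-03-15T02:10:17.000000Z    17 Quit
""".splitlines()

# Same session, but with a table copied out before the drops (constructed).
DUMP_LINE = ("2019-03-15T02:10:12.500000Z    17 Query    "
             "SELECT * FROM shop.customers INTO OUTFILE '/tmp/c.csv'")
SAMPLE_LOG_WITH_DUMP = SAMPLE_LOG[:4] + [DUMP_LINE] + SAMPLE_LOG[4:]


def parse_general_log(line):
    m = GENERAL_LOG_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "id": int(m["id"]), "cmd": m["cmd"], "arg": m["arg"] or ""}


def sessions_from_log(lines):
    """Group the log by connection id and record, per session, the source
    account, statements that could have copied data out, objects destroyed
    and whether a ransom note was written."""
    sessions = {}
    for line in lines:
        ev = parse_general_log(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev["id"], {"source": None, "dump_evidence": [],
                                           "destroyed": [], "ransom_note": False})
        if ev["cmd"] == "Connect":
            s["source"] = ev["arg"].split(" on")[0]   # "user@host on db using ..."
        elif ev["cmd"] == "Query":
            q = ev["arg"]
            if EXFIL_RE.search(q):
                s["dump_evidence"].append(q)
            m = DESTROY_RE.match(q) or DELETE_ALL_RE.match(q)
            if m:
                s["destroyed"].append(m["name"].strip("`"))
            if RANSOM_RE.search(q):
                s["ransom_note"] = True
    return sessions


def report(lines):
    """Return the destructive or ransom-writing sessions, lowest connection id
    first, each with a verdict on the "we backed up your data" claim."""
    out = []
    for cid, s in sorted(sessions_from_log(lines).items()):
        if not (s["destroyed"] or s["ransom_note"]):
            continue
        verdict = ("dump evidence present: " + "; ".join(s["dump_evidence"])
                   if s["dump_evidence"] else "no dump evidence in general log")
        out.append({"connection": cid, "verdict": verdict, **s})
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

The general log is off by default and the binary log records only writes, so an empty result proves nothing about SELECTs unless the general log was actually on during the intrusion; pair the log verdict with egress byte counts from the host or VPC flow logs for the same window before concluding the attacker holds no copy. A session that shows only SHOW DATABASES followed immediately by DROP DATABASE, as in the constructed sample, matches what the article reports: destruction without any dump.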

2. Cloud Security Center: leaving extortion attacks nowhere to hide




To deal with ransomware attacks and protect the assets of enterprises and individuals on the cloud, Ali Cloud Security Center builds multi-dimensional lines of defense that form a closed security loop, so that every attack can be traced and every threat handled end to end.

1. Prevention and detection

Before an intrusion, Ali Cloud Security Center finds potential vulnerability risks through vulnerability management and runs baseline checks and one-click checks for weak passwords and other security compliance settings.

During an attack, the Cloud Security Center uses threat modeling and data analysis to proactively discover and record the attacker's intrusion chain and to remind users in time to harden systems and fix vulnerabilities. Users are therefore advised to build their defenses starting from vulnerabilities and baselines.




2. Defense

Once an attacker has broken in and attempts extortion, Ali Cloud Security Center relies on its virus scanning engine for active defense: it blocks the download of the ransomware at the network layer, prevents the ransomware from starting on the server and isolates it. Even when an attacker has successfully compromised a host, the host is protected from ransomware damage and services keep running normally.




3. Investigation and tracing

Based on multi-dimensional threat detection, threat intelligence and other data, Ali Cloud Security Center can automatically reconstruct the attacker's entire intrusion chain against the server, help users consolidate their assets and give them security operations capability.




3. Security recommendations

  1. Use Ali Cloud Security Center to check for known vulnerabilities and vulnerability risks, repair and harden in time, and avoid ransomware attacks.
  2. Strengthen security awareness: make sure all software on the server is updated with the latest patches, that no weak passwords remain, and that valuable data is backed up on a schedule; follow the latest vulnerability alerts and immediately scan for known CVEs that could be used against your systems; and, where business allows, disable PowerShell, SMB and other unneeded services.
  3. We advise against paying the ransom. Paying only confirms to the criminal that the extortion works, and it does not guarantee that you will receive the key needed to decrypt your files.
  4. If you are infected with ransomware, you can wait for a free decryption tool to be released; see the following link: www.nomoreransom.org/zh/decrypti…



This article is original content of the cloud habitat community and may not be reproduced without permission.