Microsoft has been releasing patches for known Exchange vulnerabilities, but that hasn’t stopped attackers. A new ransomware family calling itself Epsilon Red has been found exploiting vulnerabilities in Microsoft Exchange servers to encrypt machines across a network. Before entering its encryption phase, Epsilon Red relies on more than a dozen scripts and also uses a commercial remote desktop utility.

A vulnerable Microsoft Exchange server

Cyber security firms investigating a cyber attack on a US company discovered that the Epsilon Red ransomware got in by exploiting unpatched vulnerabilities in on-premises Microsoft Exchange servers. Analysis suggests the attackers may have used the ProxyLogon set of vulnerabilities. ProxyLogon has been exploited frequently, and although 92% of vulnerable Microsoft Exchange servers have been updated to address the flaw, that hasn’t stopped attackers from continuing to cause damage.

Unique tool set

Epsilon Red is written in the Go language and is preceded by a unique set of PowerShell scripts that prepare the machine for the file-encryption program, each with a specific purpose:

- Kill processes and services belonging to security tools, database and backup programs, Office applications and email clients
- Delete volume shadow copies
- Steal the Security Account Manager (SAM) file, which contains password hashes
- Delete Windows event logs
- Disable Windows Defender
- Suspend processes
- Uninstall security tools (Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot)
- Expand permissions on the system

Most scripts are numbered 1 through 12, but a few are named with a single letter. One of them, C.ps1, appears to be a clone of the penetration-testing tool Copy-VSS.
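The helper scripts listed above leave recognisable traces in PowerShell script-block and process-creation logs, and it is the combination of several of those behaviours on one host, rather than any single one, that marks the staging phase described here. The following is an added detection example written for this page; it is not Epsilon Red's code and not a tool from the investigating firms. The regexes are generic patterns for the behaviours in the list, and the log lines are constructed, not indicators taken from the article.

```python
"""Scan PowerShell script-block log lines for the pre-encryption behaviours the
article attributes to Epsilon Red's helper scripts.

Added example written for this page; it is not Epsilon Red's code and not a
tool from the investigating firms. The regexes are generic detection patterns
and the log lines below are constructed, not indicators taken from the page.
"""
import re
from dataclasses import dataclass

# One rule per behaviour from the article's list. Each pattern targets the
# usual command or cmdlet fragment such a script would leave in PowerShell
# script-block or process-creation logs.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|Win32_ShadowCopy.*\.Delete\(", re.I)),
    ("sam_hive_access",
     re.compile(r"reg(\.exe)?\s+save\s+hklm\\sam\b|\\system32\\config\\sam\b", re.I)),
    ("event_log_clearing",
     re.compile(r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog", re.I)),
    ("defender_tampering",
     re.compile(r"Set-MpPreference\s+-Disable|Remove-MpPreference", re.I)),
    ("security_tool_removal",
     re.compile(r"(uninstall|msiexec.*/x).*(sophos|trend micro|cylance|malwarebytes|sentinel|vipre|webroot)", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    script: str


def scan_lines(lines):
    """Apply every rule to every '<host> <script text>' line."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        host, _, script = raw.partition(" ")
        for name, rx in RULES:
            if rx.search(script):
                findings.append(Finding(host, name, script))
    return findings


def hosts_at_risk(findings, threshold=3):
    """Hosts on which at least `threshold` distinct behaviours fired.

    A single hit (an admin clearing one log) is routine; several of these
    behaviours together on one host is the staging pattern the article
    describes and is the condition worth alerting on.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= threshold}


# Constructed sample log: '<host> <script block text>' per line.
SAMPLE_LOG = """\
WS01 Get-ChildItem C:\\Users\\alice\\Documents
WS01 vssadmin.exe delete shadows /all /quiet
WS01 reg.exe save hklm\\sam C:\\Windows\\Temp\\s.hiv
WS01 wevtutil.exe cl Security
WS01 Set-MpPreference -DisableRealtimeMonitoring $true
WS02 Get-Process | Where-Object CPU -gt 50
WS02 wevtutil.exe cl Application
"""

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.host:6} {f.rule:24} {f.script}")
    print("hosts at risk:", hosts_at_risk(hits))
```

Run against the sample, WS01 trips four distinct rules and is reported, while WS02's single log-clearing event is recorded as a finding but stays below the threshold; tune `threshold` and the rule list to the noise level of your own estate, since `wevtutil cl` and `msiexec /x` also appear in legitimate administration.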

Image: PowerShell script used by Epsilon Red ransomware

After breaking into the network, the attackers access computers through RDP, use Windows Management Instrumentation (WMI) to install software and run PowerShell scripts, and finally deploy the Epsilon Red executable. They also install a copy of Remote Utilities and the Tor Browser, a move designed to ensure they keep a backup way in if they lose the initial entry point.

Image: Epsilon Red ransomware installs Remote Utilities software

A ransom note modelled on REvil’s

Although this version of Epsilon Red may seem unprofessional, it places no restrictions on which file types and folders it encrypts. It also contains code from the open source tool GoDirWalk, a library for traversing a directory tree on a file system. This lets Epsilon Red scan hard drives and add directory paths to the target list of subprocesses, each of which encrypts its subfolders, so that the infected machine eventually runs a large number of copies of the ransomware. It encrypts everything in the target folders and appends the suffix “.epsilonred” to each file, without sparing executables or DLLs, which can break programs or even the operating system.

As is typical for ransomware, Epsilon Red drops a ransom note in each folder it handles, explaining how to contact the attackers to negotiate a price for decrypting the data. The note is a lightly edited version of the REvil ransomware’s note: Epsilon Red corrects the original’s grammar and spelling errors.
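Because the encryption described above renames every file with a fixed suffix and drops a note in every folder it handles, a responder can measure the blast radius from the file system alone: which directories were reached, how many files were renamed, and whether executables and DLLs were hit (those need reinstalling rather than restoring). The script below is an added triage example written for this page, not Epsilon Red code and not taken from the article; the ransom-note filename is a placeholder because the article does not give one, and the sample tree it builds is constructed.

```python
"""Triage a directory tree for the impact pattern the article describes:
files renamed with a ".epsilonred" suffix and a ransom note in every handled
folder. Added example for responders; not Epsilon Red code and not from the
original article. NOTE_NAME is a placeholder (the page gives no filename).
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".epsilonred"           # suffix named in the article
NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"  # assumed placeholder, not from the page
# Extensions whose encryption breaks programs or the OS; the article notes
# Epsilon Red does not spare them.
BINARY_EXTS = {".exe", ".dll", ".sys"}


def triage(root, suffix=ENCRYPTED_SUFFIX, note_name=NOTE_NAME):
    """Return (per-directory report, totals) for the tree under `root`."""
    report = {}
    totals = Counter()
    for dirpath, _dirs, files in os.walk(root):
        enc = [f for f in files if f.endswith(suffix)]
        originals = [f[: -len(suffix)] for f in enc]      # name before the suffix
        broken_bins = [f for f in originals
                       if os.path.splitext(f)[1].lower() in BINARY_EXTS]
        has_note = note_name in files
        rel = os.path.relpath(dirpath, root)
        report[rel] = {
            "encrypted": len(enc),
            "binaries_hit": len(broken_bins),
            "note": has_note,
        }
        totals["encrypted"] += len(enc)
        totals["binaries_hit"] += len(broken_bins)
        totals["dirs_with_note"] += int(has_note)
        totals["dirs_touched"] += int(bool(enc) or has_note)
    return report, dict(totals)


def build_sample_tree():
    """Constructed sample tree mimicking the described outcome (test data)."""
    root = tempfile.mkdtemp(prefix="epsilonred_triage_")
    layout = {
        "docs": ["report.docx.epsilonred", "budget.xlsx.epsilonred", NOTE_NAME],
        os.path.join("docs", "archive"): ["old.pdf.epsilonred", NOTE_NAME],
        "app": ["tool.exe.epsilonred", "helper.dll.epsilonred", NOTE_NAME],
        "untouched": ["readme.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("x")   # content is irrelevant; names carry the signal
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    per_dir, summary = triage(sample)
    for path, stats in sorted(per_dir.items()):
        print(f"{path:15} {stats}")
    print("totals:", summary)
```

Point `triage()` at a mounted image or a share instead of the sample tree; directories with a note but no renamed files show where the encryptor was interrupted, and a non-zero `binaries_hit` count tells you which application folders must be rebuilt from installation media rather than restored file by file.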

Epsilon Red uses a modified REvil ransom note

Although Epsilon Red is new to the ransomware scene, its operators have already attacked several companies and collected ransoms; one victim paid 4.28 Bitcoin (about $210,000) to the attackers on May 15.

Although network technology continues to mature, that does not mean the systems and the code behind them are flawless. Attackers seize on any vulnerability as an opportunity to sabotage systems and extort payment. Network technology needs safe and steady development: as technical capabilities are constantly updated, security practices must be strengthened alongside them. Software security is the most basic line of defence for network security. Strengthening it by introducing static code analysis and similar measures during development, combined with security testing at delivery, can effectively reduce system vulnerabilities and keep software secure while its functionality grows.
