Be aware! Windows and Linux systems are now vulnerable to self-propagating ‘Lucky’ malware.
This is a new version of a ransomware that was first spotted two years ago. Its main ability is to spread fast via ten different vulnerabilities in Windows and Linux server platforms.
Lucky is nothing more than a new variant of Satan, a data encryption tool that first appeared as a ransomware-as-a-service in January 2017. Lucky is a more potent Satan that exhibits worm-like behavior, spreading on its own with no human interaction at all.
The malware is capable of exploiting known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat, Apache Struts 2, and Spring Data Commons.
Lucky is also capable of infecting Linux production servers; researchers found that the ransomware encrypts files with the extension .lucky.
All of those server-side vulnerabilities that Lucky uses affect Java server apps.
The ten vulnerabilities that Lucky uses to spread are: JBoss default configuration vulnerability (CVE-2010-0738); Tomcat arbitrary file upload vulnerability (CVE-2017-12615); WebLogic arbitrary file upload vulnerability (CVE-2018-2894); WebLogic WLS component vulnerability (CVE-2017-10271); Windows SMB remote code execution vulnerability (MS17-010); Spring Data Commons remote code execution vulnerability (CVE-2018-1273); Apache Struts 2 remote code execution vulnerability (S2-045); Apache Struts 2 remote code execution vulnerability (S2-057); and Tomcat Web admin console backstage weak password brute-force flaw.
Remember, everything can be hacked. In order to stay away from any threats related to the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.
Researchers are saying that all of the vulnerabilities are easy to exploit because the actual exploits are publicly available for many of them.
Ransomware attacks are not as present as they were in 2017, with the WannaCry and NotPetya outbreaks. But this new Lucky variant shows that ransomware remains a popular tool in the hacker’s arsenal.
Spreading modus operandi
Lucky first attempts to spread right after it completes encrypting files on the victim system. The malware scans for specific IPs and ports on the local network and then sends its malicious payload to any systems that are discovered to be vulnerable.
Researchers say that this new approach is remarkable because instead of targeting OS vulnerabilities, the malware focuses on applications and services.
The main reason for the shift in attacks is that patching server-side applications is a considerably more difficult task than patching desktops. According to recent studies, organizations need on average at least three to four months to patch known app vulnerabilities.
We recommend using an egress firewall, or something with similar functionality, to check for suspicious port-scanning activity as well as for vulnerabilities being exploited. Security admins should also check for requests to the four specific IP addresses and domains listed by the researchers, who also provided steps that organizations can follow to remove the malware from infected systems.
Keep in mind that our modern society is dependent on computers, mobile devices, and the use of the internet; always stay safe and secured.
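The spreading behavior described above (one infected host probing many neighbors on a few service ports right after encryption) is what the egress-firewall check is meant to catch. The following is an added example, not code from the article or from the researchers it cites: a small Python detector that reads constructed firewall connection-log lines and flags any source that reaches an unusually high number of distinct internal hosts on one port within a short window (a horizontal scan). The log format, the sample hosts and timestamps, and the port-to-service labels (445 for SMB, 7001 for WebLogic, 8080 for Tomcat/JBoss) are assumptions chosen for the illustration; the thresholds are tunable parameters.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not taken from the article) in an assumed
# "timestamp src_ip dst_ip dst_port action" format.
# 10.0.0.15 sweeps seven hosts on 445 in seconds (scan-like),
# 10.0.0.30 talks repeatedly to one web server (normal),
# 10.0.0.40 touches six hosts on 8080 but spread over ten minutes (slow).
SAMPLE_LOG = """\
2018-12-05T10:00:01 10.0.0.15 10.0.0.20 445 ALLOW
2018-12-05T10:00:02 10.0.0.15 10.0.0.21 445 ALLOW
2018-12-05T10:00:03 10.0.0.15 10.0.0.22 445 ALLOW
2018-12-05T10:00:04 10.0.0.15 10.0.0.23 445 ALLOW
2018-12-05T10:00:05 10.0.0.15 10.0.0.24 445 ALLOW
2018-12-05T10:00:06 10.0.0.15 10.0.0.25 445 ALLOW
2018-12-05T10:00:07 10.0.0.15 10.0.0.26 445 ALLOW
2018-12-05T10:00:08 10.0.0.15 10.0.0.20 7001 ALLOW
2018-12-05T10:00:09 10.0.0.15 10.0.0.21 7001 ALLOW
2018-12-05T10:00:10 10.0.0.15 10.0.0.22 7001 ALLOW
2018-12-05T10:01:00 10.0.0.30 10.0.0.5 443 ALLOW
2018-12-05T10:01:30 10.0.0.30 10.0.0.5 443 ALLOW
2018-12-05T10:02:00 10.0.0.30 10.0.0.5 443 ALLOW
2018-12-05T10:00:00 10.0.0.40 10.0.0.20 8080 ALLOW
2018-12-05T10:02:00 10.0.0.40 10.0.0.21 8080 ALLOW
2018-12-05T10:04:00 10.0.0.40 10.0.0.22 8080 ALLOW
2018-12-05T10:06:00 10.0.0.40 10.0.0.23 8080 ALLOW
2018-12-05T10:08:00 10.0.0.40 10.0.0.24 8080 ALLOW
2018-12-05T10:10:00 10.0.0.40 10.0.0.25 8080 ALLOW
"""

# Assumed default service ports for the products named in the article;
# used only to label alerts, not to decide them.
WATCHED_PORTS = {445: "SMB", 7001: "WebLogic", 8080: "Tomcat/JBoss HTTP"}


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_scanners(log_text, window_seconds=60, host_threshold=5):
    """Return {src: {port: hosts}} for every (src, port) pair that reached
    at least host_threshold distinct destinations inside some window of
    window_seconds. 'hosts' is the largest distinct-host count seen in
    any such window, so a slow sweep below the threshold is not reported."""
    events = defaultdict(list)  # (src, port) -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            events[(src, port)].append((ts, dst))

    alerts = {}
    for (src, port), hits in events.items():
        hits.sort()
        best = 0
        # Slide a window starting at each event and count distinct hosts.
        for i, (t0, _) in enumerate(hits):
            seen = {dst for ts, dst in hits[i:]
                    if (ts - t0).total_seconds() <= window_seconds}
            best = max(best, len(seen))
        if best >= host_threshold:
            alerts.setdefault(src, {})[port] = best
    return alerts


def describe(alerts):
    """Render alerts as human-readable lines with the service label."""
    lines = []
    for src, ports in sorted(alerts.items()):
        for port, hosts in sorted(ports.items()):
            label = WATCHED_PORTS.get(port, "unknown service")
            lines.append(f"{src} reached {hosts} hosts on port {port} ({label})")
    return lines


if __name__ == "__main__":
    for line in describe(find_scanners(SAMPLE_LOG)):
        print(line)
```

With the defaults only 10.0.0.15 is reported, on port 445; its three WebLogic probes stay under the threshold, and the slow sweep from 10.0.0.40 only surfaces if the window is widened to several minutes. In practice the same logic sits on top of exported firewall or NetFlow records, and the two parameters are tuned against a baseline of normal east-west traffic before alerts are acted on.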
We will continue to monitor the cybersecurity world. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; tests like this include penetration testing and ethical hacking.