Written by: Alyssa Bear – Cybersecurity Analyst, MSPAlliance
MSPs are beginning to face a new variant of ransomware that uses their own systems to target their Customers. A new version of Sodinokibi can exploit vulnerabilities in applications that allow remote code to be executed without authentication. This type of vulnerability has been identified in Oracle WebLogic Server and in an RMM tool used by the MSP community.
So far, Sodinokibi has mostly targeted enterprise-scale businesses. However, this attack method will most likely become more prevalent in attacks on small and medium-sized businesses. Sodinokibi has already affected Customers of MSPs, and its operators will continue to probe MSP environments for vulnerabilities that allow automatic deployment.
Once Sodinokibi is deployed to Customer environments, Customer files are encrypted, and a traditional ransomware message is displayed. While other ransomware enables payment for a single ID, Sodinokibi requires payment for all encrypted IDs.
History of Sodinokibi
Sodinokibi was discovered in late April 2019 and was used to exploit a deserialization vulnerability known as CVE-2019-2725 in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, meaning it can be exploited from any remote endpoint without the need for a username or password. Sodinokibi used this to elevate privileges in Windows and used legitimate functions to bypass security measures. Oracle issued a patch outside of its normal patch cycle because of the severity of the vulnerability, which shows how dangerous this exploit is.
The Oracle Fusion Middleware Risk Matrix gives this vulnerability a base score of 9.8. The base score is defined as “a numeric value between 0.0 and 10.0 to indicate the severity of the vulnerability, where 10.0 represents the highest severity. Each risk matrix is ordered using this value, with the most severe vulnerability at the top of each risk matrix.” CVE-2019-2725 is easy to exploit because the attack is carried out over HTTP, meaning that anyone with network access to the WebLogic server could carry it out.
Once this ransomware was able to breach MSPs via remote desktop endpoints and escalate its privileges, it uninstalled the antivirus products it detected. Following this, the attackers searched for accounts using Webroot SecureAnywhere and executed a PowerShell script on remote workstations, releasing Sodinokibi.
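The chain just described, antivirus removal followed by PowerShell pushed out through the remote-management tooling, gives an MSP two process-creation signals worth monitoring. The following Python is an added example, not code from this article or from MSPAlliance; the event format, the `rmm_agent.exe` process name and the product keywords are assumptions to adapt to your own telemetry.

```python
import re

# Constructed sample of process-creation events (not real telemetry).
# Fields: timestamp,host,parent_process,process,command_line
SAMPLE_EVENTS = """\
2019-06-20T09:01:12Z,WS-014,explorer.exe,powershell.exe,powershell.exe -File C:\\scripts\\inventory.ps1
2019-06-20T09:02:45Z,WS-014,services.exe,msiexec.exe,msiexec.exe /x {PRODUCT-CODE-PLACEHOLDER} /qn
2019-06-20T09:03:10Z,WS-014,rmm_agent.exe,powershell.exe,powershell.exe -ExecutionPolicy Bypass -EncodedCommand SQBFAFgA
2019-06-20T09:03:11Z,WS-022,rmm_agent.exe,powershell.exe,powershell.exe -NoProfile -File C:\\ProgramData\\tmp\\run.ps1
2019-06-20T09:04:00Z,WS-022,cmd.exe,wmic.exe,wmic product where "name like '%antivirus%'" call uninstall /nointeractive
"""

# Hypothetical name of the RMM agent binary; replace with the agent used in your environment.
RMM_AGENT_PROCESSES = {"rmm_agent.exe"}
# Assumed keywords that identify a security product in an uninstall command line.
AV_KEYWORDS = ("antivirus", "anti-virus", "endpoint protection", "secureanywhere")
UNINSTALLERS = {"msiexec.exe", "wmic.exe", "powershell.exe"}
UNINSTALL_RE = re.compile(r"\buninstall\b|(^|\s)/x\b", re.IGNORECASE)
EVASION_RE = re.compile(r"-enc\w*\s|-executionpolicy\s+bypass", re.IGNORECASE)


def parse_event(line):
    ts, host, parent, proc, cmd = line.split(",", 4)  # command line is the last field
    return {"timestamp": ts, "host": host, "parent": parent.lower(),
            "process": proc.lower(), "cmd": cmd}


def detect(events_text):
    """Return alerts for the two behaviours in the chain above: security-product
    removal and PowerShell launched through the RMM agent."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        cmd_l = ev["cmd"].lower()
        # Rule 1: an uninstaller invoked against something that looks like a security product.
        # A bare msiexec /x {product-code} is not flagged here; resolve the code before judging it.
        if (ev["process"] in UNINSTALLERS and UNINSTALL_RE.search(ev["cmd"])
                and any(k in cmd_l for k in AV_KEYWORDS)):
            alerts.append({**ev, "rule": "av_uninstall", "severity": "high"})
        # Rule 2: PowerShell spawned by the RMM agent. RMM tooling runs PowerShell legitimately,
        # so encoded or policy-bypass flags raise severity; the rest are queued for review.
        if ev["parent"] in RMM_AGENT_PROCESSES and ev["process"] == "powershell.exe":
            sev = "high" if EVASION_RE.search(ev["cmd"]) else "review"
            alerts.append({**ev, "rule": "rmm_powershell", "severity": sev})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["timestamp"]} {a["host"]} {a["rule"]} ({a["severity"]}): {a["cmd"]}')
```

Review-tier alerts should be reconciled against the MSP's own scheduled scripts and change records so that routine RMM automation does not drown the genuinely unexpected launches.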
Sodinokibi is unique because it utilized a zero-day exploit, which is an attack “that occurs on the same day a weakness is discovered in software.” The use of a zero-day is atypical of the distribution pattern of financially motivated ransomware. According to Kaspersky, organizations at risk from a zero-day attack can employ a few means of detection and protection. These include using a virtual local area network (VLAN) to protect transmitted data, using a properly configured firewall, using a secure Wi-Fi system to protect against malware attacks, and using Secure Sockets Layer (SSL), which secures information sent between the user and the site. Using 2FA or MFA on all applications, to the extent possible, is strongly encouraged. All of this is relevant to becoming compliant with today’s industry standards and best practices, which help prevent attacks like this from happening to an MSP.
Sources:
- https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
- https://usa.kaspersky.com/resource-center/definitions/zero-day-exploit
- https://www.oracle.com/technetwork/topics/security/advisorymatrixglossary-101807.html
- https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/
- https://securelist.com/sodin-ransomware/91473/