<h1>Sodin ransomware enters through MSPs</h1>
<p>Kaspersky Daily, published 2019-07-03, updated 2019-11-15. Original: <a href="https://me-en.kaspersky.com/blog/sodin-msp-ransomware/13616/">https://me-en.kaspersky.com/blog/sodin-msp-ransomware/13616/</a></p>
<p>This ransomware uses managed service providers' infrastructure or the Oracle WebLogic vulnerability to infect and encrypt victims' systems.</p>
<p>At the end of March, when <a target="_blank" href="https://www.kaspersky.com/blog/msp-as-a-threat-vector/" rel="noopener noreferrer nofollow">we wrote</a> about a GandCrab ransomware attack on an MSP's clients, we figured it was unlikely to be an isolated case. Managed service providers are simply too tempting a target for cybercriminals to ignore.</p>
<p>It appears we were right. In April, ransomware dubbed Sodin captured our experts' attention. It differed from the others in that, in addition to using gaps in MSPs' security, it also exploited a vulnerability in the Oracle WebLogic platform. And whereas ransomware typically requires the user's involvement (for example, the victim must launch a file attached to a phishing email), in this case no user participation is needed.</p>
<p>You can read the technical details of this ransomware in <a target="_blank" href="https://securelist.com/sodin-ransomware/91473/" rel="noopener noreferrer">this Securelist post</a>. From our point of view, the most interesting thing about this malware is its means of distribution.</p>
<h2>Sodin distribution methods</h2>
<p>To spread the malware through <a target="_blank" href="https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/" rel="noopener noreferrer nofollow">WebLogic</a>, the attackers used the CVE-2019-2725 vulnerability to execute a PowerShell command on a vulnerable Oracle WebLogic server. This allowed them to upload a dropper to the server, which then installed the payload: the Sodin ransomware. Patches for the bug were released back in April, but at the end of June a similar vulnerability, CVE-2019-2729, was discovered.</p>
<p>In attacks that go through MSPs, Sodin reaches users' machines in several ways. Customers of at least three providers have already suffered from this Trojan. According to <a target="_blank" href="https://www.darkreading.com/attacks-breaches/attackers-exploit-msps-tools-to-distribute-ransomware/d/d-id/1335025" rel="noopener noreferrer nofollow">this story on DarkReading</a>, in some cases the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In other cases, <a target="_blank" href="https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/" rel="noopener noreferrer nofollow">as described on Reddit</a>, the attackers penetrated MSP infrastructure over an RDP connection, elevated privileges, disabled security solutions and backups, and then pushed the ransomware to client computers.</p>
<h2>What service providers should do</h2>
<p>For a start, take the handling and storage of remote-access passwords seriously, and use two-factor authentication wherever possible. The remote consoles of both Kaseya and Webroot support two-factor authentication, and after the incident the vendors of both began to mandate its use. As we can see, the attackers who distribute Sodin do not wait to stumble on an opportunity; they purposefully look for ways to distribute malware through MSPs. That is why it is necessary to look carefully at every other tool used in this sphere. RDP access, as we have said time and again, should be used only as a last resort.</p>
<p>MSPs, and especially those that provide cybersecurity services, should take the protection of their own infrastructure even more seriously than that of their clients. Here is what <a target="_blank" href="https://www.kaspersky.com/advert/partners/managed-service-provider?redef=1&amp;THRU&amp;reseller=gl_kdmsp_acq_ona_smm__onl_b2b__wpplaceholder_______" rel="noopener noreferrer nofollow">Kaspersky can offer MSPs to protect themselves</a> and their clients.</p>
<h2>What other companies should do</h2>
<p>Of course, updating software remains a critical job. Malware getting into your infrastructure through vulnerabilities discovered and patched months ago is an embarrassing example of an obviously unforced error.</p>
<p>Companies using Oracle WebLogic should first familiarize themselves with the Oracle Security Alert Advisories for both vulnerabilities: <a target="_blank" href="https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html" rel="noopener noreferrer nofollow">CVE-2019-2725</a> and <a target="_blank" href="https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html" rel="noopener noreferrer nofollow">CVE-2019-2729</a>.</p>
<p>It is also wise to use <a href="https://me-en.kaspersky.com/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">reliable security solutions</a> with subsystems that can detect ransomware and protect workstations from it.</p>