Sodin ransomware spreads through MSPs

Cyber criminals are targeting vulnerable software and gaps in managed service providers’ (MSP) security systems to distribute Sodin ransomware.

Sodin, also known as Sodinokibi and REvil, is a newly discovered ransomware known to exploit at least two Oracle WebLogic Server bugs. In addition, Sodin also recently added a Windows privilege escalation bug to its exploit targets.

Kaspersky Lab researchers have been monitoring Sodin malware activity since April. The company said Sodin spreads without user involvement. This activity is unlike other ransomware infections that typically rely on phishing emails.

Sodin configuration and encryption

Kaspersky said each Sodin sample contains an encrypted configuration block that has all the settings and data for the trojan to work.

Sodin also uses a “hybrid scheme” to encrypt the victim’s files.

“The file contents are encrypted with the Salsa20 symmetric stream algorithm, and the keys for it with an elliptic curve asymmetric algorithm,” Kaspersky noted.

Kaspersky includes more technical details on Sodin, such as key management, encryption and network communication.

How Sodin spreads

Bad actors spread Sodin via multiple distribution methods, to include multiple patched software vulnerabilities and MSP remote management tools.

In one attack, Kaspersky spotted attackers exploiting a WebLogic vulnerability (CVE-2019-2725) by executing a PowerShell script on a vulnerable WebLogic server. From April through June, additional security experts warned that hackers were also exploiting CVE-2019-2725 to install cryptocurrency miners.

To compound matters, another WebLogic vulnerability CVE-2019-2729 was discovered near the end of June. Oracle confirmed attackers were exploiting the vulnerability in the wild and issued a security patch. This one is especially urgent to patch given it requires no user credentials to exploit and is rated a CVSS score of 9.8.

In another attack, Sodin exploited a Windows privilege escalation flaw CVE-2018-8453. Microsoft patched this critical bug in October 9, 2018.

Attacks also compromised at least three MSPs to distribute Sodin ransomware to its MSP customers.

According to a Dark Reading report, at least two MSP remote management tools (Webroot and Kaseya) were compromised to deliver the trojan. In one incident, an MSP customer said a Webroot console was used to download malware on up to 67 MSP-managed systems.

Hackers likely compromised MSP credentials to gain access to these sensitive remote management systems.

To help combat these types of MSP-based attacks, customers (and MSPs) should mandate use of multi-factor authentication (MFA). This is especially critical for security and management systems designed to remote control other systems on the network.

Organizations should also take extra care to patch software in timely manner, such as CVE-2019-2725 and CVE-2019-2729. Not to mention, be wary of even older unpatched flaws, such as CVE-2018-8453.