Patched Windows Flaw Actively Being Exploited; Ransomware On The Loose
By: Jim Stickley and Tina Davis
July 16, 2019
A ransomware strain named Sodinokibi (also Sodin or REvil) is exploiting a vulnerability in Windows that was patched last year. It involves Oracle’s WebLogic servers and is reportedly fairly simple to exploit. The bigger problem is that this issue, which is being actively exploited now, could have been prevented as far back as October 2018. That’s because Microsoft issued a patch for it back then.
This flaw, known as CVE-2018-8453, affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Servers. A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.
Applying security updates is one of the most important things you can do to improve security. This should be done as soon as a patch is released. In this case, the patch was released several months ago. Not applying updates right away gives attackers a ready opportunity to take advantage.
Unusually, the former zero-day has been spotted alongside ransomware rather than the other forms of malware that are more typical for it. Security researchers have suggested that Sodinokibi is being distributed via a ransomware-as-a-service (RaaS) scheme, rather than being distributed directly by its creator.
The best defense against ransomware is to first train all employees and users of your networks how to spot a phishing lure and avoid being caught by it. Email is the primary way malware gets distributed. In addition, patch systems and keep current backup copies of important data. Be sure to keep those backups secured and completely disconnected from the Internet. Other types of malware and ransomware have been known to encrypt backups too, so keeping them offline is the best mitigation technique.
Though many organizations have recently chosen to pay attackers to get their data decrypted (recent cases in Florida cost the cities over $1.1 million), this is not recommended. With current and functioning backups, it’s much less costly to restore from those. Restoring from backups also avoids encouraging more ransomware attacks.