Enel and Honda Compromised by Snake Ransomware
Italian energy corporation Enel and Japanese automotive giant Honda were hit last weekend by ransomware attacks that affected their IT systems. Snake ransomware (also known as Ekans) is responsible for both compromises, according to the analysis carried out by independent researcher @milk3am of the two malware samples uploaded to the VirusTotal platform. Research into the attack vector is inconclusive, but the likely cause was the public exposure of Remote Desktop Protocol (RDP) services by both companies, as other sources have suggested. Regarding Enel, only its Argentinean subsidiary, Edesur, has admitted to suffering a computer issue that is “making it difficult to help clients by telephone, social networks and the use of the Virtual Office”. For its part, Honda has told BleepingComputer that it is experiencing issues within its computer network, while stressing that production continues smoothly and that the impact on its customers is zero. Researchers estimate that the affected networks include those in both Europe and Japan. Snake is a ransomware family that emerged at the end of 2019 and includes modules specifically designed to terminate processes associated with ICS/SCADA software. Last month, a major distribution campaign was reported, affecting at least one other large corporation in the health sector, the German company Fresenius.
New Campaign Impersonating the Spanish ITSS
In the last few hours, a new fraudulent campaign impersonating the Spanish Labour and Social Security Inspectorate (ITSS) has been detected. This time, the e-mails come from senders at the domains itss.se, itss.com, itss.es and itss.app, and the subject of the message is “Denuncia Oficial XXXXXX, se inició una investigación contra su empresa” [Official Complaint XXXXXX, an investigation against your company has been launched]. The messages report an alleged investigation against the company for possible infringements and state that the complaints are attached in the Excel document included in the e-mail. If a victim opens this malicious document and enables its execution, he or she will be infected with malware from the Smoke-Loader family, which includes password-theft functionality.
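The indicators above (lookalike sender domains, the campaign subject line, an Excel attachment that may carry macros) can be checked automatically at the mail gateway. The following is an added example, not code from the bulletin or from any vendor: it parses a raw message with Python's standard `email` module, flags the sender domains and subject pattern named in the bulletin, and inspects Excel attachments for a macro-capable container (the legacy OLE2 format, or an OOXML zip containing `xl/vbaProject.bin`). The sample message and attachment are constructed inside the block; the `build_sample` helper, the indicator names and the scoring threshold are this example's own choices.

```python
"""Triage a raw e-mail for the indicators described in the ITSS campaign.

Added example (not from the original bulletin). The sender domains and the
subject line come from the bulletin; the sample message is constructed here.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

# Lookalike sender domains named in the bulletin.
LOOKALIKE_DOMAINS = {"itss.se", "itss.com", "itss.es", "itss.app"}
SUBJECT_PATTERN = re.compile(
    r"^Denuncia Oficial \S+, se inició una investigación contra su empresa", re.I)
EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".xlsb")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container


def sender_domain(msg: EmailMessage) -> str:
    """Return the lowercase domain of the From: address ('' if unparseable)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def macro_container_kind(data: bytes) -> Optional[str]:
    """Classify an attachment body: 'ole2' (legacy .xls, may hold VBA),
    'ooxml-with-vba' (zip containing xl/vbaProject.bin), 'ooxml', or None."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return None
        return "ooxml-with-vba" if "xl/vbaProject.bin" in names else "ooxml"
    return None


def triage(raw: bytes) -> dict:
    """Return the campaign indicators found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    indicators = []
    if sender_domain(msg) in LOOKALIKE_DOMAINS:
        indicators.append("sender-lookalike-domain")
    if SUBJECT_PATTERN.match(msg.get("Subject", "")):
        indicators.append("subject-matches-campaign")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXCEL_EXTENSIONS):
            indicators.append("excel-attachment")
            kind = macro_container_kind(part.get_payload(decode=True) or b"")
            if kind in ("ole2", "ooxml-with-vba"):
                indicators.append(f"attachment-may-carry-macros:{kind}")
    # Threshold chosen for this example: two independent indicators.
    return {"indicators": indicators, "suspicious": len(indicators) >= 2}


def build_sample(with_vba: bool = True) -> bytes:
    """Construct a sample message resembling the campaign (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder VBA stream
    msg = EmailMessage()
    msg["From"] = "Inspeccion de Trabajo <notificaciones@itss.app>"
    msg["To"] = "empresa@example.com"
    msg["Subject"] = "Denuncia Oficial 123456, se inició una investigación contra su empresa"
    msg.set_content("Adjuntamos las denuncias presentadas contra su empresa.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="Denuncia_123456.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The container check is deliberately shallow: it tells you that an attachment can hold VBA, not that it does, which is enough to route the message to sandbox detonation or to a macro-analysis tool rather than to the user's inbox.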
SAP Bulletin – June 2020
SAP has released its June 2020 Security Patch Day with two critical vulnerabilities, four of high severity and 12 of medium severity. The following are particularly noteworthy:
- CVE-2020-1938: With a CVSSv3 score of 9.8, this is a vulnerability in the Tomcat JSP engine and servlet container that abuses the trust Tomcat places in HTTP requests arriving through the AJP connector. It can be exploited to read arbitrary files from anywhere in the web application and have them processed as JSP, leading to remote code execution.
- CVE-2020-6265: With a CVSSv3 score of 9.8, this is a hard-coded default credential vulnerability in SAP Commerce and SAP Commerce Datahub that allows access control to be bypassed by anyone who knows the default credentials.
Exposure is maximal for both vulnerabilities: they are low in attack complexity, require no prerequisites or user interaction, and have the maximum impact on confidentiality, integrity and availability (the CIA triad).
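For CVE-2020-1938 the relevant configuration lives in Tomcat's server.xml, and the fixed Tomcat releases changed three defaults: the AJP connector is commented out, it binds to loopback instead of all interfaces, and it requires a shared secret (`secretRequired`, default `true`, plus `secret`). The following audit script is an added example, not code from the bulletin, SAP or the Tomcat project: it walks every `Connector` element and reports AJP connectors that are reachable beyond loopback or have no secret. The two server.xml snippets are constructed; the assumption that a missing `address` means all interfaces matches the pre-fix Tomcat default, and the `REPLACE_WITH_RANDOM_SECRET` value is a placeholder.

```python
"""Audit a Tomcat server.xml for AJP connector settings relevant to CVE-2020-1938.

Added example, not from the bulletin or from SAP/Tomcat. It checks the
hardening points applied in Tomcat's fixed releases: bind AJP to loopback,
require a shared secret, and drop the connector when nothing needs it.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the pre-fix default, AJP on all interfaces, no secret.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: loopback-only AJP with a required secret (placeholder value).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"
               redirectPort="8443"/>
  </Service>
</Server>
"""


def audit_ajp(server_xml: str) -> list:
    """Return a list of findings; an empty list means no AJP connector is defined."""
    findings = []
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        port = connector.get("port", "?")
        # Assumption: no address attribute means the pre-fix default of all interfaces.
        address = connector.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(f"port {port}: AJP listens on {address}, not loopback")
        # Fixed releases use secretRequired (default true) together with secret;
        # older releases only had the optional requiredSecret attribute.
        secret = connector.get("secret") or connector.get("requiredSecret")
        secret_required = connector.get("secretRequired", "true").lower() != "false"
        if not secret:
            findings.append(f"port {port}: no AJP secret configured"
                            + ("" if secret_required else " (secretRequired=false)"))
        findings.append(f"port {port}: AJP connector enabled; remove it "
                        "if no reverse proxy needs it")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label)
        for finding in audit_ajp(xml_text):
            print("  -", finding)
```

Run it against the server.xml of each Tomcat instance in the estate; the last finding is informational and is there because, in most deployments, the AJP connector exists only because the default configuration shipped it.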
New Vulnerabilities in the SMB Protocol
Two significant publications concerning vulnerabilities in the SMB protocol have been released in the last few hours:
- Firstly, ZecOps analysts have discovered a new vulnerability, SMBleed (CVE-2020-1206). This bug allows data to be read remotely from kernel memory and, when chained with SMBGhost, can yield pre-authentication remote code execution. It affects only very recent versions of Windows and is neutralised by the same mitigations implemented for patching SMBGhost.
- Secondly, a remote code execution vulnerability (CVE-2020-1301) has been disclosed. It exploits a bug in the SMBv1 protocol, whose use Microsoft does not recommend. An attacker authenticated with credentials to access a remote network share could execute code of their choice. The discoverers of the vulnerability point out, as a mitigating factor, that the share must be on a hard drive. It has also been speculated that there might be another path of exploitation, which remains unclear. This bug affects all versions of Windows and has been included in the June update bulletin.
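Both items have a network-visible precondition: CVE-2020-1301 needs SMBv1 negotiation to still be accepted, and SMBGhost/SMBleed need the SMB 3.1.1 compression capability to be negotiated. The following is an added example, not code from the bulletin, ZecOps or Microsoft: a small parser for SMB negotiate requests that a defender can run over captured traffic to find hosts still offering SMB1 or negotiating compression. Only the negotiate request is parsed (the SMB1 header magic and command byte; the SMB2 NEGOTIATE body, its dialect list and the SMB2_COMPRESSION_CAPABILITIES negotiate context). The sample packets are constructed by the `build_smb1_negotiate` and `build_smb2_negotiate` helpers, which are this example's own; the alert wording is likewise the example's.

```python
"""Classify SMB negotiate requests seen on the wire: SMB1 dialect negotiation
(the protocol CVE-2020-1301 sits in) and SMB 3.1.1 compression negotiation
(the feature SMBGhost and SMBleed rely on).

Added example, not from the bulletin or from ZecOps/Microsoft; the sample
packets are constructed with the builders below.
"""
import struct

SMB2_NEGOTIATE = 0x0000
SMB1_COM_NEGOTIATE = 0x72
SMB2_COMPRESSION_CAPABILITIES = 0x0003
DIALECT_311 = 0x0311
COMPRESSION_NAMES = {0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}


def build_smb1_negotiate() -> bytes:
    """Constructed minimal SMB1 NEGOTIATE: 32-byte header, WordCount 0, one dialect."""
    dialects = b"\x02NT LM 0.12\x00"
    header = b"\xffSMB" + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27
    return header + b"\x00" + struct.pack("<H", len(dialects)) + dialects


def build_smb2_negotiate(dialects, compression_algorithms=()) -> bytes:
    """Constructed SMB2 NEGOTIATE request with an optional compression context."""
    header = (b"\xfeSMB" + struct.pack("<HHIHHII", 64, 0, 0, SMB2_NEGOTIATE, 0, 0, 0)
              + struct.pack("<QIIQ", 1, 0, 0, 0) + b"\x00" * 16)  # 64-byte header
    contexts = b""
    if compression_algorithms:
        # Context data: AlgorithmCount, Padding, Flags, then the algorithm ids.
        data = struct.pack("<HHI", len(compression_algorithms), 0, 0)
        data += struct.pack("<%dH" % len(compression_algorithms), *compression_algorithms)
        contexts = struct.pack("<HHI", SMB2_COMPRESSION_CAPABILITIES, len(data), 0) + data
    dialect_bytes = struct.pack("<%dH" % len(dialects), *dialects)
    ctx_offset = 64 + 36 + len(dialect_bytes)   # contexts are 8-byte aligned from the header
    padding = (-ctx_offset) % 8
    body = struct.pack("<HHHHI", 36, len(dialects), 1, 0, 0) + b"\x00" * 16  # GUID zeroed
    body += struct.pack("<IHH", ctx_offset + padding if contexts else 0,
                        1 if contexts else 0, 0)
    return header + body + dialect_bytes + b"\x00" * padding + contexts


def classify_negotiate(packet: bytes) -> dict:
    """Parse one SMB negotiate request; unknown or short packets yield protocol=None."""
    result = {"protocol": None, "dialects": [], "compression": []}
    if packet[:4] == b"\xffSMB" and len(packet) > 4 and packet[4] == SMB1_COM_NEGOTIATE:
        result["protocol"] = "SMB1"
        return result
    if packet[:4] != b"\xfeSMB" or len(packet) < 100:
        return result
    (command,) = struct.unpack_from("<H", packet, 12)
    if command != SMB2_NEGOTIATE:
        return result
    result["protocol"] = "SMB2"
    dialect_count = struct.unpack_from("<H", packet, 66)[0]
    ctx_offset, ctx_count = struct.unpack_from("<IH", packet, 92)
    result["dialects"] = list(struct.unpack_from("<%dH" % dialect_count, packet, 100))
    if DIALECT_311 in result["dialects"]:      # negotiate contexts exist only for 3.1.1
        pos = ctx_offset
        for _ in range(ctx_count):
            ctx_type, length = struct.unpack_from("<HH", packet, pos)
            if ctx_type == SMB2_COMPRESSION_CAPABILITIES:
                algo_count = struct.unpack_from("<H", packet, pos + 8)[0]
                algos = struct.unpack_from("<%dH" % algo_count, packet, pos + 16)
                result["compression"] = [COMPRESSION_NAMES.get(a, hex(a)) for a in algos]
            pos += (8 + length + 7) // 8 * 8      # advance to the next aligned context
    return result


def alerts(packet: bytes) -> list:
    """Defender-facing summary for the two SMB issues in the bulletin."""
    info = classify_negotiate(packet)
    out = []
    if info["protocol"] == "SMB1":
        out.append("SMB1 negotiation observed: legacy dialect still enabled on this path")
    if info["compression"]:
        out.append("SMB 3.1.1 compression offered (%s): confirm the SMBGhost/SMBleed "
                   "patch or the compression workaround" % ", ".join(info["compression"]))
    return out


if __name__ == "__main__":
    for pkt in (build_smb1_negotiate(),
                build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311], [1, 2, 3])):
        print(classify_negotiate(pkt), alerts(pkt))
```

The SMB2 branch deliberately trusts the NegotiateContextOffset and counts in the packet, so in production this should sit behind the usual bounds checks of your capture framework; here the constructed packets are well-formed by construction.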
eCh0raix: Ransomware Targets QNAP NAS Devices
Bleeping Computer has warned that the eCh0raix ransomware operators have launched a new campaign against QNAP network-attached storage (NAS) devices. The group's activity started in June 2019 and declined in recent months due to competition with other groups, such as Muhstik and QSnatch, that also target QNAP NAS devices. However, possibly as a result of a publication detailing three critical vulnerabilities in these devices, an increase has been detected in users affected by a ransomware that has finally been attributed to eCh0raix. Traditionally, the group has focused its attacks on exploiting old unpatched vulnerabilities or on brute-forcing weak passwords. Exploits for the new vulnerabilities may have been incorporated, which would explain the upsurge in the group's activity, so users are advised to update their devices as soon as possible.