NOTE: The following CSIRT alert relates to the SERNAC incident previously reported on DataBreaches. The alert is reproduced in machine translation of the original Spanish.
The Computer Security Incident Response Team, Government CSIRT , reports on an incident in progress that affects a government service, during the day of Thursday, August 25, which has interrupted the operation of its systems and online services .
The nature of the incident corresponds to a ransomware that affected Microsoft and VMware ESXi servers in corporate networks of the institution.
The ransomware in question has the ability to stop all running virtual machines and encrypt files related to the virtual machines.
As a result of the infection, the files assume the extension “.crypt”. Subsequently, the attacker takes complete control of the victim’s system and leaves a ransom message reporting the amount of hijacked data, offering a communication channel and a specific ID to contact them. The attacker gives a period of three days to communicate, otherwise he threatens to prevent the data from being accessible to the organization and put these assets up for sale to third parties on the dark web.
The ransomware would use the NTRUEncrypt public key encryption algorithm, targeting log files (.log), executable files (.exe), dynamic library files (.dll), swap files (.vswp), virtual disks (. vmdk), snapshot (.vmsn) files, and virtual machine memory (.vmem) files, among others.
In this document, we share some Indicators of Compromise and malware characteristics that we have been able to observe, related to this incident.
Thus, the malicious program that the ransomware has created also has infostealer characteristics:
- Steal credentials from browsers
- List removal devices like HDD and pen drives
- It has antivirus evasion capabilities with timeout.
Changing file names when encrypting:
C:\Users\Admin\Pictures\DebugSelect.raw => C:\Users\Admin\Pictures\DebugSelect.raw.crypt
File IOCs
0t8I7t8q8.exe
SHA256; 39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
6c1W1w0p9.bat
SHA256; ac73234d1005ed33e94653ec35843ddc042130743eb6521bfd3c32578e926004
lock.exe
SHA256: c42834ac1c8efc19c44024f1e4960c5a9aaab05dc9fceb0d1596ffe0c244f5f2
Tactics used according to the Miter ATT&CK classification
The Government CSIRT wants to alert the community of the State and entities in collaboration agreement to pay special attention to this threat and to follow, at least, the following recommendations:
- Ensure that all the components of your systems (PCs and servers) are protected by antivirus, antimalware and firewall programs with their current licenses.
- Check that your VMware and Microsoft assets are up to date and protected.
- Periodically check that all your software is up to date.
- Have backups for your most important data and processes, which must be separated (in the best case, even physically) from the assets they support and adequately protected with firewalls and security protocols.
- Reinforce officials’ awareness of the importance of distrusting the emails they receive, especially if they include attachments, and to inform cybersecurity managers if someone receives a suspicious email.
- Verify and strengthen the settings of your anti-spam services, since emails are the main access route for malicious programs.
- Implement network segmentation and control user privileges to fit your requirements.
- Remember that if you are faced with a cybersecurity incident, you must inform the Government CSIRT.
- Periodically review the alerts published by the Government CSIRT about the new phishing and malware campaigns that we detect: https://www.csirt.gob.cl/alertas/
- Be informed every day of new important vulnerabilities in frequently used programs in our country at https://www.csirt.gob.cl/vulnerabilidades/
- Finally, we highlight that we have free awareness material available at https://www.csirt.gob.cl/recomendaciones/
Source: https://www.csirt.gob.cl/noticias/alerta-de-seguridad-cibernetica-incidente-en-servicio-publico/