Operators of the nearly-year-old eCh0raix ransomware strain that’s been used to target QNAP and Synology network-attached storage (NAS) devices in past, separate campaigns have, gotten more efficient. According to researchers, both have put out a new variant that can target either vendors’ devices in a single campaign.

In a report published Tuesday, Palo Alto Network Unit 42 researchers said the new variant of eCh0raix exploits a critical bug, CVE-2021-28799 – an improper authorization vulnerability that gives attackers access to hard-coded credentials so as to plant a backdoor account – in the Hybrid Backup Sync (HBS 3) software on QNAP’s NAS devices.

HBS is used for backup, restoration and synchronization between local, remote and cloud storage spaces. On April 21, users of devices marketed by the Taiwanese vendor – Quality Network Appliance Provider (QNAP) – began to report attacks that, it turned out, abused this same flaw. Hundreds of users were extorted, as Bleeping Computer reported at the time.

Timeline

As far as unit 42 can determine, there’s been no analysis yet of malware samples that would show eCh0raix ransomware targeting Synology devices before this. “Instances of Synology devices infected by eCh0raix have been reported from as far back as 2019, but the only previous research connecting the Synology attacks to eCh0raix actors is based on decryptors that were found,” they elaborated.

The first time that Unit 42 researchers saw this dual-vendor variant was September 2020. Maybe the combined variant was authored at that time and the attackers had separate code bases to target the vendors’ devices in separate campaigns before that, they suggested: a hypothesis that’s confirmed by the new variant’s project name, as revealed in compilation paths in GoLang binaries: “rct_cryptor_universal” (/home/dev/GoglandProjects/src/rct_cryptor_universal).

“Prior samples of eCh0raix use the project name qnap_crypt_worker,” researchers pointed out. Between June and September 2020, they did see other eCh0raix samples using that rct_cryptor_universal project name, but September 2020 was when they first saw a full-blown sample with two separate code flows.

Cover Your NAS

Unit 42 passed along these best practices for protecting home offices from ransomware attacks:

• Update device firmware to keep attacks of this nature at bay. Details about updating QNAP NAS devices against CVE-2021-28799 can be found on the QNAP website
• Create complex login passwords to make brute-forcing more difficult for attackers.
• Limit connections to SOHO connected devices from only a hard-coded list of recognized IPs to prevent network attacks that are used to deliver ransomware to devices.

Microsoft’s scramble to address the fallout from the zero-day attacks against on-prem Exchange Server installations continued this week with the release of a one-click mitigation tool help businesses contain the damage.

The new Exchange On-premises Mitigation Tool (EOMT) is aimed at companies without dedicated security or IT teams to manage patching and post-incident forensics.

Microsoft said the tool has been tested across Exchange Server 2013, 2016, and 2019 deployments and is meant to be “an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.”

The EOMT has been combined with the Microsoft Safety Scanner to automatically mitigate the dangerous CVE-2021-26855 vulnerability on any Exchange server on which it is deployed. 

“This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” Microsoft warned.

Here’s the latest list of Redmond’s recommendations:

1. Download the EOMT tool.
2. Run it on Exchange servers immediately.
3. Follow the more detailed guidance here to ensure that your on-premises Exchange is protected.
4. If you are already using Microsoft Safety Scanner, it is still live and Microsoft recommends keeping this running as it can be used to help with additional mitigations.

SecurityWeek has compiled a list of resources to help incident response teams and IT administrators respond to this global incident:

1. ProxyLogon — the researchers who reported some of the actively exploited vulnerabilities to Microsoft have named the issues ProxyLogon and have set up a dedicated website. They plan on publishing a technical paper in the future.
2. CISA advisory with instructions on how organizations can conduct a forensic analysis if they see evidence of compromise. 
3. CISA Emergency Directive with instructions for federal agencies, including for identifying potential compromises, conducting a forensic investigation, and responding to an incident. 
4. Huntress has been tracking attacks and vulnerable servers. The company has shared some recommendations for MSPs and technical information on the attacks. 
5. Joint advisory from CISA and FBI containing information on targeted sectors, attack techniques, mitigations, as well as technical details for detecting exploitation and attacker activities. 
6. Praetorian has reproduced the Exchange exploit chain and it has shared detailed technical information on the vulnerabilities. 
7. Unit 221B provides an online tool named Check My OWA, which is designed to “aid victim notification based on lists of compromised Exchange servers with Outlook Web Access(OWA) enabled, which were obtained from perpetrators of this mass breach event.”

Indicators of compromise (IOC) and other threat hunting resources

1. Volexity has shared information on the Exchange exploits, post-exploitation activity observed in attacks, and IOCs.
2. Microsoft provides technical details on the attacks it observed, instructions for checking if a system has been compromised, host IOCs, endpoint and Azure detections, and advanced hunting queries.
3. FireEye has shared information on attacks targeting Exchange servers, investigation tips and technical IOCs.
4. Scripts from Microsoft for checking IOCs related to the China-linked threat actor HAFNIUM, and for detecting malicious files on Exchange servers.
5. Pwndefend has made available a list of bad IP addresses, as well as an IOC hunting script that should provide a more detailed view in some areas.
6. Latvia’s CERT-LV has released a script that detects web shells dropped on Exchange servers following successful exploitation of the vulnerabilities. 

Tools and other resources for defenders

1. Nmap script made by researcher Kevin Beaumont can be used to scan a network for potentially vulnerable Microsoft Exchange servers.
2. DomainTools has conducted an analysis of the attacks and has shared some recommendations for network detection. 

Adrozek is a malicious browser modifier that, when installed on users’ machines, infects them with adware. This particular strain of malware has been making rounds since May 2020; according to Microsoft, it was at its peak in August, when as many as 30,000 computers were affected per day. Although classified as adware, Adrozek is also designed to collect information extracted from browsers by modifying browser settings and extensions. It affects Google Chrome, Microsoft Edge, Mozilla Firefox, and the Yandex browser. Considering the risks Adrozek poses to organizations, IT admins need to take some preemptive measures to ensure security.

Adrozek is being distributed through drive-by attacks, where users are tricked into installing the malicious software, often bundled with or disguised as legitimate software. Once installed, it makes a number of modifications to browser settings and extensions. Adrozek disables browser updates and turns off Safe Browsing, which is a feature designed to prevent users from landing on malicious websites. It then installs and activates new browser extensions that run in incognito mode; these extensions run without explicit user permissions, and are hard to notice since they aren’t displayed in the toolbar. These modifications help the malware inject users’ search engines with ads. In certain browsers, the malware further steals users’ credentials. When users access enterprise web applications on the infected browsers, the organization’s data security is at risk.

It’s always better to be safe than sorry. IT admins can implement a stringent yet foolproof, three-step preventive mechanism to help secure their organizations against Adrozek.

1. Restrict users’ access to trusted websites

Implement URL filtering software to prevent users from accessing websites that are unauthorized by the IT teams. This ensures that users don’t land on infected websites, preventing the installation of malware.

2. Limit downloads to trusted websites

While step one eliminates the chances of users installing the malware, limiting downloads to trusted websites creates an additional layer of security, preventing it from being downloaded in the first place.

3. Restrict execution of untrusted applications

Restricting the execution of untrusted applications will prevent Adrozek from running if it’s present in the enterprise network. This final step creates a fortified boundary, preventing the execution of the malware.

BROCENT Managed IT Security Service (MSS) to implement these three-fold preventive measures. In case users’ machines are already infected with Adrozek, IT admins can implement a few best practices to limit the damage.

1. Deploy browser configurations to users’ browsers

Browser configurations and behavior can be managed from a central location with the managed antivirus console. Configurations deployed  cannot be overwritten by users, nor by Adrozek. For example, deploying a configuration to enable browser updates will prevent the malware from modifying the setting. Similarly, BROCENT support center can enable the Safe Browsing configuration, ensuring that Adrozek cannot disable it. This will minimize the impact of the malware.

2. Restrict installation of new browser extension and add-ons

IT admins can restrict the installation of new extensions and add-ons. This will prevent the malware from installing new extensions capable of injecting ads and stealing credentials. To prevent loss of productivity that could arise from lack of extensions, mission-critical extensions and add-ons can be distributed to users’ browsers BROCENT managed network behavior management console.