Ezzeldin Tahoun (PwnPizza)
Published Sep 14, 2019, 4 min read

New ransomware (Lilu, Lilocked) infects thousands of Linux servers using a buffer overflow vulnerability in a popular message transfer agent (Exim)

Over the course of the past month, more and more details have emerged about a new strain of ransomware that has been infecting Linux servers since July 2019 and has recently grown more aggressive.

Why is it important?

This attack matters not only because it exploits a memory-corruption bug, but because of how many high-value, internet-facing servers run the affected software. Exim is the most widely deployed MTA on the public Internet [8], so until patched, a majority of reachable mail servers were exposed to this attack and to any other attack built on the same critical vulnerability. Exploitation goes through the TLS handshake, so any Exim server that accepts TLS connections is vulnerable, whether it was built against OpenSSL or GnuTLS [2].

Who is affected?

Any server running Exim, a message transfer agent (MTA), at version 4.92.1 or earlier [4] can potentially be attacked. Exim 4.92.2 was released on 6 September 2019 and all earlier versions are declared obsolete because of this highly critical vulnerability [2], which is being exploited in the wild, reportedly including by the Lilu ransomware operators [9]. Running "exim -bV" prints the version in use. Note that distributions usually backport the fix under the original version number, so on Debian, Ubuntu, RHEL and similar systems check your distribution's security advisory for CVE-2019-15846 rather than trusting the version string alone.

A quick Google search for the following dork (type it without the square brackets):
[ intitle:"index of" "#README.lilocked" ]
reveals many indexed victims of the attack. Opening one of these links and reading the #README.lilocked file shows the ransom note left on the server for the IT staff, telling them how to get their sites back now that the server's files have been encrypted for ransom.

In my investigation, I tried 3 of the victims’ keys, obtained by visiting the publicly listed #README.lilocked to access the attacker’s onion website. It was found that for each victim a different price was set. The range observed was from 0.010 to 0.300 BTC to decrypt a directory. The value could have been determined based on website rank on web ranking services or assigned based on the size of files encrypted.

What impact might it have on people?

Ransomware is malware that encrypts data and withholds the decryption key until a payment is made to the attackers; many variants also threaten to delete the data or raise the price once a deadline passes. Lilocked appends a .lilocked extension to the files it encrypts and drops a #README.lilocked note in each affected directory [5].

If an attacker can run code on your machine they may choose to run ransomware for financial gain, and that is the reported use of this Exim flaw in the wild. Exim runs on a plethora of Linux-based servers: it is the default MTA on Debian GNU/Linux, it is especially popular with Internet service providers and universities in the UK, and it is widely used with the GNU Mailman mailing-list manager and cPanel.
A July 2019 survey found that 57% of the publicly reachable mail servers on the Internet ran Exim, making it the most popular MTA [8].
Since Lilocked encrypts web content files such as HTML, PHP, JS, CSS and images rather than system files [5], an infected server keeps running, but the websites it hosts are effectively unavailable to their users.

What were the causes?

The SMTP delivery process was vulnerable to a heap buffer overflow that can be triggered with a crafted client TLS certificate or, in the default configuration, a crafted Server Name Indication (SNI) during the TLS negotiation [2]. SNI is the TLS extension a client uses to name the host it wants when one IP address serves many TLS sites [6].
It was disclosed in [3] that CVE-2019-15846 lets a local or remote attacker execute programs with root privileges. [2] adds that the trigger is an SNI ending in a backslash-null sequence sent during the initial TLS handshake. Exim records the SNI (and the peer certificate's DN) in its spool file in a printable, backslash-escaped form. When the delivery process reads that header back and un-escapes it, a trailing backslash makes the escape decoder consume the string's NUL terminator, so the copy loop runs on past the end of the string and writes into a heap buffer that was sized for the original value. Because the delivery process runs as root, controlling the overwritten memory yields root code execution. Exim 4.92.2 fixes the decoder; the advisory also offers an interim ACL that rejects a session whose $tls_in_sni or $tls_in_peerdn ends in a backslash [2].
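To make the mechanism concrete, here is an added C example. It is not Exim's source and not the author's code: the function names are hypothetical and the bytes placed after the string are constructed to stand in for whatever follows on the heap. It shows a minimal escape decoder with the same shape of flaw (the byte after a backslash is read without checking for the terminator), a hardened version that refuses a trailing backslash, and a demo input "host\" that makes the flawed decoder emit 13 bytes where a caller would have allocated 6.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not Exim's source: a simplified model of the escape
 * decoding ("unprinting") of a spool-file value such as the SNI.
 * Function names are hypothetical. */

/* Decode one backslash escape. Mirrors the shape of the bug: it reads the
 * byte after the backslash without checking for the string terminator and
 * leaves *pp pointing at that byte, whatever it was. */
static int interpret_escape_unchecked(const char **pp)
{
    const char *p = *pp;
    int ch = (unsigned char)*(++p);      /* may be the terminating NUL */
    switch (ch) {
    case 'n': ch = '\n'; break;
    case 't': ch = '\t'; break;
    case 'r': ch = '\r'; break;
    default:  break;                      /* '\\' -> '\\', '"' -> '"', NUL -> 0 */
    }
    *pp = p;
    return ch;
}

/* Vulnerable pattern. A caller sizes 'out' as strlen(in) + 1. If 'in' ends
 * in a lone backslash, the decoder consumes the NUL terminator, the p++
 * below steps past it, and the loop keeps copying whatever follows in
 * memory until the next NUL. Returns the number of bytes written before
 * the final NUL. 'out' must be oversized here so the demo stays in bounds. */
size_t unprint_vulnerable(const char *in, char *out)
{
    const char *p = in;
    char *q = out;
    while (*p) {
        if (*p == '\\') {
            *q++ = (char)interpret_escape_unchecked(&p);
            p++;                          /* skips the NUL when it was the "escaped" byte */
        } else {
            *q++ = *p++;
        }
    }
    *q = '\0';
    return (size_t)(q - out);
}

/* Hardened pattern: reject an escape with nothing after the backslash and
 * never write past out_len. Returns bytes written, or -1 on malformed or
 * oversized input. Refusing a trailing backslash is the same check the
 * advisory's interim ACL mitigation applies to the SNI and peer DN. */
long unprint_hardened(const char *in, char *out, size_t out_len)
{
    const char *p = in;
    size_t n = 0;
    while (*p) {
        int ch;
        if (*p == '\\') {
            if (p[1] == '\0')
                return -1;                /* trailing backslash: malformed, reject */
            ch = interpret_escape_unchecked(&p);
            p++;
        } else {
            ch = (unsigned char)*p++;
        }
        if (n + 1 >= out_len)
            return -1;                    /* would overflow 'out' */
        out[n++] = (char)ch;
    }
    out[n] = '\0';
    return (long)n;
}

/* Constructed sample: the value "host\" (a lone trailing backslash), its
 * NUL terminator, and then bytes standing in for whatever happens to sit
 * after the string on the heap. Separate literals keep the embedded NUL explicit. */
static const char arena[] = "host\\" "\0" "HEAPDATA";

size_t demo_alloc_size(void)        { return strlen(arena) + 1; }                               /* 6 */
size_t demo_vulnerable_bytes(void)  { char out[64]; return unprint_vulnerable(arena, out); }     /* 13 */
long   demo_hardened_result(void)   { char out[64]; return unprint_hardened(arena, out, sizeof out); } /* -1 */

/* Well-formed input still round-trips: escaped "mail\\example\n" decodes to 13 bytes. */
int demo_hardened_roundtrip(void)
{
    char out[64];
    long n = unprint_hardened("mail\\\\example\\n", out, sizeof out);
    return n == 13 && strcmp(out, "mail\\example\n") == 0;
}

int main(void)
{
    printf("caller would allocate %zu bytes, vulnerable decoder wrote %zu\n",
           demo_alloc_size(), demo_vulnerable_bytes());
    printf("hardened decoder on the same input: %ld (rejected)\n", demo_hardened_result());
    printf("hardened decoder on well-formed input: %s\n",
           demo_hardened_roundtrip() ? "ok" : "mismatch");
    return 0;
}
```

Compile with "cc -std=c99 unprint.c -o unprint" and run it. The vulnerable copy stays in bounds only because the demo hands it a 64-byte buffer; in Exim the destination was sized for the original string, which is what turned the over-read into a heap overflow. Giving unprint_vulnerable a buffer of exactly demo_alloc_size() bytes under AddressSanitizer reproduces the out-of-bounds write.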

How might similar problems be prevented in the future?

Security code review should be part of every development cycle, and SecDevOps should be integrated with the DevOps process already in place. Penetration tests should be scheduled frequently, and bug bounty programs set up so that people are incentivized to find problems like this one and submit them for a reward.

Faster response by the affected operators would have been possible with feeds from their deployments and from darknet hacker forums. Roughly seven weeks passed between the private report of this bug and the release of 4.92.2 on 6 September 2019 [2], while Lilocked infections had been spreading since July. Threat hunting and threat intelligence can be used to watch feeds for upcoming threats, for example discussions of this exploit or vulnerability on hacker forums, long before it becomes this common.

A security operations center monitoring a Security Information and Event Management (SIEM) platform fed by sensors on the servers would have detected the initial scans checking whether a server was vulnerable. That gives the security staff a small window to block the attack proactively, take other preventive measures, or investigate what lay behind the scan. For this bug in particular, Exim can record the SNI of each TLS session (log_selector = +tls_sni), so a session presenting an SNI that ends in a backslash shows up in the main log.

Keep software up to date. Use good judgement and make security education part of staff training. Have a sound security architecture in your network, use access control, expose the MTA's listeners no more widely than needed, and implement best practices in your workplace.

IT personnel running servers should always keep backups of their data and intellectual property, stored offline or otherwise out of reach of a compromised host and tested for restore, so that they never have to comply when a ransom is demanded for encrypted data. The FBI has previously issued an advisory stating that paying is not recommended, since there is no guarantee of getting your data back: some attackers have no mechanism for decrypting your data once the ransom is paid.

Discussion

-What do you think IT Personnel can do to protect internet-facing servers from being attacked, and keeping the attack from reaching other assets on the network?
-What do you think would be a good strategy for keeping the usefulness vs security tradeoff at an optimal point? The more your systems can do the bigger the attack surface.
-Do you think software written a long time ago (using languages like C), yet actively maintained, should be re-written with security implemented in the design phase? How would you justify this re-writing cost?

References
[1] https://nvd.nist.gov/vuln/detail/CVE-2019-15846
[2] https://www.exim.org/static/doc/security/CVE-2019-15846.txt
[3] https://www.openwall.com/lists/oss-security/2019/09/04/1
[4] https://www.exim.org/
[5] https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/
[6] https://www.cloudflare.com/learning/ssl/what-is-sni/
[7] https://github.com/Exim/exim/blob/927e32d4e26593314c5c287b3033ed550d648706/doc/doc-txt/cve-2019-15846/posting-2.txt
[8] http://www.securityspace.com/s_survey/data/man.201907/mxsurvey.html
[9] https://searchengines.guru/showthread.php?t=1021112
