Summary
A ransomware strain named Sodinokibi (also known as Sodin or REvil) is using a former Windows zero-day vulnerability to elevate its privileges on infected hosts.
The vulnerability, a Win32k elevation-of-privilege flaw tracked as CVE-2018-8453, was patched in Microsoft's October 2018 Patch Tuesday security updates after it had been exploited as a zero-day since August 2018 by a state-sponsored hacking group known as FruityArmor.
CVE-2018-8453’s use with the Sodinokibi ransomware follows a known industry trend where zero-days go from nation-state exploitation to day-to-day criminal operations.
More surprising is that the former zero-day was spotted alongside ransomware rather than other forms of malware. In a report analyzing Sodinokibi, security researchers from Kaspersky called the use of a privilege escalation flaw "rare among ransomware", because ransomware generally does not employ such techniques.
Indicators of Compromise
hxxp://188.166.74[.]218/office.exe
hxxp://188.166.74[.]218/radm.exe
hxxp://188.166.74[.]218/untitled.exe
hxxp://45.55.211[.]79/.cache/untitled.exe
130.61.54[.]136
decryptor[.]top
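The indicators above are published defanged (hxxp, [.]), so they cannot be pasted straight into a log search. The following is an added example, not code from the original page or from Kaspersky, that refangs the indicators, splits them into URL, IP and domain sets, and runs them over a few constructed proxy/DNS/firewall log lines (the log format and the sample lines are assumptions for illustration; the indicators are the ones listed above). A hit on an indicator's host alone, without the exact path, is still flagged, and subdomains of a listed domain are matched too.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the page, in their defanged form.
DEFANGED_IOCS = [
    "hxxp://188.166.74[.]218/office.exe",
    "hxxp://188.166.74[.]218/radm.exe",
    "hxxp://188.166.74[.]218/untitled.exe",
    "hxxp://45.55.211[.]79/.cache/untitled.exe",
    "130.61.54[.]136",
    "decryptor[.]top",
]

# Constructed sample log lines (assumed format: timestamp source client details).
SAMPLE_LOGS = [
    "2019-07-03T09:12:44Z proxy 10.0.0.15 GET http://188.166.74.218/radm.exe 200 application/x-dosexec",
    "2019-07-03T09:12:50Z dns 10.0.0.15 query A decryptor.top",
    "2019-07-03T09:13:02Z fw 10.0.0.15 -> 130.61.54.136:443 ALLOW",
    "2019-07-03T09:15:10Z proxy 10.0.0.22 GET https://www.microsoft.com/en-us/ 200 text/html",
    "2019-07-03T09:16:00Z dns 10.0.0.22 query A update.decryptor.top",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] and (.) -> ., [:] -> :."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def build_ioc_sets(indicators):
    """Split refanged indicators into exact-URL, IPv4 and domain sets.

    The host of every URL indicator is also recorded as an IP or domain
    indicator, so contact with the server on a different path still matches.
    """
    urls, ips, domains = set(), set(), set()
    for raw in indicators:
        ind = refang(raw)
        if "://" in ind:
            urls.add(ind.lower())
            ind = urlparse(ind).hostname or ""
        try:
            ips.add(str(ipaddress.ip_address(ind)))
        except ValueError:
            domains.add(ind.lower())
    return urls, ips, domains


def match_line(line, urls, ips, domains):
    """Return a sorted list of (kind, value) hits found in one log line."""
    hits = set()
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")  # strip trailing punctuation from free text
        if url.lower() in urls:
            hits.add(("url", url))
    for ip in IPV4_RE.findall(line):
        if ip in ips:
            hits.add(("ip", ip))
    for host in HOST_RE.findall(line):
        host = host.lower()
        # Exact domain or any subdomain of a listed domain.
        if host in domains or any(host.endswith("." + d) for d in domains):
            hits.add(("domain", host))
    return sorted(hits)


def scan(lines, indicators=DEFANGED_IOCS):
    """Return [(line_number, line, hits)] for every line with at least one hit."""
    urls, ips, domains = build_ioc_sets(indicators)
    results = []
    for lineno, line in enumerate(lines, 1):
        hits = match_line(line, urls, ips, domains)
        if hits:
            results.append((lineno, line, hits))
    return results


if __name__ == "__main__":
    for lineno, line, hits in scan(SAMPLE_LOGS):
        print(f"line {lineno}: {hits}\n    {line}")
```

Exact-URL and IP indicators age quickly, since the operators can rotate paths and hosting at will, so treat a hit as a starting point for investigation rather than the only signal, and pair this kind of IoC sweep with the patch-status checks in the recommendations below.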
Recommendations
• Keep Windows and internet-facing applications fully patched so that known privilege escalation and remote code execution flaws cannot be exploited.
• Keep regular, current backups of your important data on offline storage, so that a ransomware infection cannot reach and encrypt them.
• Confirm that the patches for CVE-2019-2725 (the Oracle WebLogic Server deserialization flaw) and CVE-2018-8453 (the Win32k elevation-of-privilege flaw) have been applied.