GUI used by Monster<\/em><\/strong><\/p>\nThe rest of the ransomware is fairly typical. RSA + AES are used, and multiple threads help \u00a0to speed up the encryption and decryption process.<\/p>\n
In terms of victimology, we found a couple of victims located all over the world (Singapore, Indonesia, Bolivia).<\/p>\n
CVE-2022-24521: private 1-day exploits used for attacking Windows 7-11<\/h2>\n
Cybercriminals have the capabilities to create so-called 1-day exploits within a matter of day(s) after the vulnerability is reported or fixed. This is the reason why many security professionals urge system admins and users to install security patches as soon as possible.<\/p>\n
One such example is CVE-2022-24521, an arbitrary pointer dereference in the Common Log File System (CLFS) driver, which has a long history of vulnerabilities. CVE-2022-24521\u00a0 allows an attacker to gain system privileges on the infected device and is exploited in different ways by various actors. Although this time, it must be said it took the criminals a little bit longer than usual to develop an exploit: two weeks after the vulnerability was disclosed. We did, however, find an exploit with a PE-timestamp dated about one week after the patch was released, indicating that a working exploit might have been available even earlier. In total, we found two different exploits, both having several versions. In both cases, the developers sell exploits privately and do not share them on GitHub or other online platforms.<\/p>\n
What is particularly interesting about these exploits is that they support a variety of Windows versions. This is something we usually see in commercial exploits. But the exploits have more in common: the two share a lot of debug messages. Because of these debug messages and the overall design of one of the exploits, we were able to link it to the other exploit for a much older vulnerability in the CLFS driver. In fact, we can say that the older exploit was reused for the newer vulnerability.<\/p>\n
Finally, it is worth mentioning that one of the exploits was used in the wild during an attack on a large retailer in the APAC region.<\/p>\n
Conclusion<\/h2>\n
In this blogpost, we stepped away \u2014 even though just slightly \u2014 from solely covering ransomware. Although ransomware is still one of the biggest threats to organizations, one should realize how these attacks actually take place. Quite often criminals use exploits for which patches are already available, simply because the affected organizations do not have an optimal patching policy.<\/p>\n
Proper threat intelligence can help organizations to protect themselves against these types of threats, despite a non-ideal policy. For example, as we highlighted in this blogpost, criminals sometimes reuse older exploit code for newer vulnerabilities. Properly written Yara rules help to catch these newer exploits. Also, discussing TTPs and what is currently popular amongst ransomware groups helps organizations to make better-informed decisions on how to protect their environments.<\/p>\n
For any questions about our private reports, please contact crimewareintel@kaspersky.com<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"In this report, we discuss the new multi-platform ransomware RedAlert (aka N13V) and Monster, as well as private 1-day exploits for the CVE-2022-24521 vulnerability.<\/p>\n","protected":false},"author":312,"featured_media":98449,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[24],"tags":[123,37,121,83,41],"banners":"","hreflang":[{"hreflang":"x-default","url":"https:\/\/securelist.com\/ransomware-updates-1-day-exploits\/107291\/"}],"_links":{"self":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/107291"}],"collection":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/users\/312"}],"replies":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/comments?post=107291"}],"version-history":[{"count":8,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/107291\/revisions"}],"predecessor-version":[{"id":107303,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/107291\/revisions\/107303"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media\/98449"}],"wp:attachment":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media?parent=107291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/categories?post=107291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/tags?post=107291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Note](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/08\/23163047\/Ransomware_updates__1-day_exploits_01.png\")
<\/a><\/p>\n![\"Stopping](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/08\/23163133\/Ransomware_updates__1-day_exploits_02.png\")
<\/a><\/p>\n![\"GUI](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2022\/08\/23163241\/Ransomware_updates__1-day_exploits_03.png\")
<\/a><\/p>\n