These Affiliate Cyber Criminals Have an Eye on your Exchange
AvosLocker is a loose group of cybercriminals. Brought together by their habit of illegal money-making and dependence on a particular Ransom-as-a-Service tool, they’re the new kids on the cybersecurity block.
They advertise their success across a number of Telegram groups, offering jobs for wannabe affiliates. They boast not only that every affiliate gets to keep the profits – but also offer access to a broad network of cybercriminal peers.
Successful affiliate ransomers are granted access to AvosLocker’s ‘for sale’ page, selling the personal data of previous victims that didn’t comply. A lucrative double extortion business model, for sure.
Avos is not one single piece of malware: the core code is available for a subscription fee, and different groups modify this to varying degrees of complexity and success. One of the most ubiquitous attacks swept through Microsoft Exchange clients in late 2021, relying primarily on server side request forgery (SSRF).
Though the ransomware itself is nothing special, the group’s cutthroat business-like image extends to their attacks. Once the ransomware has run its payload, some AvosLocker affiliates call their victims, cajoling them over phone and email. Threats of DDoS attacks have also been reported.
The group’s behavior and code are as simple and brute-force as each other; protecting yourself is vital.
Table of Contents
What’s SSRF?
The goal of a SSRF attack is to gain access to a company’s internal server and remotely deploy unauthorized code.
Internal servers are separated from external through a wide range of cybersecurity features, such as network segmentation. However, internal servers can be forced to assume a far wider trust boundary than normal. Attackers can manipulate this trust boundary by sending an arbitrary HTTP request to that internal server.
That request triggers the server to take unwanted action within a network. The server can communicate with any network – including internal sources – meaning once-secure information can now be leaked.
Stages of Infection
In the case of AvosLocker’s Microsoft Exchange vulnerability, module CVE-2021-31207 allowed the attacker – upon completing a successful SSRF attack – to bypass the remote authentication process.
From there, step 2 can commence. Component CVE-2021-34523 handles Microsoft Exchange’s elevation of privilege process; this allows the remote attacker to move from user to administrator. Finally, CVE-2021-34473 allows the authenticated attacker to execute code. Now, the cybercriminal can finally drop the ransomware onto the server.
Alongside the Microsoft Exchange vulnerabilities, some AvosLocker affiliates have modified the base Avos code to incorporate attacks on ServiceDesk ITSM clients; others have recently released a Linux-based attack vector. The vulnerability CVE-2021-44077 impacts all ServiceDesk Plus versions up to and including 11305, in much the same way the original Exchange vulnerability does. It too allows remote execution of code.
Another AvosLocker affiliate has gone one step further by exploiting the security systems of its victims. Within this strain of Avos malware, a batch script by the name of lock.bat or love.bat preps the machine before the ransomware deploys.
Sometimes, when malware enters a network, it’s possible to defend against an attack by activating Safe Mode on your device. Usually, this isolates the machine from its network, and gives you a breather from relentless payloads to diagnose the malware.
The latest Avos batch script preps itself by disabling Windows Defender and Windows update services. It then attempts to disable critical components of security software that can otherwise run in Safe Mode. At the same time, the batch files install AnyDesk, and set that to run in Safe Mode during its connection to the network.
Finally, the batch file plunges the machine into Safe Mode, which locks the victims out of their own machines.
Payload
The Avos ransomware does not attempt to be sneaky. The infection process is similar to breaking and entering, and this brashness is seen as the encryption process logs its activity in the command window. The software simply encrypts every file and network it comes into contact with. In each file, it leaves a .txt detailing its ransom amount.
Recovering the data is not possible without obtaining the original Private Key.
Should victims not pay the ever-increasing fee, AvosLocker siphons off the data manually, and posts it on their ‘for sale’ board.
Protection
The first and major step towards keeping your enterprise protected: stop procrastinating on those updates! All three original Exchange vulnerabilities have now been patched by Microsoft. ManageEngine has also patched its Microsoft and Linux versions. Delaying these updates is the only factor that puts you at risk of these older Avos attacks.
However, SSRF attacks are still possible. Protection against this can be split into two formats: application and network.
Application protection
Externally protecting an app can be hard, but input validation is a fantastic way to combat false queries made in a SSRF attack.
As a user connects to an app, it’s possible to examine whether the user is inputting the expected strings. If the input data has a simple format (for example, a voucher, address, etc.), then a regex can be used to ensure the inputted data is valid.
If the input data is more complex, then regexes should be avoided – they’re difficult to maintain and incredibly error prone for complex strings. Instead, validation should be conducted from context-specific libraries.
Network Defense
The goal of network security is to prevent a vulnerable app from performing calls to unnecessary applications. To limit its network access, constrict an app’s allowed routes to only the apps that it should be communicating with, when not compromised. This is essentially what a Web Application Firewall provides: restricting an app’s access between servers to the bare minimum.
It’s one reason why network segmentation is another vital component to network security. Splitting up an organization into smaller logical groups allows tighter control, as firewalls can then inspect and block any threats flowing between networks.
Aside from these SSRF-specific protections, continue to maintain good IT hygiene. In the same way each app only needs certain permissions, every staff member only requires a certain amount of access. Finally – as a very last resort – always keep your backup secure and off-site.
Though AvosLocker is a new and highly active malicious actor, there are small-but-powerful steps you can take to prevent them gaining a foothold in your organization.
Follow TechWaver for more!
