Security Alert

Alert – New Variant of Ransomware called Tycoon Targets Education and Software Sectors 2020-06-15

Overview:
Tycoon is a multi-platform Java ransomware that targets both Windows and Linux and is able to evade security tools for long periods of time.
Tycoon is deployed as a trojanized Java Runtime Environment (JRE). It takes advantage of Java Image (JIMAGE) files, an internal Java format that stores custom JRE images designed to be used by the Java Virtual Machine (JVM) at runtime.
Tycoon does not appear to be distributed through phishing or spam emails. Its operators are believed to gain initial access through exposed or vulnerable Remote Desktop Protocol (RDP) servers; the ransomware is then triggered by executing a shell script that runs the main malicious Java module, of which there are both Windows and Linux versions. Its configuration is stored in the project's BuildConfig file and holds the attacker's email address, an RSA public key, the content of the ransom note, an exclusions list and a set of shell commands to be executed.

Details of the attack:

Post-incident analysis of an infected Internet-facing RDP server showed that the attackers use a number of unusual techniques:
- To achieve persistence on the victim's machine, the attackers use Image File Execution Options (IFEO) injection. IFEO settings are stored in the Windows registry (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options) and give developers a way to debug their software by attaching a debugging application whenever the target application is executed: when a Debugger value is set for an executable, Windows launches the named "debugger" instead of the original program and passes it the program's path.
- A backdoor is then executed alongside the Microsoft Windows On-Screen Keyboard (OSK) feature of the operating system.
- The attackers disable the organization's anti-malware solution using the ProcessHacker utility and change the passwords of the Active Directory servers, leaving the victim unable to access their systems.
- Most of the attacker's files are timestomped (their file timestamps are altered to hinder forensic analysis), including the Java libraries and the execution script.
- Finally, the attackers execute the Java ransomware module, encrypting all file servers, including backup systems, that are connected to the network.
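The IFEO persistence described above leaves a visible trace: a Debugger value under the Image File Execution Options key. The script below is an added example for this alert, not code from the BlackBerry report, Rw-CSIRT or the Tycoon operators. It scans a .reg text export of that key and flags every Debugger value, ranking hijacks of osk.exe (the On-Screen Keyboard named in this alert) as high severity; the other logon-screen accessibility binaries in the list are an assumption based on the same hijack pattern, and the sample .reg text is constructed.

```python
"""Flag Image File Execution Options (IFEO) 'Debugger' persistence in a
.reg export.  Added example; not code from BlackBerry, Rw-CSIRT or the
Tycoon operators.  Produce the input on the host with:

    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
"""
import re
from dataclasses import dataclass

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Executables Windows can launch from the logon/lock screen.  osk.exe is the
# On-Screen Keyboard named in this alert; the others are an assumption based
# on the same accessibility-tool hijack pattern.
LOGON_SCREEN_BINARIES = {
    "osk.exe", "sethc.exe", "utilman.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


@dataclass
class Finding:
    target: str     # executable whose launch is hijacked, e.g. osk.exe
    debugger: str   # program Windows will run instead of it
    severity: str   # "high" (logon-screen binary) or "review"


def _unescape(value: str) -> str:
    # .reg files escape backslash and double quote inside REG_SZ values
    return re.sub(r'\\(["\\])', r"\1", value)


def scan_reg_text(text: str) -> list:
    """Return one Finding per Debugger value set directly under IFEO."""
    findings = []
    current = None  # name of the IFEO subkey (the hijacked executable)
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            current = None
            if key.lower().startswith(IFEO_KEY.lower() + "\\"):
                rest = key[len(IFEO_KEY) + 1:]
                # only direct children; nested keys such as PerfOptions
                # are not where the hijack lives
                if "\\" not in rest:
                    current = rest
            continue
        if current is None:
            continue
        m = _STRING_VALUE.match(line)
        if not m or m.group(1).lower() != "debugger":
            continue  # GlobalFlag, hex(2) values etc. are not the hijack
        severity = "high" if current.lower() in LOGON_SCREEN_BINARIES else "review"
        findings.append(Finding(current, _unescape(m.group(2)), severity))
    return findings


def scan_reg_file(path: str) -> list:
    # reg export writes UTF-16 LE with a BOM; Python's utf-16 codec handles it
    with open(path, encoding="utf-16") as fh:
        return scan_reg_text(fh.read())


# Constructed sample export: one osk.exe hijack, one benign GlobalFlag entry,
# and one developer-style Debugger entry that merits a look but is not a
# logon-screen binary.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="C:\\ProgramData\\backdoor\\run.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="C:\\Tools\\tracer.exe"
'''

if __name__ == "__main__":
    for f in scan_reg_text(SAMPLE_REG):
        print(f"[{f.severity}] {f.target} -> {f.debugger}")
```

Any Debugger value on a logon-screen binary should be treated as a confirmed persistence mechanism until proven otherwise; a "review" finding on a developer tool may be legitimate, but confirm it with the machine's owner. REG_EXPAND_SZ Debugger values are exported as hex(2) and are not parsed by this script, so also check the live key with reg query if the export shows hex(2) entries.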

Solution (Mitigation):

Rw-CSIRT strongly recommends that network administrators (managed environments) follow the best practices below to help safeguard their networks against this Tycoon ransomware attack:
- Avoid exposing Remote Desktop Protocol (RDP) servers to the internet. If remote access is required, ensure that proper authentication mechanisms are in place and that access is restricted according to user roles.
- If you work from home, lock down and protect your RDP connections.
- Use strong passwords to resist brute-force attacks, and enable multi-factor authentication wherever possible.
- Use different passwords for different accounts (official and personal).
- Remember that Linux servers are targeted as well as Windows systems.
We also remind all internet users to update their software installations to the latest versions. The latest product versions are available to end users via one of the following methods:
- Users can update their product installations manually by choosing Help > Check for Updates.
- The products will update automatically, without requiring user intervention, when updates are detected; users are reminded to always restart their devices to apply the updates.
All internet users are also reminded to:
- Be security conscious online: phishing attacks are rampant and are currently the method most used by attackers to install malware on devices (phones and laptops) and steal sensitive personal and institutional information.
- Not provide personal information in response to unsolicited requests, and only enter personal information on sites that use https in the web address or show a lock icon (note that https protects the connection but does not by itself prove that the site is legitimate).
- Think before clicking on any link or attachment in emails or on the internet.
- Verify the sender's email address and the email subject carefully, and if you suspect you have received phishing bait, inform the IT team immediately.

Affected users should contact Rw-CSIRT: call 4045 or write to security@risa.gov.rw

References (ransomware details):
https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors
https://www.bankinfosecurity.com/tycoon-ransomware-targets-windows-linux-systems-report-a14395
https://threatpost.com/tycoon-ransomware-unusual-image-file-tactic/156326/