Lilu (also known as Lilocked), a new strain of ransomware, has now infected thousands of Linux servers since mid-July.
Chris Gerritz, the co-founder of Infocyte, a pioneer in proactive threat detection and incident response, is available to comment on these attacks. Chris, the U.S. Air Force CERT's former chief of defensive counter-cyber operations, notes:
- “The ransomware itself is not different from other versions of ransomware like Ryuk except that it targets Linux-based servers and locks files with the .lilocked extension (hence the name). The 6,000 servers reported as affected were reported by Google simply because Google had indexed .lilocked files on 6,000 public web servers. As a result, it is assumed there are many more affecting and being affected.
- The entry vector is still unconfirmed, but there are several severe vulnerabilities that were reported recently in the sub-components of all these web servers. In particular, a vulnerability in the Exim Email Transfer Agent used by 57% of all websites (over 519K web servers). Such a vulnerability was found earlier this year and used by hackers nearly immediately. This latest one, CVE-2019-15846, reported on September 2, 2019, allows a remote attacker to execute programs (like Lilocked ransomware) with root privileges.
- “If your Exim server accepts TLS connections, it is vulnerable” – CVE-2019-15846 (2019-09-02) https://exim.org/static/doc/security/CVE-2019-15846.txt
- “Just three months ago, Exim also patched a severe remote command execution vulnerability, tracked as CVE-2019-10149, that was actively exploited in the wild by various groups of hackers to compromise vulnerable servers.” – https://thehackernews.com/2019/09/exim-email-server-vulnerability.html
- Even though a patch has been made available, we will see many more compromises like this using this vulnerability. Because the vulnerability allows any arbitrary program to be run by a hacker, web server admins should inspect their servers for backdoors as well, which won't be as visible as this ransomware.”
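The commentary above boils down to three questions an admin can answer on the box: is the installed Exim old enough to be exposed to CVE-2019-10149 and CVE-2019-15846, does it advertise TLS (the precondition the Exim advisory names for CVE-2019-15846), and are .lilocked files already present under the web root. The POSIX shell script below is an added example written for this page; it is not code from the page, from Infocyte or from the Exim project. The fix versions it encodes (4.92 for CVE-2019-10149, 4.92.2 for CVE-2019-15846) are the editor's knowledge and are not stated on the page, the parsing of `exim -bV` and `exim -bP tls_advertise_hosts` output assumes the usual formats of those commands, and every sample string in the block is constructed for illustration.

```shell
#!/bin/sh
# lilu_triage.sh: triage checks for the Exim CVEs discussed above and for
# .lilocked files. Added example, not from the page or Infocyte.
# Assumption (editor's knowledge, not on the page): CVE-2019-10149 was fixed
# in Exim 4.92 and CVE-2019-15846 in 4.92.2, so anything below 4.92.2 is exposed.
PATCHED_EXIM="4.92.2"

# vfield VERSION N: Nth dotted component of VERSION; absent components read as 0
# (".0.0" is appended so "4.92" yields 0 for the third field instead of junk).
vfield() { printf '%s\n' "$1.0.0" | cut -d. -f"$2"; }

# version_ge A B: succeeds when dotted version A is >= B, comparing three fields.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(vfield "$1" "$i"); b=$(vfield "$2" "$i")
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# exim_version_from_bv TEXT: pull "4.92.2" out of `exim -bV` output, whose
# first line is assumed to look like "Exim version 4.92.2 #1 built ...".
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# assess_exim TEXT: prints "patched", "exposed" or "unknown" for `exim -bV` output.
assess_exim() {
    v=$(exim_version_from_bv "$1")
    if [ -z "$v" ]; then printf 'unknown\n'; return 0; fi
    if version_ge "$v" "$PATCHED_EXIM"; then printf 'patched\n'; else printf 'exposed\n'; fi
}

# exim_advertises_tls TEXT: succeeds when `exim -bP tls_advertise_hosts` output
# (assumed form "tls_advertise_hosts = *") has a non-empty host list, i.e. the
# server accepts STARTTLS and so meets the advisory's "accepts TLS" condition.
exim_advertises_tls() {
    val=$(printf '%s\n' "$1" | sed -n 's/^tls_advertise_hosts *= *//p')
    [ -n "$val" ]
}

# count_lilocked DIR: number of regular files under DIR with the .lilocked extension.
count_lilocked() {
    find "$1" -type f -name '*.lilocked' 2>/dev/null | wc -l | tr -d ' '
}

# Live run only when a web root is given: sh lilu_triage.sh /var/www
if [ -n "${1:-}" ]; then
    if command -v exim >/dev/null 2>&1; then
        bv=$(exim -bV 2>/dev/null || true)
        printf 'exim: %s (version %s, need >= %s)\n' \
            "$(assess_exim "$bv")" "$(exim_version_from_bv "$bv")" "$PATCHED_EXIM"
        if exim_advertises_tls "$(exim -bP tls_advertise_hosts 2>/dev/null || true)"; then
            printf 'exim: TLS is advertised; CVE-2019-15846 precondition met\n'
        else
            printf 'exim: TLS not advertised\n'
        fi
    else
        printf 'exim: not found on PATH\n'
    fi
    printf '.lilocked files under %s: %s\n' "$1" "$(count_lilocked "$1")"
fi
```

The version check is deliberately on the Exim binary rather than the distribution package name, because backported security fixes on some distributions keep an older package version while a vendor build of an unpatched upstream can carry a newer one; treat "exposed" as "verify against your distribution's advisory" rather than as proof of compromise, and treat a non-zero .lilocked count as a reason to start incident response, not just to restore from backup, since the same code execution path can have left a persistent backdoor.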