InfoSec News Highlights - EXTRABACON ASA Exploit Updated, Malware on WikiLeaks, and New Ransomware Based on EDA2
The EXTRABACON exploit from the Shadow Brokers dump has been ported to the latest versions of Cisco's ASA. You may recall that EXTRABACON exploits a buffer overflow vulnerability in the SNMP service on the firewalls; the attacker does need to know the SNMP community string, though. Luckily, Cisco started publishing fixes yesterday.
Beware of what you are downloading from WikiLeaks. A recent review of the documents hosted by WikiLeaks has revealed that the site is hosting over 300 confirmed pieces of malware. It seems that if WikiLeaks had, at a minimum, run a simple virus scan of the dumps before uploading them, more than 80 percent of the malware could have been purged.
New Ransomware Based on EDA2
We're seeing at least two new malware variants this week based on the open source ransomware code EDA2. The first, Fantom, disguises itself as a Windows update, displaying a fake Windows Update screen while it runs. Exiting the update closes the fake window, but the encryption process continues to run in the background. Fantom creates two batch files that are executed when the encryption is finished; they delete the shadow volume copies and the fake Windows Update executable. Encrypted files are given the .fantom extension, and a ransom note is left in each directory it hits. The authors, unfortunately for us, updated the code so that the usual methods of recovering the keys for EDA2-based ransomware won't work. The second piece of ransomware is a bit more tongue in cheek. Avira identified the new malware after it was uploaded to VirusTotal. It uses the graphics of fsociety from the popular show Mr. Robot on the USA Network.
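The Fantom behaviour described above (files renamed with the .fantom extension, a note dropped in each hit directory, batch files that remove shadow volume copies and the fake updater) can be turned into a simple host-side check. This is an added example, not code from the write-up; the command patterns, the per-directory threshold and all sample paths are assumptions or constructed data.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

FANTOM_EXT = ".fantom"
# Assumed command patterns: the write-up says the batch files delete shadow
# volume copies but does not say which commands they use.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
MIN_HITS_PER_DIR = 3  # assumed threshold before a directory counts as hit


def find_hit_directories(paths, min_hits=MIN_HITS_PER_DIR):
    """Return {directory: count} for directories holding >= min_hits .fantom files."""
    counts = Counter(
        str(PurePosixPath(p).parent) for p in paths if p.lower().endswith(FANTOM_EXT)
    )
    return {d: n for d, n in counts.items() if n >= min_hits}


def find_shadow_delete_batches(batch_files):
    """Return names of .bat/.cmd files whose content deletes shadow copies."""
    return sorted(
        name for name, body in batch_files.items()
        if name.lower().endswith((".bat", ".cmd")) and SHADOW_DELETE_RE.search(body)
    )


def assess(paths, batch_files):
    """Combine both indicators; both present together is the Fantom pattern."""
    hit_dirs = find_hit_directories(paths)
    batches = find_shadow_delete_batches(batch_files)
    return {
        "hit_directories": hit_dirs,
        "shadow_delete_batches": batches,
        "likely_fantom": bool(hit_dirs) and bool(batches),
    }


# Constructed sample input (not real Fantom artifacts); note name is a placeholder.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx.fantom",
    "C:/Users/alice/Documents/budget.xlsx.fantom",
    "C:/Users/alice/Documents/notes.txt.fantom",
    "C:/Users/alice/Documents/RANSOM_NOTE_PLACEHOLDER.html",
    "C:/Users/alice/Pictures/holiday.jpg",  # untouched file
]
SAMPLE_BATCHES = {
    "C:/Users/alice/AppData/Local/Temp/cleanup.bat":
        'vssadmin Delete Shadows /All /Quiet\r\ndel "%TEMP%\\FakeUpdate.exe"\r\n',
    "C:/Users/alice/AppData/Local/Temp/harmless.bat": "echo done\r\n",
}

if __name__ == "__main__":
    print(assess(SAMPLE_PATHS, SAMPLE_BATCHES))
```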