MalasLocker Ransomware Targets Zimbra Servers, Demands Charity Donation

Cyber Security Threat Summary:
“A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted. Numerous victims in the Zimbra forums report finding suspicious JSP files uploaded to the /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folders. These files were found under different names, including info.jsp, noops.jsp, and heartbeat.jsp [VirusTotal]. Startup1_3.jsp [VirusTotal], which BleepingComputer found, is based on an open-source webshell” (Bleeping Computer, 2023).
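A baseline-comparison check for the Zimbra webapp directories the victim reports mention, added here as an example (not code from the article, from Zimbra, or from any victim); it assumes a SHA-256 manifest of the .jsp files was captured from a known-clean install, and the demo uses constructed files in a temporary directory rather than a live server.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories named in the victim reports; assumes a standard Zimbra layout.
ZIMBRA_WEBAPP_DIRS = ["/opt/zimbra/jetty_base/webapps/zimbra",
                      "/opt/zimbra/jetty/webapps/zimbra/public"]

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def jsp_manifest(dirs) -> dict:
    # Map every .jsp path under the given directories to its SHA-256.
    manifest = {}
    for d in dirs:
        root = Path(d)
        if root.is_dir():
            for p in root.rglob("*.jsp"):
                manifest[str(p)] = sha256_file(p)
    return manifest

def find_jsp_anomalies(baseline: dict, dirs=ZIMBRA_WEBAPP_DIRS) -> dict:
    # Compare the live tree with a baseline from a known-clean install:
    # 'new' catches dropped files such as info.jsp or heartbeat.jsp; 'modified'
    # catches a legitimate JSP overwritten in place, which a name-only check misses.
    current = jsp_manifest(dirs)
    return {"new": sorted(p for p in current if p not in baseline),
            "modified": sorted(p for p in current
                               if p in baseline and current[p] != baseline[p])}

def run_demo() -> dict:
    # Constructed scenario in a temporary directory so the check runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public"
        root.mkdir()
        (root / "login.jsp").write_text("<%-- constructed legitimate page --%>")
        baseline = jsp_manifest([str(root)])
        (root / "heartbeat.jsp").write_text("<%-- constructed unexpected upload --%>")
        (root / "login.jsp").write_text("<%-- constructed: same name, new content --%>")
        result = find_jsp_anomalies(baseline, [str(root)])
        return {k: [Path(p).name for p in v] for k, v in result.items()}
```

On a real host, run `jsp_manifest(ZIMBRA_WEBAPP_DIRS)` once on a clean install, store the result, and compare against it during triage.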

Unlike other ransomware strains, MalasLocker does not append a file extension to encrypted files. Instead, it appends the message “This file is encrypted, look for README.txt for decryption instructions.” README.txt is the ransom note left behind by the strain. MalasLocker’s ransom note contains either an email address for contacting the threat actors or a TOR URL that lists the group’s current email address. “The note also has a Base64 encoded text section at the bottom that is required to receive a decryptor, which we will go into more detail later in the article. While the ransom notes do not contain a link to the ransomware gang’s data leak site, Emsisoft threat analyst Brett Callow found a link to their data leak site, having the title, ‘Somos malas... podemos ser peores,’ translated to, ‘We are bad... we can be worse’” (Bleeping Computer, 2023).

The data leak site currently holds stolen data for three victim companies and the Zimbra configuration for 169 other organizations/individuals.

Security Officer Comments:
It is unclear how the actors are gaining access to Zimbra servers. This could be due to the group exploiting known vulnerabilities in Zimbra, which is a common tactic among ransomware gangs. As of writing, researchers have yet to uncover the encryptor used by MalasLocker. They did note that the Base64 encoded block inside the ransom note decodes to an Age encryption tool header, which is required to decrypt a victim’s private decryption key.

“The Age encryption tool was developed by Filippo Valsorda, cryptographer and Go security lead at Google, and uses the X25519 (an ECDH curve), ChaCha20-Poly1305, and HMAC-SHA256 algorithms. This is an uncommon encryption method, with only a few ransomware operations using it, and all of them not targeting Windows devices” (Bleeping Computer, 2023).
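An added example, not from the article, showing how a responder can check whether a ransom note's trailing Base64 block decodes to an age header and which recipient stanza types it carries. It assumes the block sits at the bottom of README.txt as the article describes; the note text, contact address and key bytes are constructed placeholders, not values from any real MalasLocker note.

```python
import base64
import re

AGE_MAGIC = "age-encryption.org/v1"
B64_LINE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")
_b64 = lambda b: base64.b64encode(b).decode().rstrip("=")  # age uses unpadded Base64

# Constructed sample in age's header layout: version line, one X25519 recipient
# stanza (header line plus body line), then the MAC line. The byte values are
# placeholders, not material from any real note.
SAMPLE_AGE_HEADER = "\n".join([AGE_MAGIC, "-> X25519 " + _b64(b"\x11" * 32),
                               _b64(b"\x22" * 32), "--- " + _b64(b"\x33" * 32)]) + "\n"
# Constructed ransom note: text first, Base64 block at the bottom, as the article describes.
SAMPLE_NOTE = ("This file is encrypted, look for README.txt for decryption instructions.\n"
               "Contact: placeholder@example.invalid\n\n"
               + base64.b64encode(SAMPLE_AGE_HEADER.encode()).decode() + "\n")

def extract_base64_block(note: str):
    # Trailing run of Base64-looking lines, joined; None when the note has no such block.
    lines = [ln.strip() for ln in note.splitlines() if ln.strip()]
    block = []
    for ln in reversed(lines):
        if not B64_LINE.match(ln):
            break
        block.append(ln)
    return "".join(reversed(block)) or None

def parse_age_header(raw: bytes):
    # age header: version line, '-> TYPE args' stanzas with wrapped body, '--- mac' line.
    lines = raw.decode("ascii", errors="replace").split("\n")
    if lines[0] != AGE_MAGIC:
        return None
    stanzas, i = [], 1
    while i < len(lines) and lines[i].startswith("-> "):
        args = lines[i][3:].split(" ")
        body, i = [], i + 1
        while i < len(lines) and not lines[i].startswith(("-> ", "--- ")):
            body.append(lines[i])
            i += 1
        stanzas.append({"type": args[0], "args": args[1:], "body": "".join(body)})
    has_mac = i < len(lines) and lines[i].startswith("--- ")
    return {"version": AGE_MAGIC, "stanzas": stanzas, "has_mac": has_mac}

def triage_note(note: str):
    # Decode the note's Base64 block; parsed age header, or None if absent or not age.
    block = extract_base64_block(note)
    try:
        return parse_age_header(base64.b64decode(block, validate=True)) if block else None
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
```

The parsed header tells you only which recipient mechanism the attacker used (here an X25519 stanza); without the corresponding identity the payload cannot be decrypted, which is why the block must be preserved intact for any later recovery.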

Suggested Correction(s):
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly:
This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan:
There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work:
Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks:
There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.bleepingcomputer.com