Security researchers have discovered that a previously unknown attack group operating from Iran is breaking into exposed RDP servers and using the CVE-2017-0213 exploit to gain elevated privileges before deploying Dharma ransomware. Dharma is one of the most widespread ransomware families, with new variants appearing almost daily, and this campaign is one more example of criminal groups adopting it for their own operations.
CVE-2017-0213 Exploit Used To Deliver Dharma Ransomware To RDP Servers
Security researchers have discovered that attack groups originating from Iran are targeting vulnerable RDP servers. RDP (Remote Desktop Protocol) is the Windows service used to establish a remote interactive session; it is widely used by support teams and employees who log on to company networks from outside. The vulnerability involved is tracked as CVE-2017-0213, which Microsoft describes as an elevation-of-privilege issue in the Windows COM component. It is a local flaw, not a remote one: the attackers first obtain a low-privileged session on the RDP server, and on unpatched Windows versions the exploit then lets them run arbitrary code with elevated privileges.
The attackers have focused on delivering different strains of the Dharma ransomware, and the campaign has been linked to multiple security incidents around the world. The investigation attributes the activity to groups operating from Iran. The samples vary from incident to incident, but they follow the same behaviour sequence described below.
Dharma ransomware samples can be configured to modify system settings, install additional malware and process user data. Finally they encrypt the victim's files, append a predefined extension to each affected file and drop a text ransom note; through this note the attackers extort the victims into paying in cryptocurrency.
The ransom demands in this campaign range between 1 and 5 Bitcoin, which is low compared to similar campaigns. The research indicates that initial access is gained through an automated network attack: a scanner identifies hosts in the selected networks that expose RDP, a brute-force tool then tries credentials against them, and once a logon succeeds the Dharma payload is delivered automatically.
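An entry pattern like this leaves a distinctive trace in the Windows Security log: a burst of failed RemoteInteractive logons (EventID 4625, LogonType 10) from one source address, followed by a successful one (EventID 4624) from the same address. The following detector is an added example written for this article, not code from the researchers or from any product; the log records it runs over are constructed for the demonstration, and the field layout, threshold and window size are assumptions a real deployment would tune.

```python
"""Flag RDP brute forcing from Windows Security log records (added example).

Records are modelled on Windows Security events 4625 (failed logon) and
4624 (successful logon); LogonType 10 is RemoteInteractive, i.e. an RDP
session. The sample records below are constructed, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (timestamp, EventID, LogonType, source IP, target user) - constructed data
SAMPLE_EVENTS = [
    ("2019-03-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-03-01T02:00:06", 4625, 10, "203.0.113.7", "admin"),
    ("2019-03-01T02:00:11", 4625, 10, "203.0.113.7", "backup"),
    ("2019-03-01T02:00:16", 4625, 10, "203.0.113.7", "support"),
    ("2019-03-01T02:00:21", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-03-01T02:00:26", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-03-01T02:00:40", 4624, 10, "203.0.113.7", "administrator"),
    # A LogonType 3 (network/SMB) failure from the same host is not RDP
    # and is deliberately ignored by this detector.
    ("2019-03-01T02:01:00", 4625, 3, "203.0.113.7", "administrator"),
    # A user mistyping a password twice and then logging in: not reported.
    ("2019-03-01T08:15:00", 4625, 10, "198.51.100.4", "jsmith"),
    ("2019-03-01T08:15:20", 4625, 10, "198.51.100.4", "jsmith"),
    ("2019-03-01T08:15:45", 4624, 10, "198.51.100.4", "jsmith"),
]


def parse_event(record):
    """Turn one constructed tuple into a dict with a parsed timestamp."""
    ts, event_id, logon_type, src_ip, user = record
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "src_ip": src_ip, "user": user}


def detect_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Return findings for source IPs that produce >= threshold RDP logon
    failures inside a sliding time window, plus any later RDP success from
    such an IP (the point at which a brute-force tool would drop the payload).
    threshold and window are assumed values; tune them to the environment."""
    recent_failures = defaultdict(deque)   # src_ip -> failure timestamps in window
    flagged = set()
    findings = []
    for ev in sorted((parse_event(r) for r in records), key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            q = recent_failures[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"kind": "rdp_bruteforce", "src_ip": ip,
                                 "failures": len(q), "first": q[0], "last": q[-1]})
        elif ev["event_id"] == 4624 and ip in flagged:
            findings.append({"kind": "rdp_success_after_bruteforce", "src_ip": ip,
                             "user": ev["user"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The second finding kind is the one worth paging on: a success from an address that was just brute forcing is the moment the ransomware stage begins, so the host should be isolated before looking at anything else. Feeding the function real 4624/4625 records only requires mapping the log fields (IpAddress, LogonType, TargetUserName) onto the tuple layout used here.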
This campaign is a reminder that operating-system security patches should be applied promptly: the privilege-escalation step depends on a flaw that Microsoft fixed in 2017. Patching alone does not close the entry point, however. RDP that is exposed to the internet and protected only by guessable passwords will still be brute-forced, so the service should be kept off the public internet or behind a VPN, protected with strong credentials and account lockout, and monitored for bursts of failed logons.