
CVE-2017-0213: Iranian Hackers Target Insecure RDP Servers With Dharma Ransomware

Security researchers have discovered that a previously unknown hacking group from Iran is using an exploit for CVE-2017-0213 in attacks on exposed RDP servers, implanting Dharma ransomware on the compromised hosts. Dharma is one of the most widespread ransomware families, and new strains of it appear on a daily basis. These attacks are the latest in a long run of campaigns by different groups reusing this malware.

CVE-2017-0213 Exploit Used To Deliver Dharma Ransomware To RDP Servers

Security researchers have found that hacking groups operating from Iran are breaking into vulnerable RDP servers and then running an exploit for CVE-2017-0213 on them. RDP (Remote Desktop Protocol) services are used to establish remote interactive sessions and are widely relied on by support teams and employees logging on to company networks. CVE-2017-0213 is described by Microsoft as an elevation-of-privilege vulnerability in the Windows COM component; it is a local privilege-escalation flaw rather than a remote code execution bug, so it does not by itself give the attackers access to a server. On unpatched operating system versions it lets an attacker who already holds a low-privileged session run arbitrary code with elevated privileges.

The hackers have focused on delivering different strains of Dharma ransomware, and their activity has produced multiple security incidents around the world. The investigation attributes the groups behind them to Iran. The samples differ from group to group, but they follow the same behaviour sequence described below.


Dharma samples can be configured to modify system settings, install additional threats and process user data before the encryption step. They then encrypt the victim's files, append a preset extension to the affected files and drop text ransom notes. Through these notes the operators extort the victims into paying a ransom in cryptocurrency.

The ransom demands in this campaign range between 1 and 5 Bitcoin, which is low compared to similar campaigns. The research indicates that the likely entry method is automated: a network scan identifies hosts in the chosen ranges that expose RDP, a brute-force tool then tries credentials against them, and when a login succeeds the Dharma ransomware is deployed on the compromised host. The CVE-2017-0213 exploit comes into play after that login, to raise the privileges of the guessed account.
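As an added example (not code from the article or from the researchers it cites), the following Python script shows what the detection side of this attack chain looks like: it reads a constructed export of Windows Security events, counts failed RDP logons (EventID 4625, LogonType 10) per source address inside a sliding window, and escalates when a successful logon (EventID 4624) from the same address follows the burst, which is exactly the point at which this campaign deploys Dharma. The line format, the IP addresses, the account names and the 5-failures-in-5-minutes threshold are assumptions made for the example.

```python
"""Flag RDP credential brute-forcing in an exported Windows Security log.

Added example, not code from the original article or the campaign it describes.
Assumptions: events are exported one per line as
    <ISO timestamp>,<EventID>,<LogonType>,<source IP>,<target user>,<NT status>
(a constructed format; real exports from wevtutil, Sysmon or a SIEM differ).
Windows semantics relied on: EventID 4625 = failed logon, 4624 = successful
logon, LogonType 10 = RemoteInteractive (RDP / Terminal Services).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying host (203.0.113.7) that finally succeeds as
# "backup", one user who mistypes a password once (198.51.100.4), and one host
# hammering network logons (LogonType 3), which is noise for an RDP-only rule.
SAMPLE_LOG = """\
2020-06-01T02:00:01,4625,10,203.0.113.7,administrator,0xC000006D
2020-06-01T02:00:09,4625,10,203.0.113.7,admin,0xC000006D
2020-06-01T02:00:17,4625,10,203.0.113.7,administrator,0xC000006D
2020-06-01T02:00:25,4625,10,203.0.113.7,backup,0xC000006D
2020-06-01T02:00:33,4625,10,203.0.113.7,backup,0xC000006D
2020-06-01T02:00:41,4625,10,203.0.113.7,administrator,0xC000006D
2020-06-01T02:00:49,4624,10,203.0.113.7,backup,0x0
2020-06-01T08:15:02,4625,10,198.51.100.4,jsmith,0xC000006A
2020-06-01T08:15:20,4624,10,198.51.100.4,jsmith,0x0
2020-06-01T09:00:00,4625,3,192.0.2.9,svc_scan,0xC000006D
2020-06-01T09:00:02,4625,3,192.0.2.9,svc_scan,0xC000006D
2020-06-01T09:00:04,4625,3,192.0.2.9,svc_scan,0xC000006D
2020-06-01T09:00:06,4625,3,192.0.2.9,svc_scan,0xC000006D
2020-06-01T09:00:08,4625,3,192.0.2.9,svc_scan,0xC000006D
"""

RDP_LOGON_TYPE = 10
FAILED, SUCCESS = 4625, 4624


def parse_events(text):
    """Parse the line format above into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, event_id, logon_type, ip, user, status = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "logon_type": int(logon_type),
            "ip": ip,
            "user": user,
            "status": status,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for every IP with at least `threshold`
    failed RDP logons inside any sliding window of length `window`.

    A finding records the failure count, the distinct accounts tried (several
    accounts from one IP means spraying, not a user fumbling a password) and
    whether a successful RDP logon from the same IP followed the first
    failure. That last case is the "intrusion made" moment at which the
    campaign above drops Dharma, so it should page someone, not just log.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == RDP_LOGON_TYPE and ev["id"] in (FAILED, SUCCESS):
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["id"] == FAILED]
        # Sliding window over the sorted failure timestamps.
        start, burst = 0, False
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_failure = failures[0]["ts"]
        successes = [e for e in evs if e["id"] == SUCCESS and e["ts"] > first_failure]
        findings[ip] = {
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "success_after": bool(successes),
            "compromised_user": successes[0]["user"] if successes else None,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        level = "CRITICAL" if f["success_after"] else "WARNING"
        tail = f", then logged in as {f['compromised_user']}" if f["success_after"] else ""
        print(f"{level} {ip}: {f['failures']} failed RDP logons against {f['users']}{tail}")
```

On the constructed sample only 203.0.113.7 is reported, with six failures across three accounts and a subsequent success as "backup"; the single mistyped password and the LogonType 3 burst are left alone. In production the same logic is usually expressed as a SIEM correlation rule, and the successful-logon branch is the one worth an immediate response, because at that point the attacker is already a session away from running the privilege-escalation exploit and the ransomware payload.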


This campaign is another reminder to apply security patches promptly, especially operating system updates: Microsoft fixed CVE-2017-0213 in May 2017. Because the initial access here is a guessed RDP password rather than the exploit itself, patching alone is not enough. RDP should not be exposed directly to the internet, accounts need strong passwords and an account lockout policy, and Network Level Authentication should be enforced so that unauthenticated clients never reach the logon screen.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
