Cyberthreat Intelligence Feed
One of the hot conversations on the dark web right now is the Princess Ransomware Retaliation, which is being cooked up through a RaaS (Ransomware as a Service) portal.
It is coded in procedural C and is designed to damage both desktop and server editions of the Windows operating system. The file size will not exceed 300 KB. Rapid encryption uses the AES algorithm on every connected disk medium.
The ransomware replaces the extensions of all processed files with a random 4-6 character value. Once files are encrypted, it connects to the Command & Control (C2) server and generates a unique BTC address for ransom payment for each individual infection.
It is fully undetectable, with absolute scan-time purity that bypasses most proactive protections, including the latest "Next-Gen" antimalware of 2018. It is an upgrade of the 2016 version and appears to be more destructive.
Next Action Plan
Gather information on the latest version, and hopefully obtain a sample file for an IOC hash, for the proactive defense of the community.
Source Credit: Layer 5 of the Web
Security Risk: MEDIUM
Exploit Title: mySCADA myPRO 7 - Hardcoded FTP Username and Password
Exploit Author: Emre ÖVÜNÇ
Vendor Homepage: https://www.myscada.org/mypro/
Software Link: https://www.myscada.org/download/
Tested on: Linux, Windows
I. Problem Description
In the latest version of myPRO (v7), it was discovered through reverse engineering that the username and password for the FTP server (running on port 2121) are kept in a file. Anyone who connects to the FTP server with this authorized account can upload or download files on the server running the myPRO software.
Hardcoded username:password = myscada:Vikuk63
To find out which ports myPRO listens on, the author used the netstat command, which shows the open ports and the services running on them. When you install myPRO, you can see many ports open. The vulnerability works on all supported platforms.
In his first research on the Windows OS, myPRO had many processes, and he noticed that 'myscadagate.exe' was listening on port 2121.
The author found that the username and password (myscada:Vikuk63) are hardcoded in the source code. He was able to obtain access by connecting to port 2121 of the myPRO server with any FTP client.
As a workaround, restrict access to port 2121 from the outside. There is no permanent solution from the vendor because no patch is available.
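As an added example (not code from the advisory or the vendor), the following defender-side check parses `netstat -ano` style output together with a PID-to-process map, as the advisory describes, and flags any listener on port 2121 that is bound to all interfaces and is therefore reachable from outside; the netstat lines, PIDs and process names are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Windows `netstat -ano` output and a PID->process map,
# mimicking the myscadagate.exe listener on port 2121 from the advisory.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.10:445       192.168.1.20:50122     ESTABLISHED     4
  TCP    [::]:2121              [::]:0                 LISTENING       4120
"""
SAMPLE_PIDS = {4120: "myscadagate.exe", 4: "System"}  # constructed

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+\S+\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)
ANY_ADDR = {"0.0.0.0", "[::]"}  # wildcard binds: reachable on every interface


def split_local(local: str) -> Tuple[str, int]:
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def find_exposed_listeners(netstat_text: str, pids: Dict[int, str], port: int = 2121) -> List[dict]:
    """Return every LISTENING socket on `port`, marking wildcard-bound ones as exposed."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "LISTENING":
            continue
        addr, lport = split_local(m.group("local"))
        if lport != port:
            continue
        pid = int(m.group("pid"))
        findings.append({
            "addr": addr, "port": lport, "pid": pid,
            "process": pids.get(pid, "unknown"),
            "exposed": addr in ANY_ADDR,
        })
    return findings


if __name__ == "__main__":
    for f in find_exposed_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        flag = "EXPOSED" if f["exposed"] else "local-only"
        print(f"{f['process']} (pid {f['pid']}) listens on {f['addr']}:{f['port']} [{flag}]")
```

Run it against real `netstat -ano` output on a myPRO host; any "EXPOSED" hit means the hardcoded FTP account is reachable from outside and the port 2121 restriction from the workaround is not in place.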
Source: Layer 5 of the Web