Rewterz Threat Advisory – Netwalker Exploits Vulnerabilities to Target Corporate Networks

Severity

High

Analysis Summary

NetWalker (also known as Mailto) is the name given to a sophisticated family of Windows ransomware that has targeted corporate computer networks, encrypting the files it finds, and demanding that a cryptocurrency payment is made for the safe recovery of the encrypted data. Discovered in August 2019, NetWalker has gathered all the attention required to scare off corporate clients and has been targeting organizations in targeted attacks. NetWalker operates as a closed-access RaaS — ransomware-as-a-service portal. Different groups and hackers sign up and go through a vetting process, after which they are granted access to a web portal where they can build custom versions of the ransomware.

Tools Used By NetWalker

• LaZagne
• Mimikatz
• NetWalker
• NL Brute
• PsExec
• pwdump
• SoftPerfect Network Scanner
• TeamViewer
• Windows Credential Editor

Vulnerabilities Exploited By NetWalker 

CVE-2020-0796

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

CVE-2019-11510

A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

CVE-2015-1701

Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka “Win32k Elevation of Privilege Vulnerability.

CVE-2019-18935

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. 

CVE-2019-1458

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2017-0213

Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when an attacker runs a specially crafted application, aka “Windows COM Elevation of Privilege Vulnerability.

Impact

• Remote code execution
• Files encryption
• Privilege escalation

Remediation

• Organizations should have signatures deployed in their IDS/IPS or EDR against these tools.
• Block the IoCs related to NetWalker ransomware. Find the latest IoCs Here and Here.
• Immediately update all vulnerable products to protected versions.