An investigation into a ransomware incident on a Windows Server 2012 machine operating as an SFTP-only server revealed a complex attack that blended remote code execution, persistence tactics, and even a detour to a pornographic site.
The server in question was compromised due to a vulnerability in Telerik UI for ASP.NET AJAX, specifically CVE-2019-18935, which allows unauthenticated attackers to execute arbitrary files. This version lacked critical security updates and consequently permitted an attacker to upload malicious files.
Within the application logs, the first indicators of compromise emerged about twelve days after the first exploitation attempt. The attacker successfully uploaded a file named wondershare.tmp.tmp, later leading to the exploitation of a DLL fetching via PowerShell from a malicious domain.
The manipulation of Windows Defender exclusions effectively allowed the attacker full access to the file system without detection.
The attacker swiftly created a new local admin account named "Depeloyadmin" (noting the typo). To maintain persistence, they modified the Winlogon Userinit key to execute a rogue instance of userinit.exe from the temp folder. A firewall rule enabling RDP access was also established.
Approximately ten days later, the attacker revisited the server. They exploited the same Telerik vulnerability again, this time introducing Ngrok.exe for tunneling their connections, allowing for outbound traffic from the compromised system to an external server hidden behind a legitimate connection.
Upon regaining control, the attacker initiated a rapid encryption of files, effectively renaming thousands with a .sil3ncer extension. Ransom notes were dispersed across various directories, instructing the victim to contact them via Telegram for file decryption.
Evidence from browser history further hinted that, just before the ransomware execution began, the threat actor had visited Pornhub, possibly to obscure their tunneling traffic during the attack.
As a final measure, the attacker ran a cleanup script to erase traces of their presence, including the account they created, and logged off the remote session, leaving behind minimal logs for forensic analysis.
This case exemplifies how a known vulnerability can still provide a gateway for attackers if proper security hygiene is not maintained. Organizations should proactively manage their security posture to prevent similar incidents from occurring in the future.
Hudson Valley Host is premier provider of cutting-edge hosting solutions, specializing in delivering a seamless online experience for businesses and individuals. We offer a comprehensive range of hosting services, including Shared Hosting, VPS, Dedicated Servers, and Colocation. With 24/7 technical support, robust security measures, and user-friendly control panels, we empower clients in managing their online presence effortlessly. Hudson Valley Host is your trusted partner in achieving online success.
For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@hudsonvalleyhost.com.
