Joint CyberSecurity Advisory Alert on AvosLocker Ransomware

Description

FortiGuard Labs is aware that a joint advisory on AvosLocker malware was recently issued by the Federal Bureau of Investigation (FBI) and the US Department of Treasury. AvosLocker is a Ransomware-as-a-Service (RaaS) that has targeted organizations across multiple critical infrastructure sectors in the United States. The targeted sectors include financial services, critical manufacturing, and government facilities organizations. Other AvosLocker victims are in multiple countries throughout the world.


Why is this Significant?

This is significant because the joint advisory indicates that organizations across multiple critical infrastructure sectors in the United States were targeted by AvosLocker ransomware. The advisory calls out vulnerabilities that the ransomware group exploited, which companies need to consider patching as soon as possible.


What is AvosLocker?

AvosLocker ransomware targets Windows and Linux systems and was first observed in late June 2021. As Ransomware-as-a-Service, AvosLocker is advertised on a number of Dark Web communities, recruiting affiliates (partners) and access brokers. After breaking into a target and locating accessible files on the victim network, AvosLocker exfiltrates data, encrypts the files with AES-256, and leaves a ransom note "GET_YOUR_FILES_BACK.txt". Some of the known file extensions that AvosLocker adds to the files it encrypted are ".avos", ".avos2", and ".avoslinux".


On top of leaving a ransom note to have the victim pay in order to recover their encrypted files and to not have their stolen information disclosed to the public, some AvosLocker victims were reported to have received phone calls from an AvosLocker attacker. The calls threatened the victim to go to the payment site for negotiation. Some victims also received an additional threat that the attacker would launch Distributed Denial-of-Service (DDoS) attacks against them.


AvosLocker's leak site is called "press release" where the victims are listed along with a description about them.



How Widespread is AvosLocker Ransomware?

The advisory indicates that AvosLocker's known victims are "in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, United Arab Emirates, United Kingdom, Canada, China, and Taiwan".



What Vulnerabilities are Exploited by AvosLocker?

The advisory states that "multiple victims have reported on premise Microsoft Exchange Server vulnerabilities as the likely intrusion vector". Those vulnerabilities include CVE-2021-26855 and ProxyShell, which is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Also, a path traversal vulnerability in the FortiOS SSL-VPN web portal was reported to have been exploited by the AvosLocker group.


FortiGuard Labs previously posted a Threat Signal on ProxyShell. See the Appendix for a link to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell" and


FortiGuard Labs released a patch for CVE-2018-13379 in May 2019. For additional information, see the Appendix for a link to "Malicious Actor Discloses FortiGate SSL-VPN Credentials", and "The Art of War (and Patch Management)" for the importance of patch management.


What Tools is AvosLocker Known to Utilize?

The advisory references the following tools:

  • Cobalt Strike
  • Encoded PowerShell scripts
  • PuTTY Secure Copy client tool "pscp.exe"
  • Rclone
  • AnyDesk
  • Scanner
  • Advanced IP Scanner
  • WinLister


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against known samples of AvosLocker ransomware:

W32/Cryptor.OHU!tr.ransom

W32/Filecoder.OHU!tr.ransom

ELF/Encoder.A811!tr.ransom

Linux/Filecoder_AvosLocker.A!tr

PossibleThreat


FortiGuard Labs provides the following AV coverage against ProxyShell:

MSIL/proxyshell.A!tr

MSIL/proxyshell.B!tr


FortiGuard Labs provides the following IPS coverage against CVE-2021-26855, ProxyShell, and CVE-2018-13379:

MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)

MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)

MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)

MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)

FortiOS.SSL.VPN.Web.Portal.Pathname.Information.Disclosure (CVE-2018-13379)


FortiGuard Labs provides the following IPS coverage against CobaltStrike:

Backdoor.Cobalt.Strike.Beacon


All network IOCs are blocked by the WebFiltering client.