Threat Signal Report

Joint CyberSecurity Advisory Alert on AvosLocker Ransomware

Description

FortiGuard Labs is aware that a joint advisory on AvosLocker malware was recently issued by the Federal Bureau of Investigation (FBI) and the US Department of Treasury. AvosLocker is a Ransomware-as-a-Service (RaaS) that has targeted organizations across multiple critical infrastructure sectors in the United States. The targeted sectors include financial services, critical manufacturing, and government facilities organizations. Other AvosLocker victims are in multiple countries throughout the world.


Why is this Significant?

This is significant because the joint advisory indicates that organizations across multiple critical infrastructure sectors in the United States were targeted by AvosLocker ransomware. The advisory calls out vulnerabilities that the ransomware group exploited, which companies need to consider patching as soon as possible.


What is AvosLocker?

AvosLocker ransomware targets Windows and Linux systems and was first observed in late June 2021. As a Ransomware-as-a-Service offering, AvosLocker is advertised on a number of Dark Web communities, recruiting affiliates (partners) and access brokers. After breaking into a target and locating accessible files on the victim network, AvosLocker exfiltrates data, encrypts the files with AES-256, and leaves a ransom note named "GET_YOUR_FILES_BACK.txt". Some of the known file extensions that AvosLocker adds to the files it encrypts are ".avos", ".avos2", and ".avoslinux".
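As an added triage example (not code from the FortiGuard report), the Python below walks a directory tree and flags files carrying the appended extensions and the ransom-note name listed above, giving a responder a per-directory scope of what was touched. The sample tree it builds is constructed, not real victim data, and the function names are my own.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the report above: appended extensions and the note name.
ENCRYPTED_EXTENSIONS = {".avos", ".avos2", ".avoslinux"}
RANSOM_NOTE = "GET_YOUR_FILES_BACK.txt"


def classify(name):
    """Return 'note', 'encrypted' or None for one file name."""
    if name.lower() == RANSOM_NOTE.lower():
        return "note"
    # AvosLocker appends its extension, so only the last suffix is checked.
    if os.path.splitext(name)[1].lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    return None


def scan_tree(root):
    """Walk root; collect encrypted files, ransom notes and per-directory counts."""
    result = {"encrypted": [], "notes": [], "per_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind = classify(fname)
            full = os.path.join(dirpath, fname)
            if kind == "encrypted":
                result["encrypted"].append(full)
                result["per_dir"][os.path.relpath(dirpath, root)] += 1
            elif kind == "note":
                result["notes"].append(full)
    return result


def build_sample_tree():
    """Constructed sample tree (no real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="avos_triage_")
    layout = ["finance/q1.xlsx.avos", "finance/GET_YOUR_FILES_BACK.txt",
              "hr/report.docx.avos2", "hr/readme.txt", "srv/db.sql.avoslinux"]
    for rel in layout:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder bytes, not real content
    return root

if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(len(report["encrypted"]), "encrypted files,", len(report["notes"]), "ransom notes")
```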


On top of leaving a ransom note demanding payment to recover the encrypted files and to keep the stolen information from being disclosed publicly, some AvosLocker victims were reported to have received phone calls from an AvosLocker attacker pressuring them to go to the payment site for negotiation. Some victims also received an additional threat that the attacker would launch Distributed Denial-of-Service (DDoS) attacks against them.


AvosLocker's leak site, called "press release", lists the victims along with a description of each.



How Widespread is AvosLocker Ransomware?

The advisory indicates that AvosLocker's known victims are "in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, United Arab Emirates, United Kingdom, Canada, China, and Taiwan".



What Vulnerabilities are Exploited by AvosLocker?

The advisory states that "multiple victims have reported on premise Microsoft Exchange Server vulnerabilities as the likely intrusion vector". Those vulnerabilities include CVE-2021-26855 and ProxyShell, an exploit chain involving three Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. A path traversal vulnerability in the FortiOS SSL-VPN web portal (CVE-2018-13379) was also reported to have been exploited by the AvosLocker group.


FortiGuard Labs previously posted a Threat Signal on ProxyShell; see the Appendix for a link to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell".


FortiGuard Labs released a patch for CVE-2018-13379 in May 2019. For additional information, see the Appendix for links to "Malicious Actor Discloses FortiGate SSL-VPN Credentials" and "The Art of War (and Patch Management)" on the importance of patch management.


What Tools is AvosLocker Known to Utilize?

The advisory references the following tools:

  • Cobalt Strike
  • Encoded PowerShell scripts
  • PuTTY Secure Copy client tool "pscp.exe"
  • Rclone
  • AnyDesk
  • Scanner
  • Advanced IP Scanner
  • WinLister


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against known samples of AvosLocker ransomware:

W32/Cryptor.OHU!tr.ransom

W32/Filecoder.OHU!tr.ransom

ELF/Encoder.A811!tr.ransom

Linux/Filecoder_AvosLocker.A!tr

PossibleThreat


FortiGuard Labs provides the following AV coverage against ProxyShell:

MSIL/proxyshell.A!tr

MSIL/proxyshell.B!tr


FortiGuard Labs provides the following IPS coverage against CVE-2021-26855, ProxyShell, and CVE-2018-13379:

MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)

MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)

MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)

MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)

FortiOS.SSL.VPN.Web.Portal.Pathname.Information.Disclosure (CVE-2018-13379)


FortiGuard Labs provides the following IPS coverage against Cobalt Strike:

Backdoor.Cobalt.Strike.Beacon


All network IOCs are blocked by the Web Filtering client.


Definitions

Traffic Light Protocol

Each TLP color below is defined by when it should be used and how information marked with it may be shared.

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.