Catastrophic OPSEC (Operational Security) Failures
Nokoyawa
One of the newer ransomware groups on the block, Nokoyawa resembles the Karma ransomware operation.
Once this group has breached a network, it encrypts the contents and leaves a ransom note for the system administrators containing the address of its Tor site. This is where the victim can chat with the ransomware affiliates and try to negotiate for the decryption key.
Looking at the Tor URL, the id= parameter appears to be a unique identifier for each victim they attack.
hxxp://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd[.]onion/pay?id=qruytnwpfyfjozignatcmtblnhtcqgaa
Victims visiting the chat window are offered a way to upload their encrypted files, and the threat actor decrypts one or two of them as proof that their decryption method works.
The ransomware affiliate(s) who set up the web portal made major security mistakes that blow their cover.
Blast from the past, 1999, Directory Traversal
Looking at the URL of the shared files, we see that the link has several query parameters.
download?id=qruytnwpfyfjozignatcmtblnhtcqgaa&file=gbrberodgkmsqplz.NOKOYAWA&type=download_upload
Tampering with the file= parameter lets one test for directory traversal:
download?id=qruytnwpfyfjozignatcmtblnhtcqgaa&file=../../../../etc/passwd&type=download_upload
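To make the failure concrete, here is an added example (not code from the original post, and not the gang's portal code) of a minimal download handler: one version joins the file= parameter onto the upload directory the way the traversal above suggests the portal does, and one resolves the path and refuses anything that escapes the directory. The upload directory and function names are assumptions for illustration.

```python
"""
Added example (not from the original post): a minimal model of the
download?file=... handler, showing why "../../../../etc/passwd" walks
out of the upload directory and how a contained handler refuses it.
UPLOAD_DIR and the function names are assumptions for illustration.
"""
import os
from typing import Optional

# Assumed location of victim uploads on the portal host (hypothetical).
UPLOAD_DIR = "/srv/portal/uploads"


def vulnerable_resolve(upload_dir: str, file_param: str) -> str:
    """Naive join: every "../" in file_param climbs one directory, and an
    absolute file_param replaces upload_dir entirely (os.path.join semantics)."""
    return os.path.normpath(os.path.join(upload_dir, file_param))


def safe_resolve(upload_dir: str, file_param: str) -> Optional[str]:
    """Resolve both sides to absolute, symlink-free paths and require the
    target to stay strictly inside upload_dir. Returns None on refusal."""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, file_param))
    # commonpath collapses to root only when target lies under root;
    # target == root would be the directory itself, which is not a file.
    if target == root or os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    for param in ("gbrberodgkmsqplz.NOKOYAWA", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{param!r:32} naive -> {vulnerable_resolve(UPLOAD_DIR, param)}")
        print(f"{'':32} safe  -> {safe_resolve(UPLOAD_DIR, param)}")
```

The check is done after realpath(), so "../" segments, a leading "/" and symlinks inside the upload directory are all resolved before the containment test; a prefix comparison on the raw string would not catch a symlink pointing at /etc or /var/log.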
De-Anonymization
Using the above request, we can have the web server traverse up past the web root and actually retrieve the /etc/passwd file. Note that /etc/passwd is world-readable on most Linux systems, so retrieving it proves the traversal works, but not by itself that the process has elevated privileges; what it shows is that the file= parameter is handed to the filesystem without any normalization or containment check, a basic mistake in how the gang configured and wrote the web portal.
The stronger signal is that /var/log/auth.log can be read through the same traversal: on Debian and Ubuntu that file is owned by root and readable only by root and the adm group, so the web server is potentially running as root, or at least in a privileged group, instead of as a dedicated low-privilege web server account.
De-anonymizing the operator is then as simple as pulling /var/log/auth.log* (including the rotated copies) and searching for successful remote logins, i.e. sshd's "Accepted password" / "Accepted publickey" lines, which record the source IP of every session.
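The search described above, as an added example that is not part of the original post: a parser that pulls the "Accepted ..." sshd lines out of auth.log files (including rotated .gz copies) and tallies the source addresses. The log lines embedded below are constructed samples using RFC 5737 documentation addresses, not data from the ransomware server.

```python
"""
Added example (not from the original post): extract successful sshd
logins from /var/log/auth.log* and count the source IPs. SAMPLE_LOG is
constructed for illustration and uses documentation addresses only.
"""
import glob
import gzip
import re
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

# sshd success lines on Debian/Ubuntu have this shape:
#   Mar  2 10:15:01 host sshd[1234]: Accepted publickey for root from 198.51.100.7 port 51822 ssh2: ...
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log (documentation addresses, not real evidence).
SAMPLE_LOG = """\
Mar  2 10:15:01 portal sshd[1234]: Accepted publickey for root from 198.51.100.7 port 51822 ssh2: RSA SHA256:abc
Mar  2 10:15:09 portal sshd[1250]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar  2 11:02:44 portal sshd[1301]: Accepted password for root from 203.0.113.45 port 40112 ssh2
Mar  3 08:00:12 portal sshd[1402]: Accepted publickey for root from 198.51.100.7 port 51900 ssh2: RSA SHA256:abc
Mar  3 08:01:00 portal CRON[1410]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  4 19:30:31 portal sshd[1555]: Accepted publickey for root from 198.51.100.7 port 52001 ssh2: RSA SHA256:abc
"""


def successful_logins(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, user, method) for every accepted sshd login; failed
    attempts and non-sshd lines are ignored."""
    hits = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("user"), m.group("method")))
    return hits


def login_sources(lines: Iterable[str]) -> Counter:
    """Count successful logins per source IP, most frequent first via most_common()."""
    return Counter(ip for ip, _, _ in successful_logins(lines))


def read_auth_logs(pattern: str = "/var/log/auth.log*") -> Iterator[str]:
    """Yield lines from every matching log, decompressing rotated .gz copies."""
    for path in sorted(glob.glob(pattern)):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            for line in fh:
                yield line.rstrip("\n")


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_auth_logs() for real files.
    for ip, count in login_sources(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip:16} {count} successful login(s)")
```

Only the "Accepted" lines are counted; brute-force "Failed password" noise from unrelated scanners would otherwise drown out the handful of addresses the operator actually logs in from.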
Looking at the above picture, we can see that there are two main IP addresses used by the admin of the ransomware server:
- 5.230.29[.]12
- 176.119.0[.]195
Looking deeper into these IP addresses, we can determine that they belong to GHOSTnet GmbH, a Virtual Private Server (VPS) provider.
Cyber criminals normally use such VPS servers as a network proxy, or a bouncing-off point, to mask their true location.
It is important to note that the 176 address belongs to AS58271, which is listed under Tyatkove Oksana Valerievna. It is possible that the operator forgot to use the VPS to mask their IP and instead connected directly to the server, exposing their actual location.
Administrative Login Portal
Lastly, we can see that there is an administrative login panel for the server. Through credential disclosure, an external attacker could take control of this ransomware infrastructure once they log in successfully.