GOT(IT) #27: GandCrab ransomware campaign, Total Meltdown working exploit, plus the Drupalgeddon

A week of warnings! This time we have a recap full of flaws, exploits, and malware, so keep your eyes open and see what could affect your network.

GOT(IT) #27 is here with a lot of must-patch and must-keep-an-eye-out-for news. It’s the week of revivals. Remember the Drupal armageddon? The Meltdown exploit? What about GandCrab? Well, they are all back!

Spam Campaign Infects Victims with GandCrab Ransomware

The security company Fortinet found three new samples of the GandCrab ransomware, which are being distributed through a single massive spam phishing campaign.

The campaign’s strategy relies mostly on convincing users that they have received a payment receipt, tickets or an invoice ‘attached’ to the email itself.

However, what the recipient really gets is a JavaScript attachment which, when executed, downloads one of the three GandCrab variants. Targets range from US-based servers to Chilean and Indian ones; once infected, victims are directed to a Tor link where they can buy the decryption key to recover their files.

Unfortunately, unlike earlier GandCrab versions, there is no decryption tool available this time, so Fortinet suggests you keep an online backup of your data in case one of your users slips into the trap.


First Total Meltdown Exploit Bug Released


Meltdown and Spectre caused quite a ruckus in the processor industry, but after a few patches and security quick-fixes, everyone seems to have forgotten about them. Well, they shouldn’t!

Back then, Microsoft announced the fix as exactly that, a patch, and today we get to know why: it created a bigger problem that’s now being called Total Meltdown. Sounds scarier, right? Well, it is.

While Meltdown allowed unprivileged apps to read kernel memory, this new exploit enables any process to read and write any memory in the system. The researcher XPN shared working proof-of-concept code that successfully executes the exploit and posted it on GitHub.

This extremely dangerous exploit affects only Windows 7 and Server 2008 R2 64-bit systems that applied Microsoft’s Meltdown patches from January, February or March, but not the April one. What to do? Update! Get the April patches KB4093118 or KB4088881 on your systems ASAP.
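A quick way to find out whether a host is still in the Total Meltdown window, as an added example that is not part of the original post: it checks for the Windows 7 / Server 2008 R2 x64 combination and then for either of the April updates named above. It assumes local execution with rights to query WMI and the hotfix list; the function name is ours.

```powershell
# Added example, not from the original post. Reports whether this host is a
# Windows 7 / Server 2008 R2 x64 system lacking the April 2018 fix (KB4093118
# or KB4088881). The January-March patch IDs are not named in the post, so
# only the April fix is checked; a missing fix on an in-scope OS is flagged.
function Test-TotalMeltdownPatch {
    $aprilFixes = @('KB4093118', 'KB4088881')   # April 2018 updates from the post

    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Windows 7 and Server 2008 R2 both report NT version 6.1.
    $inScopeOs = ($os.Version -like '6.1.*') -and ($os.OSArchitecture -eq '64-bit')

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $present   = @($aprilFixes | Where-Object { $installed -contains $_ })

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        InScopeOs     = $inScopeOs
        AprilFixFound = ($present -join ', ')
        # Exposed only if the OS matches and neither April update is installed.
        Exposed       = $inScopeOs -and ($present.Count -eq 0)
    }
}

$result = Test-TotalMeltdownPatch
$result | Format-List
if ($result.Exposed) {
    Write-Warning "Install KB4093118 or KB4088881 on $($result.ComputerName)."
}
```

Run it per host, or wrap the function in `Invoke-Command` to sweep a fleet and collect the `Exposed` field.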


Drupal Code Execution Flaw Found, Again


The last month wasn’t great for Drupal at all. Three critical vulnerabilities were discovered in the last 30 days; as soon as one was patched, a new one popped up. It is time to, yet again, patch your websites.

A critical Remote Code Execution (RCE) vulnerability has been discovered while reviewing the prior flaw, known as Drupalgeddon 2. The popular CMS has been under heavy fire since these reports and the Drupal team has been working hard on a follow-up patch for the latest RCE (CVE-2018-7602).

Few details were given, but the communication sent by Drupal stated that this attack could compromise a website completely and hand its control over to the attacker. It’s crucial to update your websites and install the prior Drupalgeddon 2 patches before updating to the latest ones, or the fix will not work:

  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, which is no longer supported, you need first to update your site to 8.4.8 release and then install the latest 8.5.3 release as soon as possible.


What’s your score by now? One out of three? Two? Hopefully, you’re not getting a strike, with three vulnerabilities to patch!

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.