Back in March, cybersecurity analysts reported a malware campaign spread via phishing that they found particularly worrying. Although the malware used in this campaign was first discovered in 2018, it is only in the past few weeks that infection has proliferated, to the point that the number of infected systems already exceeds 90,000, plus 2,000 servers, which according to remote monitoring data represents 600% growth. This malware is called Purple Fox. But what has changed recently to enable the infection to spread so fast?

Botnet exploiting vulnerabilities_

Previously, Purple Fox was distributed through exploit kits and used email as its main infection vector. Now a functionality has been added that enables the malware to scan for and infect Windows-based systems, and it also uses brute force to break into servers that lack strong passwords and hashing. It manages this by leveraging vulnerabilities found in older versions of Windows Server, specifically in the 7.5 release of Internet Information Services (IIS) and in servers running Microsoft RPC, Microsoft SQL Server 2008 R2, Microsoft HTTPAPI httpd 2.0 and Microsoft Terminal Service.

Once a system is compromised, the malware closes the firewall ports of the infected system and starts to scan for other connected, vulnerable systems with weak passwords. The system becomes part of a botnet operated by the attackers, which can then be used for other purposes, such as infecting even more systems or carrying out DDoS attacks with the thousands of infected systems against organizations they are targeting for economic or other reasons.
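As an added illustration that is not part of the original post, the following Python example shows the defensive side of the brute-force behaviour described above: it reads constructed Windows Security log events (event ID 4625, failed logon; 4624, successful logon), flags a source that produces a burst of failed logons within a short window, and marks it when a successful logon from the same source follows the burst. The threshold, window, IP addresses and account names are assumptions, not values from the campaign.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (hypothetical, not from any real host).
# Fields: ISO timestamp, event ID, source IP, target account.
# 4625 = "An account failed to log on", 4624 = "An account was successfully logged on".
SAMPLE_EVENTS = [
    ("2021-03-25T10:00:01", 4625, "198.51.100.7", "Administrator"),
    ("2021-03-25T10:00:02", 4625, "198.51.100.7", "Administrator"),
    ("2021-03-25T10:00:03", 4625, "198.51.100.7", "admin"),
    ("2021-03-25T10:00:04", 4625, "198.51.100.7", "admin"),
    ("2021-03-25T10:00:05", 4625, "198.51.100.7", "sqlsvc"),
    ("2021-03-25T10:00:06", 4625, "198.51.100.7", "sqlsvc"),
    ("2021-03-25T10:00:10", 4624, "198.51.100.7", "admin"),    # success right after the burst
    ("2021-03-25T10:01:00", 4624, "192.0.2.5", "jsmith"),      # normal interactive logon
    ("2021-03-25T10:05:00", 4625, "203.0.113.9", "jsmith"),    # two typos, minutes apart
    ("2021-03-25T10:09:00", 4625, "203.0.113.9", "jsmith"),
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs that produce >= threshold failed logons inside a sliding
    time window; mark them 'success_after_failures' when a successful logon from
    the same source follows the burst. Returns {source_ip: details}."""
    recent = defaultdict(deque)        # source -> timestamps of recent 4625 events
    accounts = defaultdict(set)        # source -> accounts tried so far
    alerts = {}
    for ts_str, event_id, src, account in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            accounts[src].add(account)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(src, {"peak_failures": 0, "accounts": set(),
                                                "success_after_failures": False})
                entry["peak_failures"] = max(entry["peak_failures"], len(q))
                entry["accounts"] = set(accounts[src])
        elif event_id == 4624 and src in alerts:
            # A success from a source already flagged for a burst is the high-priority case.
            alerts[src]["success_after_failures"] = True
            alerts[src]["compromised_account"] = account
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

Only the source that tried several accounts in quick succession and then logged on is reported; the two slow failures from 203.0.113.9 fall outside the window and stay quiet.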

Strong passwords and patches_

Cybersecurity analysts flagged up the fact that a number of servers infected by Purple Fox are owned by small and medium-sized enterprises (SMEs) that had weak passwords and lacked sufficient protection measures and up-to-date systems. However, some big companies have also been hit. Big organizations lacking an adequate password policy is a more common error than one might expect: we addressed this previously on the blog with the case of the credit agency Equifax, where the data of 147 million people were compromised thanks to server credentials as basic as the term “admin”.

This can lead to very serious incidents. Indeed, one of the clearest examples of a recent cyberattack on critical infrastructure was caused by easy-to-crack passwords: hackers accessed the PLC’s computer at the Oldsmar Water Treatment Plant in Florida thanks to a weak password in the remote access program TeamViewer that the utility company used.

Nonetheless, having strong passwords isn’t enough; organizations must also be equipped with advanced cybersecurity tools that let them manage patches easily, covering Windows servers, their own operating systems and third-party applications on workstations. Cytomic Patch is a complementary security module for IT operations teams that provides consultancy and easy-to-use management of these patches. It gives full, real-time visibility of elements such as:

  • Security status of the software vulnerabilities.
  • All available critical updates.
  • Patches still not installed.
  • EOL software that is no longer compatible, so that its weaknesses can be monitored.
  • Vulnerable groups and profiles that have been predefined.

Moreover, IT teams and SOCs can also access the exploit codes and a log of critical and recent vulnerabilities. This enables organizations to reduce the attack surface and prevent threats like Purple Fox from reaching the endpoint.