Storm in a teacup - or how "NextCry" tried to target Nextcloud

During the last week a message was spread that pricked up the ears of many Nextcloud-users: According to BleepingComputer.com, a ransomware used a three week old security flaw in NGINX and PHP-FPM to deliver its sinister load.

vor 18 Tagen

Latest Post Storm in a teacup - or how "NextCry" tried to target Nextcloud by Oliver Pifferi

During the last week a message was spread that pricked up the ears of many Nextcloud-users: According to BleepingComputer.com, a Python-based ransomware used a three week old security flaw in NGINX and PHP-FPM to deliver its sinister load, targeting Nextcloud-instances and encrypting the data contained therein. It was about time that - once again - discussions rose up quite fast wether Linux or Nextcloud as a famous private cloud-solution were now the aim for digital villains. A little bit too fast if you ask me once you forget to see the other side of the coin.

In the age of modern Internet, many things aren't as bad as they look. To be more specific, the news I saw spreading throughout some German IT-pages were really shaking the reputation of Nextcloud to the very foundations: A private cloud, forked from ownCloud three years ago, with Linux as its foundation, should suddenly be a weak and "worthy" target for ransomware encrypting its data? This was an accusation with a certain brisance but - finally - disappeared into Nirvana just to anticipate my final conclusion of these words here.

(Yet) unknown Malware-Code (c) Bleeping Computer

The story began when a Nextcloud-user named xact64 started a thread in the Bleeping Computer-forum. While syncing his data he realized that his data was seemingly renamed and encrypted. This resulted in a fast reaction and the isolation of the server running his Nextcloud-instance. Michael Gillespie of Malwarehunterteam analyzed a sample file provided by xact64 shortly afterwards, giving the ransomware the name of "NextCry". The code itself was based upon a Python-script which cloaked itself by using the pyinstaller and resided in a Linux ELF-binary. While continuing his research, Michael Gillespie was able to explore that an AES-algorithm with a 256 Bit-key was used to encrypt the files. The key itself was protected with a 2048 Bit RSA-key and, in malicious "cooperation", hidden deep within the malware-code itself.

Malware Code "NextCry" (c) Bleeping Computer

The rest was business as usual: Targeted users were advised to pay 0,025 BC (about 210 US-Dollars) once they tried to read the encrypted files. According to the status quo of today, no transactions to the given BitCoin-wallet were monitored so far which may also be caused by the minor spreading of this malware. Another user of the Bleeping Computer-forum dissected the Python-script even more and discovered that it was especially targeting Nextcloud-installations. By reading the contents of the config.php-file the script was able to pick out system-variables which exposed - for example - the location of the important "data"-directory where Nextcloud stores its user-specific files. As soon as the script had finished its work, a recovery of the encrypted files with Nextcloud's standard tools like the Recycle Bin wasn't possible anymore - according to the current state of research.

Malware Code "NextCry" - config.php (c) Bleeping Computer

After further inquiry at Nextcloud, the assumption from the very beginning turned out to be correct: Not Nextcloud but the base system (or at least a component below this layer) caused the problem. Some weeks ago, the folks at Nextcloud already announced a security flaw in connection with the less used NGINX-webserver and PHP-FPM (FastCGI Process Manager)-module. The security flaw entitled CVE-2019-11043 was indeed the gateway for the malicous script as the company already told on October 24th, 2019. Users who already listened to the advice in the most recent past weren't targeted by "NextCry" - the recommended update to PHP 7.3.11 or PHP 7.2.24 took care of this security issue. According to Jos Poortvliet, Marketing Communications Manager at Nextcloud, just two (2!) private servers out of 300.000 were harmed: You will find an official statement to this topic here by the way.

My final conclusion: Even if some of the competitors would have liked to see Nextcloud's reputation struggle (and already broadcasted this news in some more or less public ways), it is not the source code of Nextcloud that advantaged this security flaw. It is the operating system below serving as a base for any web application. You'll find the same scenario in many other solutions and combinations, not caring if they are distributed as closed or Open Source: Once you are using a system that is lacking the lastest security updates, you are bearing the risk that some of the open security flaws will be exploited at some time.

The whole case therefore was - according to my opinion - just a storm in a teacup. It would have been good if the one or other publication had made its homework (and research) before putting such gonzo headlines into the World Wide Web. In the end nothing compares to an actual and patched system, a backup (for any emergency reason) and the solid awareness that also Linux-systems may be coming into the firing line of digital villains!

Deutsch

Auf der Suche nach der deutschen Version dieses Artikels? Hier ist er!

Oliver Pifferi

Published vor 18 Tagen