Archive for June, 2019

Rewterz Threat Alert – Point-of-Sale Breach – Indicators of Compromise

Severity

Medium

Analysis Summary

A malware sample recovered from the recent compromise of a North American hospitality merchant was analysed and identified as a variant of the Alina Point-of-Sale (POS) malware family. Alina dates back to at least 2013 and is one of many malware strains that carry a Random Access Memory (RAM) scraper: a component built to harvest payment account data from the memory of the targeted POS system, where track data is briefly held unencrypted while a transaction is processed.
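To make the RAM-scraper technique concrete, the following is an added example (not Alina's code and not part of the Rewterz alert): a scanner that sweeps a memory buffer for Track 2 card data, the way a scraper harvests it and the way a responder confirms exposure in a process dump. The Track 2 pattern, the Luhn filter and the sample buffer (built from public test card numbers, not real data) are assumptions of this example.

```python
import re
import sys

# Track 2 as it sits in POS process memory: [;]PAN=YYMM SSS discretionary[?]
# PAN is 13-19 digits, '=' is the field separator, then a 4-digit expiry (YYMM),
# a 3-digit service code and optional discretionary data up to the '?' end sentinel.
# The start sentinel ';' is optional because it is often absent in memory.
TRACK2_RE = re.compile(
    rb';?(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[0-9]{0,20})\??'
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the usual PCI DSS display rule)."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Find Luhn-valid Track 2 records in a memory buffer; report masked findings only."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group('pan').decode('ascii')
        if not luhn_ok(pan):
            continue            # most random digit runs fail Luhn; this cuts false positives
        hits.append({
            'offset': m.start(),
            'pan_masked': mask_pan(pan),
            'exp': m.group('exp').decode('ascii'),
            'service_code': m.group('svc').decode('ascii'),
        })
    return hits


# Constructed stand-in for a process memory dump (not a real capture). It holds a digit
# run that fails Luhn (decoy) and two records built from public test card numbers.
SAMPLE_MEMORY = (
    b'\x00\x00POS.EXE\x00noise 1234567890123=2512101 noise\x00'
    b';4111111111111111=2512101123456789?\x00'
    b'more noise 5555555555554444=27031011234?\x00'
)

if __name__ == '__main__':
    # Pass a dump file as the first argument, otherwise scan the constructed sample.
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_MEMORY
    for hit in scan_buffer(data):
        print(hit)
```

Run against a dump of the POS process (for example one taken with ProcDump) to confirm whether clear-text track data was reachable; the scanner never writes full PANs, so its output can go into an incident report without creating new cardholder-data exposure.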

Impact

Exposure of sensitive information

Indicators of Compromise

Malware Hashes (MD5 / SHA1 / SHA256; each sample is listed as an MD5, SHA1, SHA256 triplet)

  • 176633d74a4a93fe0a76d59175ce54bc
  • 02783a013d8d65e38c13dcc02f3e689e3c7f2c71
  • 0ae4740e74f7350adb13b23e5a2094b2821aafb49ec122a789b1e98ee93458fd
  • b62b0a7907bec6f7dd0cc88854fbd407
  • 1f62704a9f9ea87d3f8dd0f296bd602294168632
  • c0b4ab7a897102ceea5ce82a36018cb5d20806dd47db61484c4ea8e331a423c7
  • 3b016d76fc60cc9c46da6fa10efd0315
  • 93c33ae5035bee6da2bf10784df1b8d32db416f9
  • 804559ea57381bd6c2301d0c9393cf3768e54455ece74acdb99bb307f80494eb
  • 97a95075ec7dc0edac17864cb1ba5a5d
  • 985bff8d5a8346fc514048fd25920811f602adb0
  • 83e3df5ec961ce9b24588ba95025ce94e34c319a8afa30fab2b7cca10c0ef904
  • f49c6afd16afcc5507e0aa7acb64f06f
  • 43d80e5f8416185473dcaf83cb7f160d1eceefd2
  • c7d23247432db58196e46661d9abe440a36d478fe9142da1ed73c37978e905c0
  • 17777257e2bf877c5490619354b8116b
  • 6fdd747d03ac7d52fcb9f9e05c7d96214426ae4d
  • da4f5802f333e96e2263080e8b8cf50db25aaab98d883f85724df63ce7111e12
  • dca7c29a79d21bfe9081e4c227bdad79
  • 7ad0c94e3eeab05b5add22d9b1cf614848b06a13
  • 30feb4ec6cab08452f5fa15e6c07df09777b90c4557f23e5be56eed433278800
  • c84b393b2628ecd4df1b4f10913c6370
  • 1e3d0d2f7bc06aeda6a61a13e33013e025daa1aa
  • 6c6166c356ee2f92b32ad597edcdb34309ba4e7b281801b85fab95a6543a97db
  • cfba66f4ccdb5a0502ba90411c29803d
  • ada32f0903829e64ebd2dd57da5c5f34cb83183d
  • fd0e0f20ba1408080d0ff055aaac416a4ac53e958c0d2ec53de076787c125272
  • dd6e1bc77e1b0ad291126ed4175ba48d
  • 968b8b8926ec1514dc053d8a29b41bcabada6825
  • c01a7be3a05a1971acffea1e8399f18ed627277321236a497700bbf32c08ec3c
  • 07420893a9136686d9040b9c3fe7249d
  • edf27025d326ea84fae1ef3925823d7a91f5b9d6
  • 23668f38b9a10859302070a606cabd313e1b84ed5be81bd26c2d9bda29ebffa9
  • d000bd7c56811eec4067a4b7401bcb38
  • f5e89c72f62ea9a51161b2e1407c719903308e41
  • c55b2f3b67108a58c4cb81c3550115956cb07139e39a37ce9eb57ff4fb41d832

Remediation

Block all threat indicators at your respective controls.


Rewterz Threat Alert – HTML Phishing Leading to Trickbot

Severity

Medium

Analysis Summary

Several phishing campaigns leading to Trickbot have been observed in which the attackers base64-encode the malicious Office documents (maldocs) and deliver them inside HTML attachments. Because the document is only reconstructed locally when the HTML is opened, the attachment itself carries no Office file for mail-gateway scanners to inspect.
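As an added illustration (not from the Rewterz alert and not the campaign's actual attachment), the following script shows how such an HTML attachment can be triaged offline: it pulls long base64 runs out of the HTML, decodes them, checks the result for Office, ZIP, PDF or PE signatures, and flags the browser APIs (atob, Blob, download) that an HTML page needs to rebuild a file on the victim's machine. The sample HTML, the 512-byte stand-in document and the size threshold are constructed assumptions.

```python
import base64
import binascii
import hashlib
import re

# Long runs of base64 alphabet characters; 200 chars (~150 bytes) is far below any real
# document but long enough to skip short tokens, hashes and CSS data.
B64_RE = re.compile(rb'(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{200,}={0,2}')

# File signatures to look for once a blob is decoded.
MAGIC = (
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'OLE2 compound file (legacy .doc/.xls)'),
    (b'PK\x03\x04', 'ZIP container (.docx/.docm/.xlsm or zip)'),
    (b'%PDF', 'PDF document'),
    (b'MZ', 'PE executable'),
)

# Browser APIs typically used to turn decoded bytes into a download.
JS_INDICATORS = (b'atob(', b'new Blob(', b'createObjectURL(', b'.download', b'msSaveOrOpenBlob')


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def try_b64decode(raw: bytes):
    """Decode strictly; retry with the tail trimmed to a multiple of four in case the
    regex swallowed trailing characters that were not part of the blob."""
    for candidate in (raw, raw[:len(raw) - len(raw) % 4]):
        try:
            return base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
    return None


def classify(blob: bytes):
    for magic, name in MAGIC:
        if blob.startswith(magic):
            return name
    return None


def extract_smuggled(html: bytes) -> list:
    """Return decoded, file-like blobs found inside an HTML attachment."""
    findings = []
    for m in B64_RE.finditer(html):
        decoded = try_b64decode(m.group(0))
        if decoded is None:
            continue
        kind = classify(decoded)
        if kind is None:
            continue                        # base64 that is not a recognised file type
        findings.append({
            'offset': m.start(),
            'type': kind,
            'size': len(decoded),
            'sha256': sha256_hex(decoded),  # compare against the hash list in this alert
        })
    return findings


def smuggling_indicators(html: bytes) -> list:
    return [name.decode() for name in JS_INDICATORS if name in html]


# Constructed sample attachment (not a real phishing file): a 512-byte stand-in with the
# OLE2 header, smuggled through the usual atob()/Blob pattern, plus a benign base64 blob.
FAKE_DOC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\x00' * 504
SAMPLE_HTML = (
    b'<html><body><script>\n'
    b'var payload = "' + base64.b64encode(FAKE_DOC) + b'";\n'
    b'var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));\n'
    b'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    b'var a = document.createElement("a"); a.href = URL.createObjectURL(blob);\n'
    b'a.download = "Invoice_2019.doc"; a.click();\n'
    b'</script><p>' + base64.b64encode(b'benign text ' * 30) + b'</p></body></html>'
)

if __name__ == '__main__':
    print(smuggling_indicators(SAMPLE_HTML))
    for finding in extract_smuggled(SAMPLE_HTML):
        print(finding)
```

The decoded blob, not the HTML wrapper, is what should be hashed and compared with the indicators above and submitted for sandboxing; the JavaScript indicators alone are a useful gateway heuristic because legitimate mail rarely ships an HTML attachment that calls atob and triggers a download.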

Impact

Exposure of sensitive information

Indicators of Compromise

Malware Hashes (MD5 / SHA1 / SHA256; each sample is listed as an MD5, SHA1, SHA256 triplet)

  • 7bc0c27aba7232e66fe7c6bddfa2e97f
  • 43ce46c6730a636bde66983af895e5d6279785fa
  • 59b8bcbbe9b41f410d2439d0645289634f440018a70a6ef9e7491f358afd5660
  • 7381e87d870b7cd3168924ef83f4bf67
  • 971c096b3e9072d3aab1f30c8f86b79c9c5c0ee4
  • dec9fd1ca8c6ebf7571999715946d03a4125a8d4b4b5185a0d828f82354a211c
  • e082f8d1e21e44821d5eb09d2917f349
  • 3359412f96be45db34b6b43f66245aa437a5e964
  • 652f1dd04a92e6f777a289bbc83877f3ae9b8426c2cdaec95401d068b8d25d78
  • 61410b6c6941833f3b6675f5a6ce2d69
  • 2e160ce3a257bb72371e8775d48bc68f05a0face
  • 29cbeb2659870605d65271a44cc0ae91985f4acffffd0d2bccf74549c5fa80b5
  • 150e0ce3eb588b0d6c92e08a2a3a7f37
  • 99e2dedd4fe7c60ed84655c43a0aaca99099b6c6
  • e662a8f3a8238b1fbc0f170393a6813fd44f5432d3a9e10675bc5b0eeb5b7625
  • 15654efd345f73fc7f973d9a7c696821
  • 409b6e803409574620194e0ebaa6416ad95123ca
  • 0562ffd6144deb76197444ef0726e0c7d3e05b393f8b77a3f2ab5f4d0bb158dd
  • 1ec58bca3d55db0552a110066daf2370
  • 01a0b3f06c5517c3368eee346e6403daf6b4891a
  • 9cb3076e3cd427745fbce9e59ba84ef3687f128e5c48174ef911c72cba9df7be
  • 580287ab42f19ac102da18f52b4342b1
  • 6ce3f2fe95bd4d4637d78b5d09c95a37e35c5138
  • 7307a1139470b75c81e5d0b4071e3cd7a6608850d8d0771a31e4bb0598de7eb0
  • bab9ae91f22f2b4f7fa574f2e0197dab
  • bb838bdc70a954ad66af4103a125d379b8e739f7
  • 36bec4967c97a28485067f48103e2f0e91e6f4894d8f453207cb37326cdb72a1
  • 39e82b9c7f66b1f2182d9c2469ef529b
  • 4068ddd566418ac61a3aea56c37758db2fec0a0b
  • 53ce6bbf04c673a7ba7dc00d7191fc6ed67db82c8043942b355bfe175a8dccc9

Remediation

  • Block all threat indicators at your respective controls.
  • Treat emails from unknown senders with suspicion.
  • Do not open links or attachments from unknown senders; HTML attachments in particular should be treated as executable content.

Rewterz Threat Advisory – Industrial Control ABB CP651, CP635 HMI System Access Vulnerability

Severity

High

Analysis Summary

CVE-2019-10995, CVE-2019-7225

The ABB CP651 and CP635 HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. Because the accounts are undocumented and cannot be disabled, anyone who learns the credentials can reach the provisioning functions over the network.

Impact

Unauthorized system access

Affected Vendors

ABB

Affected Products

CP651 HMI and CP635 HMI

Remediation

The vendor recommends applying the update:

ABB CP651 HMI: New version of PB610 Panel Builder 600 v2.8.0.424, which is provided via Automation Builder 2.2 SP2

ABB CP635 HMI : New version of PB610 Panel Builder 600 v2.8.0.424, which is provided via Automation Builder 2.2 SP2


Rewterz Threat Advisory – CVE-2019-10979 – ICS: SICK MSC800 vulnerability

Severity

High

Analysis Summary

The affected firmware versions contain a hard-coded customer account password.

Impact

  • Reconfiguration of device settings
  • Disruption of device functionality

Affected Vendors

SICK

Affected Products

MSC800

Remediation

Vendor recommends affected users upgrade to the latest firmware version (v4.0).


Rewterz Threat Advisory – Industrial Control ABB PB610 Panel Builder 600 Multiple Vulnerabilities

Severity

High

Analysis Summary

CVE-2019-7225

The ABB CP635 HMI component implements hidden administrative accounts used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool “Panel Builder 600” to flash a new interface and Tags (MODBUS coils) mapping to the HMI. These credentials are used over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials.

CVE-2019-7226

The IDAL HTTP server CGI interface exposes a URL that allows an unauthenticated attacker to bypass authentication and reach privileged functions.

CVE-2019-7227

The IDAL FTP server fails to ensure that directory change requests cannot lead to locations outside of the root FTP directory. An authenticated attacker can traverse outside the server root simply by issuing a directory change request.

CVE-2019-7228

The IDAL HTTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.

CVE-2019-7230

The IDAL FTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.

CVE-2019-7232

The IDAL HTTP server is vulnerable to a stack-based buffer overflow when a large Host header is sent in an HTTP request. The header value overflows a buffer and can overwrite the Structured Exception Handler (SEH) address with attacker-supplied data.

CVE-2019-7231

The IDAL FTP server is vulnerable to a buffer overflow when a large string is sent by an authenticated attacker. The overflow is handled by the exception handler, but the process terminates, resulting in a denial of service.

Impact

  • Arbitrary code execution
  • Unauthorized system access

Affected Vendors

ABB

Affected Products

PB610 Panel Builder 600

Remediation

Update to PB610 Panel Builder 600 v2.8.0.424


Rewterz Threat Advisory – Industrial Control Advantech WebAccess/SCADA Multiple Vulnerabilities

Severity

High

Analysis Summary

CVE-2019-10985

A path traversal vulnerability is caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage this vulnerability to delete files while posing as an administrator.
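The FTP traversal in CVE-2019-7227 (ABB PB610 Panel Builder 600, above) and the file-deletion traversal in CVE-2019-10985 share one root cause: a client-supplied path is joined to a base directory without checking where the result lands. The following added example (not vendor code and not derived from either product's implementation) shows the unsafe resolution next to a confined one; the root directory, the FTP reply strings and the handler names are assumptions.

```python
import posixpath

FTP_ROOT = '/srv/ftp'   # assumed root for the examples; not a value from either advisory


def naive_cwd(cwd: str, requested: str) -> str:
    """Vulnerable resolution: join and normalise, never check that the result stays under root."""
    return posixpath.normpath(posixpath.join(cwd, requested))


def confined_path(root: str, cwd: str, requested: str):
    """Resolve a client-supplied path (an FTP CWD argument or a web file parameter) inside root.
    Absolute client paths are taken relative to the virtual root, as an FTP server does.
    Returns the absolute server path, or None if the result would leave root."""
    root = posixpath.normpath(root)
    requested = requested.replace('\\', '/')      # treat backslashes as separators too
    if requested.startswith('/'):
        base, rel = root, requested.lstrip('/')
    else:
        base, rel = cwd, requested
    candidate = posixpath.normpath(posixpath.join(base, rel))
    # The prefix test must include the separator: '/srv/ftp2' starts with '/srv/ftp'
    # as a string but lies outside the root.
    if candidate == root or candidate.startswith(root + '/'):
        return candidate
    return None


def ftp_cwd(root: str, cwd: str, requested: str):
    """Model of a hardened CWD handler: returns (reply line, new working directory)."""
    target = confined_path(root, cwd, requested)
    if target is None:
        return '550 Failed to change directory.', cwd
    return '250 Directory successfully changed.', target


if __name__ == '__main__':
    cwd = FTP_ROOT + '/pub'
    print('naive   :', naive_cwd(cwd, '../../../etc'))             # escapes to /etc
    print('confined:', confined_path(FTP_ROOT, cwd, '../../../etc'))  # None
    print(ftp_cwd(FTP_ROOT, cwd, '..'))
    print(ftp_cwd(FTP_ROOT, cwd, '..\\..\\..\\Windows'))
```

The check is purely textual, so it must run on the fully decoded path (URL-decode an HTTP parameter first, or an encoded `..%2f` slips through) and, on a real filesystem, should be followed by resolving the candidate with `os.path.realpath` and repeating the prefix test so that symbolic links under the root cannot point outside it.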

CVE-2019-10991

Multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

CVE-2019-10989

Multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

CVE-2019-10983

An out-of-bounds read vulnerability is caused by a lack of proper validation of user-supplied data. Exploitation of this vulnerability may allow disclosure of information.

CVE-2019-10987

Multiple out-of-bounds write vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

CVE-2019-10993

Multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code.

Impact

  • Information disclosure
  • Deletion of files
  • Remote code execution

Affected Vendors

Advantech

Affected Products

WebAccess/SCADA

Remediation

Advantech has released Version 8.4.1 of WebAccess/SCADA to address the reported vulnerabilities.

https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV&Doc_Source=Download


Copyright © Rewterz. All rights reserved.