Archive for August, 2019

Rewterz Threat Advisory – CVE-2019-13526 – Datalogic AV7000 Linear Barcode Scanner Authentication Bypass vulnerability



Analysis Summary

The affected product is vulnerable to authentication bypass, which may allow an attacker to remotely execute arbitrary code.

Impact

HTTP authentication bypass

Affected Vendors

Datalogic
Affected Products

AV7000 Linear Barcode Scanner

Remediation

Datalogic reports that a new firmware version has been released to mitigate the reported vulnerability.

Please contact Datalogic for the newly released firmware.

Rewterz Threat Advisory – CVE-2019-9569 – Delta Controls enteliBUS Controllers Code Execution vulnerability



Analysis Summary

The affected products are vulnerable to a buffer overflow condition due to a lack of input validation, which may allow an attacker to remotely execute arbitrary code.

Impact

Execution of arbitrary code

Affected Vendors

Delta Controls

Affected Products

enteliBUS Controllers

Remediation

Delta Controls recommends users upgrade from enteliBUS 3.40 firmware to Version 3.40 R6 build 612850.

Rewterz Threat Alert – LYCEUM Targeting Energy Sector in the Middle East



Analysis Summary

A newly identified group, LYCEUM, has been found targeting critical infrastructure organizations in the Middle East. It uses simple techniques to compromise targets and then deploys post-intrusion tools. Operating since 2018 and having previously targeted South African organizations, LYCEUM has turned its focus to oil and gas companies in the Middle East since April 2019. Also referred to as ‘Hexane’, LYCEUM focuses on collecting information rather than disrupting operations, according to security experts.

LYCEUM has been observed using password spraying and brute-force attacks to compromise the email accounts of individuals working for its target organizations. The attackers then send spear-phishing emails to executive-level employees of the target organizations carrying malicious Excel spreadsheets that install DanBot, a remote access trojan (RAT) with basic capabilities.

LYCEUM uses the following tools in its attacks:

  • DanBot — A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files
  • DanDrop — A VBA macro embedded in an Excel XLS file used to drop DanBot
  • kl.ps1 — A PowerShell-based keylogger
  • Decrypt-RDCMan.ps1 — Part of the PoshC2 framework
  • Get-LAPSP.ps1 — A PowerView-based script from the PowerShell Empire framework

Password spraying, DNS tunneling, social engineering, and abuse of security testing frameworks are tactics commonly observed in attacks against Middle Eastern organizations.
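Password spraying and brute forcing leave opposite shapes in authentication logs: a spray is one source trying a few passwords against many accounts, a brute force is one source hammering one account. The Python below is an added example, not code from the advisory or from Rewterz; it classifies source IPs by those two shapes over a constructed sample log (the `timestamp result user=... src=...` line format is an assumption) and flags the case that matters most, a successful login from a source that was just spraying.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the advisory). The line format
# "<ISO-8601 timestamp> <OK|FAIL> user=<name> src=<ip>" is an assumption for this example.
SAMPLE_AUTH_LOG = """\
2019-08-20T09:00:01 FAIL user=alice src=203.0.113.10
2019-08-20T09:00:04 FAIL user=bob src=203.0.113.10
2019-08-20T09:00:07 FAIL user=carol src=203.0.113.10
2019-08-20T09:00:10 FAIL user=dave src=203.0.113.10
2019-08-20T09:00:13 FAIL user=erin src=203.0.113.10
2019-08-20T09:00:16 FAIL user=frank src=203.0.113.10
2019-08-20T09:00:19 OK user=grace src=203.0.113.10
2019-08-20T09:05:00 FAIL user=alice src=198.51.100.7
2019-08-20T09:05:03 FAIL user=alice src=198.51.100.7
2019-08-20T09:05:06 FAIL user=alice src=198.51.100.7
2019-08-20T09:05:09 FAIL user=alice src=198.51.100.7
2019-08-20T09:05:12 FAIL user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse_auth_log(text):
    """Return (timestamp, result, user, source_ip) tuples, skipping lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_auth_abuse(events, window=timedelta(minutes=10),
                      spray_min_users=5, spray_max_per_user=2, brute_min_failures=5):
    """Classify each source IP as a password spray (many users, few failures each)
    or a brute force (one user, many failures) inside a sliding time window."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, src in events:
        (failures if result == "FAIL" else successes)[src].append((ts, user))

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # count failures per user in the window that opens at this failure
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            peak = max(per_user.values())
            if len(per_user) >= spray_min_users and peak <= spray_max_per_user:
                kind = "password_spray"
            elif peak >= brute_min_failures:
                kind = "brute_force"
            else:
                continue
            findings[src] = {
                "type": kind,
                "users": len(per_user),
                "failures": sum(per_user.values()),
                # a success from the same source after the burst is the highest-priority signal
                "followed_by_success": any(ts >= start for ts, _ in successes.get(src, [])),
            }
            break
    return findings


if __name__ == "__main__":
    for src, finding in detect_auth_abuse(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, finding)
```

The thresholds are deliberately loose so the constructed log trips both rules; in production they should be tuned per identity provider, and the spray rule is best run against the provider's own sign-in logs rather than a single application's, since a spray is usually spread across services.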


Impact

  • Information disclosure
  • Account compromise
  • Possible disruption of industrial processes

Indicators of Compromise

IP(s) / Hostname(s)

  • 62.113.207[.]181
  • 144.217.149[.]61
  • 75.87.185[.]45
  • 62.113.196[.]37
  • 104.149.37[.]44
  • 198.50.152[.]162
  • 164.132.181[.]82


  • bsolutions-cloude[.]com
  • cybersecnet[.]co[.]za
  • cybersecnet[.]org
  • opendnscloud[.]com
  • dnscloudservice[.]com
  • dnscachecloud[.]com
  • web-traffic[.]info
  • web-statistics[.]info
  • online-analytic[.]com
  • excsrvcdn[.]co

Malware Hash (MD5/SHA1/SHA256)

  • a8f68c928f82edd8a28c0fd25e207929a7dbce23
  • 9df776b9933fbf95e3d462e04729d074


Remediation

  • Block the threat indicators at their respective controls.
  • Do not respond to emails coming from untrusted sources.
  • Do not download email attachments coming from unexpected sources.
  • Always scan documents prior to downloading.
  • Implement multi-factor authentication.
  • Conduct phishing awareness programs for employees.
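The indicators above are defanged with `[.]` so they cannot be clicked by accident; to block or hunt with them they have to be refanged, and domain indicators should match any subdomain, because DNS-based C2 channels typically carry their data in labels beneath the attacker's domain. The Python below is an added example, not code from the advisory or from Rewterz: it refangs the advisory's own indicators and scans a few constructed DNS, proxy and EDR log lines (the line formats are assumptions).

```python
import re

# Indicators exactly as published in the advisory above, still defanged with [.].
ADVISORY_IPS = [
    "62.113.207[.]181", "144.217.149[.]61", "75.87.185[.]45", "62.113.196[.]37",
    "104.149.37[.]44", "198.50.152[.]162", "164.132.181[.]82",
]
ADVISORY_DOMAINS = [
    "bsolutions-cloude[.]com", "cybersecnet[.]co[.]za", "cybersecnet[.]org",
    "opendnscloud[.]com", "dnscloudservice[.]com", "dnscachecloud[.]com",
    "web-traffic[.]info", "web-statistics[.]info", "online-analytic[.]com", "excsrvcdn[.]co",
]
ADVISORY_HASHES = [
    "a8f68c928f82edd8a28c0fd25e207929a7dbce23",
    "9df776b9933fbf95e3d462e04729d074",
]

# Constructed log lines (not real telemetry); key=value layout is an assumption.
SAMPLE_LOG = """\
2019-08-20T10:12:03 dns query=jk3h4k5j.opendnscloud.com src=10.0.0.5
2019-08-20T10:12:09 proxy dst=62.113.207.181 url=http://62.113.207.181/update src=10.0.0.5
2019-08-20T10:13:00 dns query=www.example.org src=10.0.0.9
2019-08-20T10:14:11 edr sha1=a8f68c928f82edd8a28c0fd25e207929a7dbce23 host=WS-17
"""


def refang(ioc):
    """Turn a defanged indicator back into its literal form, lower-cased."""
    return ioc.replace("[.]", ".").lower()


def build_ioc_sets(ips=ADVISORY_IPS, domains=ADVISORY_DOMAINS, hashes=ADVISORY_HASHES):
    return {
        "ip": {refang(i) for i in ips},
        "domain": {refang(d) for d in domains},
        "hash": {h.lower() for h in hashes},
    }


# Tokens are runs of letters, digits, dots and hyphens; URLs and key=value pairs split naturally.
TOKEN_RE = re.compile(r"[a-z0-9.-]+")


def match_line(line, iocs):
    """Return the distinct (kind, indicator) pairs found in one log line."""
    hits, seen = [], set()
    for tok in TOKEN_RE.findall(line.lower()):
        hit = None
        if tok in iocs["ip"]:
            hit = ("ip", tok)
        elif tok in iocs["hash"]:
            hit = ("hash", tok)
        else:
            # exact domain or any subdomain of it (DNS tunnelling lives in subdomains)
            for d in iocs["domain"]:
                if tok == d or tok.endswith("." + d):
                    hit = ("domain", d)
                    break
        if hit and hit not in seen:
            seen.add(hit)
            hits.append(hit)
    return hits


def scan_log(text, iocs=None):
    """Return (line_number, kind, indicator) for every indicator hit in the log text."""
    iocs = iocs or build_ioc_sets()
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, ioc in match_line(line, iocs):
            findings.append((n, kind, ioc))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Suffix matching on domains is what makes the DNS line hit: the queried name is a random-looking label under `opendnscloud.com`, which is exactly how tunnelled traffic looks, and an exact-match blocklist would miss it.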

Moving Ahead of Single-Step Password Authentication


Why are most phishing campaigns designed to steal user credentials? Because credentials are the easiest key for entering an organization’s virtual premises unnoticed. However, most users tend to believe that their password-protected systems are secure.

Account Compromises on Exponential Rise

Millions of passwords are compromised each day because cracking passwords is easier than launching sophisticated cyber-attacks. The website HaveIBeenPwned tracks such compromised accounts and lets users check whether their own accounts have been exposed. It lists hundreds of millions of accounts compromised in multiple breaches, whether through successful phishing attacks or through reuse of compromised passwords on other platforms. Below is an image of the website tracking the latest breaches and compromises.


Another way attackers can obtain passwords is by reviewing a user’s password history and guessing the next password from the pattern the user follows. For example, a user may change their password to the date of birth of a family member every time a change is required. Attackers may explore the target’s social media as open-source intelligence to acquire the dates of birth of other family members and use them as the next password guesses for that user.

Why Single Factor Authentication is Dangerous

The image above shows that millions of accounts have been compromised in data breaches. To make matters worse, most of these passwords are solely responsible for the security of their respective devices. Single factor authentication is a very outdated way of protecting your assets in this age of technology. Additionally, most users practice password reuse, i.e. they do not have unique passwords for every platform but reuse the same passwords for multiple logins. Consequently, when the password is exposed or breached on one platform, it can be used to access every other platform where it is repeated.


Single factor authentication poses a serious threat to the security of an organization. Once a legitimate password is acquired, attackers can walk in through the single sign-in process without raising suspicion. When this happens, even the best network security procedures are bypassed and attackers can move around inside the organization without triggering an alarm. Statistics show that many attack types have succeeded using simple techniques because no other authentication had to be provided at the time of the unauthorized login. It is because of the insufficiency of these single sign-in processes that business emails are so often compromised and plain-text protocols exploited.

• Business Email Compromise 

Password breaches and insufficient authentication processes often compromise business accounts on a massive scale for financial profit. Business Email Compromise has been a known profitable attack over the past few years. It was reported in July 2018 that attackers made more than $12 million through these attacks in less than five years. Once the password for such an account was acquired, attackers were able to access it without difficulty.

• Legacy Protocols 

Single sign-in is also dangerous when organizations need to use plain-text protocols, also known as legacy protocols. Unfortunately, organizations are sometimes bound to single sign-in where they rely on simpler technologies such as legacy protocols like SMTP, which were created in simpler times when multi-factor authentication was not in use. The bigger concern is that attackers are also aware of these limitations and are determined to suppress advanced protocols and authentication.

Single Sign-in brings borrowed Vulnerabilities

A paper by the SANS Institute states that organizations are now vulnerable to attacks due to factors other than their own security measures. While they continue to suffer from direct data breaches and spear phishing, they are also threatened by data breaches of third parties, which expose the passwords their users have reused. Reused passwords let attackers target multiple platforms with one stolen credential.

Having retrieved one password from a breach, attackers will certainly try the acquired password against other organizations too.
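The practical defence against borrowed breaches is to refuse, at password-set time, any password that already appears in a breach corpus. HaveIBeenPwned's Pwned Passwords service supports this with a k-anonymity range query: the client sends only the first five hex characters of the password's SHA-1 and receives every matching 35-character suffix with its breach count, so the full hash never leaves the client. The Python below is an added example, not Rewterz's code and not the real HIBP client: it implements that prefix/suffix logic against a constructed local range table standing in for the network response (the counts are made up).

```python
import hashlib

# Constructed stand-in for a few breached passwords and their breach counts (made-up numbers).
_CONSTRUCTED_BREACHED = {"password": 3730471, "123456": 23597311, "letmein": 100}


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Local "range" table shaped like a Pwned Passwords range response: for each 5-hex prefix,
# lines of "<35-hex suffix>:<count>". Built from the constructed set above.
LOCAL_RANGES = {}
for _pw, _count in _CONSTRUCTED_BREACHED.items():
    _h = _sha1_hex(_pw)
    LOCAL_RANGES.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def local_fetch_range(prefix):
    """Offline substitute for the HTTP range lookup; returns the response body text."""
    return "\n".join(LOCAL_RANGES.get(prefix, []))


def k_anonymity_prefix(password):
    """The only thing that would be sent to the service: 5 hex chars of the SHA-1."""
    return _sha1_hex(password)[:5]


def breach_count(password, fetch_range=local_fetch_range):
    """Return how many times the password appeared in breaches (0 if not found).
    Only the 5-char prefix goes to fetch_range; matching the suffix happens locally."""
    full = _sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def password_allowed(password, fetch_range=local_fetch_range):
    """Policy hook for a registration or password-change form: reject known-breached passwords."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "letmein", "correct horse battery staple"):
        print(candidate, "->", "rejected" if not password_allowed(candidate) else "allowed")
```

To use this against the live service, `fetch_range` would be replaced by an HTTPS GET that returns the response body for the prefix; the `breach_count` logic stays the same, which is the point of the design: the server learns a 5-character prefix shared by hundreds of hashes, never the password.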

How to Avoid Security Weaknesses Caused by Single Password Authentications

In order to avoid the vulnerabilities and security weaknesses that come with single-step password authentication, users are advised to make use of resources such as multi-factor authentication and password-less authentication. These ensure that your entire security does not depend on a password. Even if the password is leaked or breached, attackers will still be unable to access your device or system if you have enabled multi-factor or password-less authentication.

Utilizing Multi-factor Authentication

Multi-factor authentication combines a username and password with at least one additional proof of the user’s identity. That proof can be something you have (a device that verifies the login attempt through a PIN code or link it receives) or something you are (biometric verification such as a thumbprint). There are also software-based MFA options that work with smart devices such as phones and laptops.

Most users avoid setting up multi-factor authentication because it involves an external device. It is also a two-step rather than a one-step process and demands slightly more effort than a single password. However, it is about time that organizations started enforcing multi-factor authentication and raising awareness against password reuse.


Password-less Authentication

There are hardware devices that store cryptographic keys used to verify user identity. Technological advances also enable websites to implement stronger, password-less authentication to strengthen the security chain as a whole. Common examples of password-less authentication are facial recognition, iris scanning, and fingerprint reading, as implemented in the latest mobile phones and notebooks. Advanced desktop systems also support facial recognition to verify a user’s identity.

Since password compromises are getting easier with advanced phishing techniques, organizations should discard single-step sign-in, discourage password reuse and implement at least multi-factor authentication to ensure their safety. Password-less authentication should also be used where feasible and available.

Rewterz Threat Alert – Phishing Campaign Delivers Quasar RAT Payloads via Fake Resumes



Analysis Summary

A new phishing campaign uses fake resume attachments designed to deliver Quasar Remote Administration Tool (RAT) malicious payloads onto the Windows computers of unsuspecting targets.

Phishing is used by criminals to trick potential victims, through social engineering, into handing over sensitive information on fraudulent websites they control, or to deliver malicious content via e-mails that appear to come from someone the victim knows or from a legitimate organization.

While using fake resumes and various other types of documents is a very common trick among cybercriminals operating malspam campaigns, this one targets Windows users with the Quasar Remote Administration Tool (RAT).

Quasar RAT is a well-known open-source RAT developed using the C# programming language and known to have been used by a wide range of hacking groups including APT33, APT10, Dropping Elephant, Stone Panda, and The Gorgon Group.

Phishing email sample

Delivery and infection process

The malspam campaign, detected by Cofense, distributes the Quasar RAT payload with the help of a password-protected fake resume in Microsoft Word format and also “employs counter-detection measures to reach the end user.” After potential victims enter the ‘123’ password included in the phishing message, the fake resume document asks for macros to be enabled so it can start the infection process, as most similar attacks do.

The 'Enable macros' request


Impact

  • Credential theft
  • Exposure of sensitive information


Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.

Rewterz Threat Alert – Nemty Ransomware May Spread via Compromised RDP Connections



Analysis Summary

A new ransomware was spotted over the weekend, carrying references to the Russian president and to antivirus software. Researchers call it Nemty.

This is the first version of Nemty ransomware, named after the extension it adds to files following the encryption process.

Like any proper file-encrypting malware, Nemty deletes the shadow copies of the files it processes, taking away the victim’s ability to recover versions of the data created by the Windows operating system.
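Shadow-copy deletion is one of the most generic ransomware behaviours, which is why most EDR and SIEM rule sets alert on the built-in Windows utilities used for it (MITRE ATT&CK T1490, Inhibit System Recovery) regardless of the family. The Python below is an added example, not Rewterz's or the researchers' code and not specific to Nemty: it runs a small set of command-line patterns over constructed Sysmon-style process-creation events (the key=value layout is an assumption) and reports the parent process of each hit, which is usually the payload itself.

```python
import re

# Constructed Sysmon-style process-creation events (EventID 1). The key=value layout
# is an assumption for this example, not real telemetry.
SAMPLE_PROCESS_LOG = r"""EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Users\victim\AppData\Local\Temp\invoice.exe
EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Users\victim\AppData\Local\Temp\invoice.exe
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\Windows\System32\cmd.exe
EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\Windows\explorer.exe
"""

# Command-line shapes commonly used to remove or disable Windows recovery data (T1490).
RECOVERY_INHIBIT_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_backups", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, unquoting quoted values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def scan_process_log(text):
    """Return (line_number, rule_name, parent_image) for each process-creation
    event whose command line matches a recovery-inhibition rule."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue
        command_line = event.get("CommandLine", "")
        for name, pattern in RECOVERY_INHIBIT_RULES:
            if pattern.search(command_line):
                hits.append((n, name, event.get("ParentImage", "")))
                break
    return hits


if __name__ == "__main__":
    for hit in scan_process_log(SAMPLE_PROCESS_LOG):
        print(hit)
```

The read-only `vssadmin list shadows` line deliberately does not fire: administrators run it legitimately, and alerting on every invocation of the tool rather than on the destructive verbs is how these rules end up muted. The parent image is carried along because a deletion spawned from a user's Temp directory is a far stronger signal than one spawned from a backup agent's service binary.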

Victims will see a ransom note informing that the attackers hold the decryption key and that data is recoverable for a price.


The payment portal is hosted on the Tor network for anonymity, and users have to upload their configuration file.

Based on this, they are provided with a link to another website that offers a chat function and more information on the demands.



Impact

File encryption


Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.

Copyright © Rewterz. All rights reserved.