Archive for category Rewterz News

Rewterz Threat Advisory – CVE-2019-16028 – Cisco Firepower Management Center

Severity

High

Analysis Summary

The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device.

Impact

Authentication Bypass

Affected Vendors

Cisco

Affected Products

Cisco FMC Software

Remediation

Please refer to the vendor's advisory for the list of affected products and patches.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth


Rewterz Threat Alert – Satan ransomware rebrands as 5ss5c ransomware

Severity

High

Analysis Summary

The cybercrime group behind the Satan, DBGer and Lucky ransomware, and possibly Iron ransomware, recently introduced a new version or rebranding named “5ss5c”. This version of the ransomware adds the EternalBlue exploit and new functionality.

It will download and leverage:

  • A spreader (EternalBlue and hardcoded credentials)
  • Mimikatz and what appears to be another password dumper/stealer
  • The actual ransomware

Indicators of compromise are given below.

Impact

  • File encryption
  • Credential theft
  • Information theft

Indicators of Compromise

From Email

5ss5c@mail[.]ru

Source IP

  • 58[.]221[.]158[.]90
  • 61[.]186[.]243[.]2

URL

  • http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat
  • http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt
  • http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails.
  • Do not click on URLs attached in untrusted emails.
  • Maintain a backup for all files.

Rewterz Threat Alert – Emotet Malware Hacks Nearby Wi-Fi Networks to Infect New Victims

Severity

High

Analysis Summary

Emotet has found a new attack vector: using already infected devices to identify new victims that are connected to nearby Wi-Fi networks. The Emotet sample leverages a “Wi-Fi spreader” module to scan for Wi-Fi networks and then attempts to infect devices connected to them. This module has been running “unnoticed” for around two years. The development marks an escalation of Emotet’s capabilities, as networks in close physical proximity to the original victim are now susceptible to infection. The updated version of the malware uses an already compromised host to list all nearby Wi-Fi networks. To do so, it calls the wlanAPI interface to extract the SSID, signal strength, the authentication method (WPA, WPA2, or WEP), and the encryption mode used to protect the network password. The worm then attempts to connect to each network by brute force, trying passwords taken from one of two internal password lists; if a connection attempt fails, it moves on to the next password in the list. It is not immediately clear how these password lists were put together.


If the operation succeeds, the malware connects the compromised system to the newly accessed network and begins enumerating all non-hidden shares. It then carries out a second round of brute-force attacks to guess the usernames and passwords of all users connected to the network resource. A successful guess leads to the next phase: installing the malicious payload, called “service.exe”, on the newly infected remote system. To cloak its behavior, the payload is installed as a Windows Defender System Service (WinDefService). In addition to communicating with a command-and-control (C2) server, the service acts as a dropper and executes the Emotet binary on the infected host. The malware can also be detected by actively monitoring for processes running from temporary folders and user profile application data folders.
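
The detection hint above can be turned into a simple triage rule. The following is an added example, not code from Rewterz or from the referenced research; it runs over constructed process-creation and service-install events (the event field names and the sample hosts are assumptions) and flags the behaviours the advisory names: execution from temp or user AppData folders, the dropped `service.exe` image, and a service named `WinDefService`.

```python
import re
from typing import Dict, List

# Locations the advisory singles out: Windows temp and the per-user AppData folders.
SUSPICIOUS_DIRS = [
    re.compile(r"^[a-z]:\\windows\\temp\\", re.IGNORECASE),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.IGNORECASE),
]
# Names taken from the advisory text (lower-cased for comparison).
SUSPICIOUS_SERVICE_NAME = "windefservice"
SUSPICIOUS_IMAGE_NAME = "service.exe"


def reasons_for(event: Dict[str, str]) -> List[str]:
    """Return the indicators an event matches; an empty list means nothing suspicious."""
    reasons: List[str] = []
    image = event.get("image", "")
    if any(pattern.match(image) for pattern in SUSPICIOUS_DIRS):
        reasons.append("executes from a temp or user AppData folder")
    if image.lower().rsplit("\\", 1)[-1] == SUSPICIOUS_IMAGE_NAME:
        reasons.append("image name matches the dropped payload service.exe")
    if (event.get("type") == "service_install"
            and event.get("service", "").lower() == SUSPICIOUS_SERVICE_NAME):
        reasons.append("service name mimics Windows Defender (WinDefService)")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events that matched, each annotated with its reasons."""
    hits = []
    for event in events:
        reasons = reasons_for(event)
        if reasons:
            hits.append({**event, "reasons": reasons})
    return hits


# Constructed sample telemetry: one benign process, one benign service, and two
# events shaped like the Wi-Fi spreader's drop-and-install sequence.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "host": "ws-02", "image": r"C:\Users\alice\AppData\Local\Temp\service.exe"},
    {"type": "service_install", "host": "ws-02", "service": "WinDefService",
     "image": r"C:\Windows\Temp\service.exe"},
    {"type": "service_install", "host": "ws-03", "service": "WinDefend",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["type"], "->", "; ".join(hit["reasons"]))
```

The real Defender service (WinDefend, running from Program Files) is deliberately included so the rule is seen to key on the impostor name and location rather than on anything Defender-like.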

Impact

  • Infection of Wi-Fi networks
  • Unauthorized Access

Indicators of Compromise

Source IP

  • 87.106.37.146
  • 45.79.223.161

Remediation

  • Block the threat indicators at their respective controls.
  • Implement very strong passwords for wireless networks.

Rewterz Threat Advisory – CVE-2020-3119 – Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution

Severity

High

Analysis Summary

The vulnerability exists because the Cisco Discovery Protocol parser does not properly validate input for certain fields in a Cisco Discovery Protocol message. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device.

Impact

Privilege Escalation

Affected Vendors

Cisco

Affected Products

  • Cisco Nexus 3000 Series Switches
  • Cisco Nexus 5500 Platform Switches
  • Cisco Nexus 5600 Platform Switches
  • Cisco Nexus 6000 Series Switches
  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • Cisco Nexus 9000 Series Switches in standalone NX-OS mode

Remediation

Please refer to the vendor's advisory for the list of fixed releases.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce


Rewterz Threat Advisory – ICS: Siemens SIMATIC CP 1543-1

Severity

High

Analysis Summary

CVE-2019-12815

An arbitrary file copy vulnerability in mod_copy of the embedded FTP server allows for remote code execution and information disclosure without authentication.

CVE-2019-18217

Incorrect handling of overly long commands in the embedded FTP server allows an attacker to cause a denial-of-service condition by making the server enter an infinite loop.

Impact

  • Remote code execution
  • Information disclosure without authentication
  • Denial of service

Affected Vendors

Siemens

Affected Products

SIMATIC CP 1543-1 all versions starting at 2.0 and prior to 2.2

Remediation

Update to the latest version, 2.2.


Rewterz Threat Advisory – ICS: Synergy Systems & Solutions HUSKY RTU

Severity

High

Analysis Summary

CVE-2019-20045

Specially crafted malicious packets could cause the disconnection of active authentic connections or a reboot of the device.

CVE-2019-20046

The affected product does not require adequate authentication, which may allow an attacker to read sensitive information or execute arbitrary code.

Impact

  • Read sensitive information
  • Execute arbitrary code
  • Denial-of-service

Affected Vendors

Synergy Systems & Solutions (SSS)

Affected Products

HUSKY RTU 6049-E70 with firmware versions 5.0 and prior

Remediation

Upgrade to firmware Version 5.1.2 or higher.


Copyright © Rewterz. All rights reserved.