January 14, 2020
Severity
High
Analysis Summary
A malicious LNK (Windows shortcut) file targets the Maldives Ministry of Foreign Affairs. The LNK is configured to download and execute an HTA file. This is an active campaign against the Maldives government; its motive is still unknown.
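As an added example (not part of the advisory), a small detector over constructed Sysmon-style process-creation records that flags the execution pattern this campaign relies on: mshta.exe fetching and running remote HTA content after a shortcut is opened. The hostnames, paths and field layout in the samples are placeholders, not the indicators listed on this page.

```python
import re

# Constructed Sysmon-style process-creation records ("field=value" pairs
# separated by "|"). Hostnames and paths are placeholders, not the
# indicators from the advisory.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe http://placeholder.invalid/inauguration_.hta"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe C:\\Users\\user\\Downloads\\notes.hta"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    "|CommandLine=firefox.exe https://placeholder.invalid/"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe https://placeholder.invalid/report.pdf"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe",
]

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)

def parse_event(line):
    """Split one record into a dict of field -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(event):
    """Return (severity, reason) for an mshta.exe execution, else None."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    if not image.endswith("\\mshta.exe"):
        return None
    urls = [m.group(0) for m in URL_RE.finditer(cmd)]
    if urls:
        # mshta runs whatever it fetches; the URL's extension is not enforced,
        # so any remote URL is flagged, not only ones ending in .hta.
        return ("high", "mshta.exe fetching and executing remote content: " + urls[0])
    if ".hta" in cmd.lower() and parent.endswith("\\explorer.exe"):
        # Local HTA launched from the shell (double-clicked file or shortcut).
        return ("medium", "local HTA launched via explorer.exe; review the file and any LNK that started it")
    return ("low", "mshta.exe execution without remote content; baseline against normal usage")

def run_detection(lines):
    """Return [(severity, reason, command line)] for every mshta.exe record."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append((verdict[0], verdict[1], event.get("CommandLine", "")))
    return findings
```

In a real deployment the same rules map directly onto Sysmon Event ID 1 (or EDR process-start) fields, and the high-severity case is the one to alert on immediately.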
Impact
Exposure of sensitive information
Indicators of Compromise
MD5
- dc7b7eb1a9312890bfd8371e51508d00
- 00648c4a077de9608e387164af4b392d
SHA-256
- d928aae8fb1b678be629a3f1bf1ae1accd54a21b25a6f4d8ecf4641cbd4eacf2
- 6616bd8b0919ad2460d5ebd78e7769e03bd21d7c3fdc1c08f537e92c01015721
SHA1
- 08eb7aadd30b782ff6cbf60df23885908f7c4074
- 6d2d29ad5113752eb55921079f5cf54a10d5f9ac
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.