Severity
Medium
Analysis Summary
A new threat actor, tracked as “Vivin,” has been found conducting a long-term cryptomining campaign. The group is responsible for mining thousands of U.S. dollars’ worth of Monero cryptocurrency from its infected hosts. The actor used pirated software as the initial infection vector, masquerading its malware as popular software. Once the initial infection was complete, “Vivin” quickly moved on to common Windows tools. The actor has been successful at pivoting its infrastructure and wallets as needed to remain effective. Vivin set its miners to use up to 80 percent of a system’s CPU resources.
Impact
- Cryptocurrency mining
- Slow system performance
Indicators of Compromise
Source IP
- 116[.]203[.]234[.]128
- 116[.]203[.]29[.]111
Remediation
- Block the threat indicators at their respective controls.
- Prevent the use of pirated software on endpoints.
- Enable system resource monitoring to detect excessive or abnormal resource usage on endpoints.
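The following is an added detection example, not code from the advisory or from Rewterz. It turns two traits described above into checks a defender can run: the campaign's hosts borrowed Windows binary names (spoolsv, mstsc, mmc, lsass, csrss) as labels under dynamic-DNS domains, and the miners were pinned at up to 80 percent CPU. The DNS log format, client names, process names and CPU readings below are constructed for illustration.

```python
# Added detection example (not part of the advisory): flags lookups for hosts that
# borrow Windows binary names on dynamic-DNS domains, and sustained high-CPU processes.
import re
from collections import defaultdict

PROCESS_LABELS = {"spoolsv", "mstsc", "mmc", "lsass", "csrss"}  # labels seen in the campaign
DYNDNS_SUFFIXES = ("linkpc.net", "publicvm.com")  # dynamic-DNS domains the hosts sat under
CPU_THRESHOLD = 80.0  # the miners were set to use up to 80% of CPU
MIN_SAMPLES = 3       # consecutive readings above threshold before alerting
# Constructed log format (assumption): "<date> <time> <client> QUERY <fqdn>"
DNS_LINE = re.compile(r"^\S+ \S+ (?P<client>\S+) QUERY (?P<fqdn>\S+)$")

def suspicious_hostname(fqdn):
    """True when a hostname mimics a Windows binary on a dynamic-DNS domain."""
    name = fqdn.lower().rstrip(".")
    labels = name.split(".")
    return name.endswith(DYNDNS_SUFFIXES) and len(labels) >= 3 and labels[0] in PROCESS_LABELS

def clients_with_suspicious_lookups(log_lines):
    """Map each client to the set of suspicious hostnames it resolved."""
    hits = defaultdict(set)
    for line in log_lines:
        m = DNS_LINE.match(line.strip())
        if m and suspicious_hostname(m["fqdn"]):
            hits[m["client"]].add(m["fqdn"].lower())
    return dict(hits)

def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, min_samples=MIN_SAMPLES):
    """Return process names at or above threshold for min_samples consecutive
    readings; samples are (process_name, cpu_percent) tuples in time order."""
    streak, flagged = defaultdict(int), set()
    for proc, cpu in samples:
        streak[proc] = streak[proc] + 1 if cpu >= threshold else 0
        if streak[proc] >= min_samples:
            flagged.add(proc)
    return flagged

SAMPLE_DNS_LOG = [  # constructed sample input for a stand-alone run
    "2020-01-29 09:12:01 WKS-042 QUERY spoolsv.linkpc.net",
    "2020-01-29 09:12:05 WKS-042 QUERY update.example.com",
    "2020-01-29 09:13:10 WKS-017 QUERY photos.publicvm.com",
    "2020-01-29 09:14:22 WKS-017 QUERY csrss.publicvm.com",
]
SAMPLE_CPU = [("explorer.exe", 12.0), ("winupd.exe", 91.5), ("winupd.exe", 88.0),
              ("winupd.exe", 84.2), ("explorer.exe", 95.0), ("explorer.exe", 3.0)]

if __name__ == "__main__":
    print(clients_with_suspicious_lookups(SAMPLE_DNS_LOG))  # both clients flagged
    print(sustained_high_cpu(SAMPLE_CPU))                   # {'winupd.exe'}
```

A single spike (explorer.exe at 95 percent) is not reported; only a process that stays above the threshold across consecutive readings is, which matches a miner's steady load rather than a burst of legitimate work.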