Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – QBot Using Windows Defender Antivirus as Phishing Bait
October 13, 2020Rewterz Threat Advisory – ICS: MOXA NPort IAW5000A-I/O Series Multiple Vulnerabilities
October 14, 2020
Severity
High
Analysis Summary
An APT group yet undisclosed has gained access to government networks by combining VPN and Windows bugs. Attacks have targeted federal and state, local, tribal, and territorial (SLTT) government networks. Attacks against non-government networks have also been detected. The attacks combined two security flaws known as CVE-2018-13379 and CVE-2020-1472.
CVE-2018-13379 is a vulnerability in the Fortinet FortiOS Secure Socket Layer (SSL) VPN, an on-premise VPN server designed to be used as a secure gateway to access enterprise networks from remote locations. It allows attackers to upload malicious files on unpatched systems and take over Fortinet VPN servers.
CVE-2020-1472, also known as Zerologon, is a vulnerability in Netlogon, the protocol used by Windows workstations to authenticate against a Windows Server running as a domain controller. The vulnerability allows attackers to take over domain controllers, servers users to manage entire internal/enterprise networks and usually contain the passwords for all connected workstations.
Security experts say that attackers are combining these two vulnerabilities to hijack Fortinet servers and then pivot and take over internal networks using Zerologon.
Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Hackers could also swap the Fortinet bug for any other vulnerability in VPN and gateway products that have been disclosed over the past few months and which provide similar access.
This includes vulnerabilities in:
- Pulse Secure “Connect” enterprise VPNs (CVE-2019-11510)
- Palo Alto Networks “Global Protect” VPN servers (CVE-2019-1579)
- Citrix “ADC” servers and Citrix network gateways (CVE-2019-19781)
- MobileIron mobile device management servers (CVE-2020-15505)
- F5 BIG-IP network balancers (CVE-2020-5902)
All the vulnerabilities listed above provide “initial access” to servers often used on the edge of enterprise and government networks. These vulnerabilities can also be easily chained with the Zerologon Windows bug for similar attacks as the Fortinet+Zerologon intrusions. ZeroLogon was also paired with WordPress Flaws last week to target domain controllers.
Impact
- Unauthorized Access
- Code Execution
- Device Takeover
- Network Compromise
Remediation
- Immediately patch all vulnerabilities reported in this advisory.
- Keep all systems and software updated to latest patched versions.