Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023
Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Starbleed Attacks on Data Centers, IoT Devices, Industrial Equipment using FPGA Chips
April 21, 2020Rewterz Threat Advisory – Multiple Vulnerabilities in IBM Data Risk Manager
April 21, 2020
Severity
High
Description
The Chinese espionage group PIGFISH (a.k.a. APT41) has launched a global intrusion campaign starting from January 20th. FireEye reported that these intrusions seems to focus on the exploitation of the CVE-2019-19781 (Citrix ADC), CVE-2020-10189 (Zoho ManageEngine zero-day), and CVE-2019-1653 and CVE-2019-1652 (Cisco RV320/RV325 routers) vulnerabilities to achieve remote code execution for initial access.
Analysis Summary
Chinese actor APT41 is carrying out one of the broadest campaigns, currently going on and having started in January. APT41 is attempting to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 organizations in 20 countries.
Targeted Countries: The campaign targeted victims in Qatar, Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and USA.
Targeted Industries: The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility.
Vulnerabilities Exploited: CVE-2019-19781 in Citrix NetScaler/ADC, CVE-2019-1652 and CVE-2019-1653 in Cisco routers, and CVE-2020-10189 in Zoho ManageEngine Zero-Day Vulnerability,CVE-2019-3396 in Widget Connector macro in Atlassian Confluence Server.
Impact
- Unauthorized Access
- Malicious Code Execution
- Privilege Escalation
- Defense Evasion
- Data Exfiltration
- System Compromise
Indicators of Compromise
Domain Name
- exchange[.]dumb1[.]com
MD5
- 7966c2c546b71e800397a67f942858d0
- 5909983db4d9023e4098e56361c96a6f
- 3e856162c36b532925c8226b4ed3481c
SHA-256
- de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc
- f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c
- d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309
Source IP
- 91[.]208[.]184[.]78
- 74[.]82[.]201[.]8
- 66[.]42[.]98[.]220
Remediation
- Block the threat indicators at their respective controls.
- Upgrade all of your vulnerable appliances to a fixed build of the appliance at your earliest.