Rewterz Threat Alert – Mirai variant – Mukashi Targeting Zyxel Network-Attached Storage Devices

March 21, 2020

Rewterz Threat Alert – TA505/EvilCorp Recent Activity – IoCs

March 22, 2020

Rewterz Threat Alert – Banking technology FinTech Firm Finastra hit by ransomware

March 21, 2020

Severity

High

Analysis Summary

Banking technology FinTech Firm Finastra was hit by ransomware on Friday (March 20), and was forced to close key systems and send workers home, according to media reports. The company is based in London and has offices in 42 countries around the world, with 10,000 employees on its workforce. Last year, the firm reported $2 billion in revenue. Nearly all 50 of the top banks in the world Finastra’s customers.

Bad Packets (Threat intel firm) report of internet-wide scans 16September2019 had discovered pulse secure VPN servers unpatched prone to CVE 2019-11510 RCE leaving its systems exposed to attacks. According to Bad Packets report of January2020, Finastra also ran outdated Citrix servers prone to CVE-2019-19781 since exploits for both vulnerabilities are publicly available makes it low hanging fruit for attackers.

In a statement posted on its website Finastra mentioned it was hit by ransomware attack “At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted.”

Pulse secure VPN vulnerability CVE2019-11510 usually used by REvil/Sodinokibi group in ransomware ops. The REvil (also known as Sodinokibi) ransomware was first identified on April 17, 2019. It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers.The REvil group also rents its ransomware strain to other criminal groups. Average ransom demand by REvil group is $470,000 per company some notable capabilities of the group are mentioned below.

· Exploiting vulnerabilities to elevate privileges.

· Terminate blacklisted processes prior to encryption to eliminate resource conflicts.

· Encrypt non-whitelisted files and folders on local storage devices and network shares.

· Wipe the contents of blacklisted folders.

· Can operate without connection C&C Servers.

CVE-2019-11510
A Security vulnerability in Pulse Secure SSL VPN which allows Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.

CVE-2019-19781
A directory traversal vulnerability in the Citrix NetScaler Application Discovery Controller and Citrix Gateway which would allow a remote, unauthenticated user to write a file to a location on disk.

Alert for both vulnerabilities have been issued earlier for Pulse Secure VPN please refer to Advisory# 4898

Impact

File encryption

Indicators of Compromise

SHA-256

64F3D2DB7A782FEF79F46763D4EE2F83DE2D656BA5813E3B3D873C17DAE3CA2E
A6E5F904CE74936407A4A7E4A3AD707432958FBE02A672F8809960E1AD219F5F
0FA207940EA53E2B54A2B769D8AB033A6B2C5E08C78BF4D7DADE79849960B54D
471947A9BA64F71E81F529E471435AE48DB4AFB25FFE1CECB0EFD847027CA1BC
86F0A102ED4A4F82F843484CC045DF5BEA53118D25496086A68A7F791A3AB27B
45DAF535C264A70DD04B7A51D112D2A4D779C5F0E3E8DCDE80DE72B6C0BC27DD
DFFDED6BD5B6A13E6625B48336EBB921DD2F980CF29BED0ABFC1ED117DD0C080
851A9E35CEBA611334C5D648912ECBFC2860314C3CFE9E61C09416F532B8EC84
6EE31044D9623CEB840C2DC1F1014889453C24039AB7FC3C037DBE1E98028DDB
C36581FF6A62C78B007739BDF51724BC1A0F7628F339122AE5ACA2D146017F7F
CE3B28C084C9CE34483C45A18F56EBEA6F3942113535B612881742EF91DC7F09
8BF7A344480C29B572FCEAD838C863093A5C88BA21D51085B6FC6EC3D8E8FBAC
0BDFCBB90CBF47AF585C0C34565398F372F35F23CFBB095ECFA54B7D40818B82
94AEBCB7C2B2BCF51A848F0B24A6B14F3190BF95E413D16464E8839CCE04064A
F2C6056ED8643D3A134F87468B54F080C3074C449CE46D09AA40B8DF03B6FBDF
945C313C849BEA793152F9D69FF5F97609586886439074D355ECDDDD95212FB8
4748E9729F2E0B1BB151950CDAA75D51AD74612A1C12FF124A492A9A67C2F49B
4871BEA79E651791FB79EF0BC46F61E728C41D27E7F5B8877D0958A8672F26EA
B77D16E84820F35080A9CE126AC011AEE73D3F0BD1A55D459CF86659BA1CBC4B

Remediation

Block the threat indicators at their respective controls.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us