Rewterz Threat Alert – Mirai variant – Mukashi Targeting Zyxel Network-Attached Storage Devices
March 21, 2020
Rewterz Threat Alert – TA505/EvilCorp Recent Activity – IoCs
March 22, 2020
Severity
High
Analysis Summary
Banking technology (FinTech) firm Finastra was hit by ransomware on Friday (March 20) and was forced to shut down key systems and send workers home, according to media reports. The company is based in London, has offices in 42 countries around the world, and employs 10,000 people. Last year the firm reported $2 billion in revenue. Nearly all of the 50 largest banks in the world are Finastra customers.
Bad Packets (a threat intelligence firm) reported that its internet-wide scans of 16 September 2019 had found Finastra running unpatched Pulse Secure VPN servers vulnerable to CVE-2019-11510 (RCE), leaving its systems exposed to attack. According to a Bad Packets report from January 2020, Finastra also ran outdated Citrix servers vulnerable to CVE-2019-19781. Since exploits for both vulnerabilities are publicly available, this made the company low-hanging fruit for attackers.
In a statement posted on its website, Finastra confirmed it was hit by a ransomware attack: “At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted.”
The Pulse Secure VPN vulnerability CVE-2019-11510 is commonly used by the REvil/Sodinokibi group in ransomware operations. The REvil (also known as Sodinokibi) ransomware was first identified on April 17, 2019. It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. The REvil group also rents its ransomware strain to other criminal groups. The group’s average ransom demand is $470,000 per company. Some notable capabilities of the ransomware are listed below.
· Exploit vulnerabilities to elevate privileges.
· Terminate blacklisted processes prior to encryption to eliminate resource conflicts.
· Encrypt non-whitelisted files and folders on local storage devices and network shares.
· Wipe the contents of blacklisted folders.
· Operate without a connection to C&C servers.
CVE-2019-11510
A security vulnerability in Pulse Secure SSL VPN that allows an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI and read arbitrary files on the device.
CVE-2019-19781
A directory traversal vulnerability in Citrix Application Delivery Controller (formerly NetScaler ADC) and Citrix Gateway that allows a remote, unauthenticated attacker to write a file to a location on disk.
Alerts for both vulnerabilities have been issued earlier; for Pulse Secure VPN, please refer to Advisory# 4898.
Impact
File encryption
Indicators of Compromise
SHA-256
Remediation
Block the threat indicators at their respective controls.
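One way to apply this remediation at the host level, as an added example that is not Rewterz’s own tooling: the script parses an IoC list written in the advisory’s `- <SHA-256>` format, normalises case (vendor lists are usually uppercase while hashing tools emit lowercase, so a naive string comparison silently misses every hit), and reports files under a directory whose hash matches. The IoC value and the sample files in `demo()` are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

def load_iocs(lines):
    """Parse advisory-style lines ('- <SHA-256>') into a lowercase hash set.

    Headings, blank lines and anything that is not a 64-hex-digit value are
    skipped; surviving values are lowercased so they compare equal to the
    lowercase digests produced by hashlib / sha256sum.
    """
    iocs = set()
    for line in lines:
        value = line.strip().lstrip("-").strip()
        if HEX64.match(value):
            iocs.add(value.lower())
    return iocs

def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def scan_directory(root, iocs):
    """Return [(path, sha256)] for every regular file whose hash is an IoC."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = sha256_file(path)
            if digest in iocs:
                hits.append((str(path), digest))
    return hits

def demo():
    """Constructed end-to-end run: one 'malicious' sample, one benign file."""
    sample = b"constructed sample standing in for a REvil dropper"
    # Constructed IoC list in the advisory's '- <HASH>' format (uppercase),
    # derived from the sample above so the example is self-contained.
    ioc_lines = ["SHA-256", "- " + hashlib.sha256(sample).hexdigest().upper()]
    iocs = load_iocs(ioc_lines)
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "sample.bin").write_bytes(sample)
        (Path(tmp) / "notes.txt").write_bytes(b"benign file")
        return [(Path(p).name, h) for p, h in scan_directory(tmp, iocs)]

if __name__ == "__main__":
    for name, digest in demo():
        print(f"IoC match: {name} {digest}")
```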