Rewterz Threat Advisory – Apache ActiveMQ message.jsp cross-site scripting
February 9, 2021
Rewterz Threat Advisory – Apache Ambari directory traversal
February 9, 2021
Severity
High
Analysis Summary
The threat actor Confucius has recently been active, targeting Pakistan with malicious files. The Confucius APT group's campaigns were reportedly active as early as 2013, abusing Yahoo! and Quora forums as part of their command-and-control (C&C) communications. Confucius' operations include deploying bespoke backdoors and stealing files from victims' systems with tailored file stealers. The stolen files are then exfiltrated by abusing a cloud service provider. Some of these file stealers specifically target files on USB devices, probably to reach across air-gapped environments.
Impact
Information theft and espionage
Indicators of Compromise
Filename
- update
MD5
- feb6a0dc922843c710bd18edddb67980
SHA-256
- 8ecf1c276e10e3f3e9f7bc9e728fde9abea23348a2af6ce70269008d632a412d
SHA-1
- f317a837f52c4488e3de6eb665f13ae582474b47
URL
- http[:]//mlservices[.]online/sync/update
- http[:]//mlservices[.]online/content/upgrade
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
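A defender-side check for the "search for IOCs" step above, added here as an example and not Rewterz's own tooling: it refangs the published URLs so they can be matched against real log data, computes all three listed hash types for a file (so a match on any of MD5, SHA-1 or SHA-256 is caught), and scans constructed sample proxy log lines for exact-URL hits and for any other request to the same host. The log format and the sample lines are assumptions for the demonstration.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from the advisory above; URLs are kept defanged as published.
IOC_HASHES: Dict[str, set] = {
    "md5": {"feb6a0dc922843c710bd18edddb67980"},
    "sha1": {"f317a837f52c4488e3de6eb665f13ae582474b47"},
    "sha256": {"8ecf1c276e10e3f3e9f7bc9e728fde9abea23348a2af6ce70269008d632a412d"},
}
IOC_URLS_DEFANGED = [
    "http[:]//mlservices[.]online/sync/update",
    "http[:]//mlservices[.]online/content/upgrade",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', '[:]', 'hxxp') back to its real form for matching."""
    return (indicator.replace("[.]", ".")
            .replace("[:]", ":")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
# Host part of each URL, so a different path on the same host is still flagged.
IOC_DOMAINS = {re.sub(r"^https?://", "", u).split("/")[0].lower() for u in IOC_URLS}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory blob, so any listed hash type can match."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """The same three digests for a file on disk, read once in 1 MiB chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Names of the algorithms whose digest appears on the IoC list (empty list = no match)."""
    return [alg for alg, value in digests.items() if value.lower() in IOC_HASHES.get(alg, set())]


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def classify_url(url: str) -> Optional[str]:
    """'url' for an exact IoC URL, 'domain' for any other path on an IoC host, None otherwise."""
    url = refang(url)
    if url in IOC_URLS:
        return "url"
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()
    if host in IOC_DOMAINS:
        return "domain"
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, match kind, matched URL) for every IoC hit in proxy/web log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            kind = classify_url(url)
            if kind:
                hits.append((n, kind, refang(url)))
    return hits


# Constructed sample proxy log (not real traffic): one exact-URL hit, one same-host hit, one benign line.
SAMPLE_LOG = [
    "2021-02-09T10:15:01Z 10.0.0.21 GET http://mlservices.online/sync/update 200 51234",
    "2021-02-09T10:15:07Z 10.0.0.21 GET http://mlservices.online/favicon.ico 404 0",
    "2021-02-09T10:16:44Z 10.0.0.33 GET https://www.example.com/index.html 200 1024",
]

if __name__ == "__main__":
    for line_no, kind, url in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} match -> {url}")
    print("IoC hash hit:", match_hashes({"md5": "feb6a0dc922843c710bd18edddb67980"}))
```

The host-level match is deliberate: a second request to the same host with a different path is still worth a ticket, since the listed paths are only the two observed at publication time. The filename indicator ("update") is too generic to match on by itself and is better used as a pivot once a hash or URL hit is confirmed.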