Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 19, 2023Severity Medium Analysis Summary CVE-2022-42436 IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. Impact Indicators Of Compromise […]March 19, 2023Severity Medium Analysis Summary CVE-2023-0027 Rockwell Automation Modbus TCP AOI Server could allow a remote attacker to obtain sensitive information. By sending a malformed message, an […]March 17, 2023Severity High Analysis Summary CVE-2023-27984 CVSS:7.8 Schneider Electric IGSS could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 19, 2023Severity Medium Analysis Summary CVE-2022-42436 IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. Impact Indicators Of Compromise […]March 19, 2023Severity Medium Analysis Summary CVE-2023-0027 Rockwell Automation Modbus TCP AOI Server could allow a remote attacker to obtain sensitive information. By sending a malformed message, an […]March 17, 2023Severity High Analysis Summary CVE-2023-27984 CVSS:7.8 Schneider Electric IGSS could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Network Routers Hit with Glupteba Campaign
September 5, 2019Rewterz Threat Advisory – Cisco Webex Teams Logging Feature Command Execution Vulnerability
September 5, 2019
Severity
Medium
Analysis Summary
A newly discovered social engineering toolkit has distributed a wide range of phony web page overlays, generating at least 100,000 page views in a few weeks.
Domen uses a cleverly written client-side script (“template.js”) to deliver these fraudulent overlays, which are loaded as an iframe from compromised websites and displayed on top of the website’s actual legitimate content. Most of the compromised websites run on WordPress.
The single JavaScript file controls a variety of templates depending on the browser, operating system, and locale. For instance, the same fake error message is translated into 30 different languages. Some sample templates can be seen below.
Every time a user visits a compromised site that has been injected with the Domen toolkit, communication takes place with a remote server hosted at asasasqwqq[.]xyz
The Domen toolkit offers the same fingerprinting (browser, language) and choice of templates using client-side (template.js) script which includes a range of browsers, desktops, and mobiles in about 30 different languages.
Impact
Unauthorized system access
Indicators of Compromise
URLs
- hxxp[:]//xyxyxyxyxy[.]xyz/wwwwqwe/11223344[.]exe
- hxxp[:]//mnmnmnmnmnmn[.]club/qweeewwqe/112233[.]exe
- drumbaseuk[.]com
- chrom-update[.]online
- xyxyxyxyxy[.]xyz
- http[:]//sygicstyle[.]xyz/
- http[:]//asasasqwqq[.]xyz/
- mnmnmnmnmnmn[.]club
Malware Hash (MD5/SHA1/SH256)
- 9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0
- 632919692a6597419ba2a32b821e82cc
- b832dc81727832893d286decf50571cc740e8aead34badfdf1b05183d2127957
- 852c0299c8b17235551b5ea2c82e648b
- 58585d7b8d0563611664dccf79564ec1028af6abb8867526acaca714e1f8757d
- 7b129aeb6634ce822ed865ff6a299411
Remediation
- Block the threat indicators at their respective controls.
- Always download updates from legitimate websites.
- Do not follow random links/URLs even if they begin with https.
- Aware employees about social engineering campaigns that utilize the ‘fear’ of victims, threatening to cause loss of data.