Rewterz Threat Alert – KashmirBlack Botnet Targets Victims in 30 Countries

October 27, 2020

Severity

High

Analysis Summary

The KashmirBlack botnet has been detected in attacks that mine cryptocurrency and send spam; its spam component targets known WordPress plugins. The botnet mainly infects popular CMS platforms, exploiting dozens of known vulnerabilities on its victims' servers and performing millions of attacks per day on average against thousands of victims in more than 30 countries. Its well-designed infrastructure makes it easy to add new exploits or payloads with little effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation. The operation is managed by a single C&C (command and control) server and uses more than 60 further servers, mostly innocent surrogates, as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute-force attacks, install backdoors, and expand the botnet. Its main targets are content management systems such as WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart and Yeager. The botnet is capable of unrestricted file upload, remote command execution, directory traversal, brute force and account takeover.

[Figure 1: KashmirBlack botnet flow diagram]

Exploitation attempts against the PHPUnit RCE vulnerability (CVE-2017-9841) to infect targets with the KashmirBlack malicious script have also been detected. The botnet uses the XMRig miner to mine Monero to a remote wallet on a HashVault pool.

Impact

  • Remote Command Execution
  • Account Compromise
  • Device Takeover
  • Unauthorized Resource Consumption

Indicators of Compromise

Domain Name

  • naveen[.]cmgtestsites[.]com
  • repositorybsd[.]uk[.]to
  • tiwiter[.]ignorelist[.]com

Source IP

  • 134[.]249[.]116[.]78
  • 192[.]254[.]193[.]145
  • 37[.]9[.]175[.]24
  • 5[.]189[.]190[.]167
  • 111[.]118[.]212[.]254
  • 94[.]130[.]134[.]49
  • 35[.]240[.]210[.]71

URL

  • http[:]//littlepray[.]org/css/inmemoryjq[.]css
  • http[:]//sunrisenurseryschool[.]com/css/inmemoryelf[.]css
  • http[:]//wearecmg[.]com/css/inmemoryrev[.]css
  • http[:]//wearecmg[.]com/css/inmemorycms[.]css
  • http[:]//visbau[.]si/css/inmemoryupl[.]css
  • http[:]//1academy[.]asia/css/inmemoryplp[.]css
  • http[:]//indigo-tatu[.]si/css/inmemoryplp[.]css
  • http[:]//repositorybsd[.]uk[.]to/traber[.]pl
  • http[:]//lunabar[.]sk/css/inmemorywi[.]css

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems and software updated to the latest patched versions.
  • Deactivate unused plugins and extensions on the CMS you are using.
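The first remediation step assumes the indicators above are searchable in your own telemetry. The following Python script is an added example, not part of the Rewterz advisory: it refangs the domains, source IPs and URLs listed in this alert and scans log lines for them. The log lines are constructed for the example (squid-style proxy entries, BIND-style DNS query entries and Apache-style access-log entries), and the IP and domain patterns are bounded on token edges so that a listed IP does not fire inside a longer, unrelated address.

```python
import re
from dataclasses import dataclass

# Indicators exactly as the advisory lists them, in defanged form.
DEFANGED_DOMAINS = [
    "naveen[.]cmgtestsites[.]com",
    "repositorybsd[.]uk[.]to",
    "tiwiter[.]ignorelist[.]com",
]
DEFANGED_IPS = [
    "134[.]249[.]116[.]78",
    "192[.]254[.]193[.]145",
    "37[.]9[.]175[.]24",
    "5[.]189[.]190[.]167",
    "111[.]118[.]212[.]254",
    "94[.]130[.]134[.]49",
    "35[.]240[.]210[.]71",
]
DEFANGED_URLS = [
    "http[:]//littlepray[.]org/css/inmemoryjq[.]css",
    "http[:]//sunrisenurseryschool[.]com/css/inmemoryelf[.]css",
    "http[:]//wearecmg[.]com/css/inmemoryrev[.]css",
    "http[:]//wearecmg[.]com/css/inmemorycms[.]css",
    "http[:]//visbau[.]si/css/inmemoryupl[.]css",
    "http[:]//1academy[.]asia/css/inmemoryplp[.]css",
    "http[:]//indigo-tatu[.]si/css/inmemoryplp[.]css",
    "http[:]//repositorybsd[.]uk[.]to/traber[.]pl",
    "http[:]//lunabar[.]sk/css/inmemorywi[.]css",
]


def refang(indicator: str) -> str:
    """Undo the '[.]' and '[:]' defanging so the indicator can be matched literally."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based index of the matching log line
    kind: str         # "ip", "domain" or "url"
    indicator: str    # refanged indicator that matched


def _compile_patterns():
    """One compiled regex per indicator.

    IPs must not be preceded or followed by a digit or dot, so 37.9.175.24
    does not match inside 137.9.175.241. Domains must sit on a token boundary
    but may be preceded by a dot, so a longer hostname under a listed domain
    still matches. URLs are matched literally, case-insensitively.
    """
    patterns = []
    for ip in map(refang, DEFANGED_IPS):
        patterns.append(("ip", ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")))
    for dom in map(refang, DEFANGED_DOMAINS):
        patterns.append(("domain", dom,
                         re.compile(r"(?<![\w-])" + re.escape(dom) + r"(?![\w-])", re.IGNORECASE)))
    for url in map(refang, DEFANGED_URLS):
        patterns.append(("url", url, re.compile(re.escape(url), re.IGNORECASE)))
    return patterns


PATTERNS = _compile_patterns()


def scan_logs(lines):
    """Return a Hit for every (line, indicator) match; one line can yield several."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, indicator, pattern in PATTERNS:
            if pattern.search(line):
                hits.append(Hit(n, kind, indicator))
    return hits


# Constructed sample log lines for the example; the 10.0.0.x and 203.0.113.x
# addresses are placeholders, not indicators from the advisory.
SAMPLE_LOGS = [
    # squid-style outbound proxy entries: time client status size method url ...
    "1603792801.101 10.0.0.5 TCP_MISS/200 4122 GET http://littlepray.org/css/inmemoryjq.css - HIER_DIRECT/203.0.113.9 text/css",
    "1603792802.202 10.0.0.5 TCP_MISS/200 812 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html",
    "1603792803.303 10.0.0.6 TCP_MISS/200 990 GET http://repositorybsd.uk.to/traber.pl - HIER_DIRECT/203.0.113.11 text/plain",
    # BIND-style resolver query-log entries
    "27-Oct-2020 10:00:04.404 queries: info: client 10.0.0.7#53122: query: tiwiter.ignorelist.com IN A + (10.0.0.1)",
    "27-Oct-2020 10:00:05.505 queries: info: client 10.0.0.7#53123: query: www.example.org IN A + (10.0.0.1)",
    # Apache-style access-log entries; the source IP is the first field
    '37.9.175.24 - - [27/Oct/2020:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2417',
    '137.9.175.241 - - [27/Oct/2020:10:00:07 +0000] "GET / HTTP/1.1" 200 1024',
]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.indicator}")
```

Run against real logs, replace SAMPLE_LOGS with the lines read from the proxy, resolver or web server in question; the third proxy line shows why URL and domain indicators are kept separate, since a single request to repositorybsd.uk.to/traber.pl produces one hit of each kind, while the last access-log line shows the boundary check suppressing the partial-address false positive.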
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.