Rewterz Threat Alert – FIN8 Returns With Improved BADHATCH Toolkit
March 16, 2021
Severity
High
Analysis Summary
Five known vulnerabilities are being actively exploited to serve a Mirai variant. These attacks are ongoing; upon successful exploitation, the attackers attempt to download a malicious shell script that carries out further infection steps, such as downloading and executing Mirai variants and brute-forcers.
The vulnerabilities being exploited include:
- VisualDoor – a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
- CVE-2020-25506 – a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
- CVE-2021-27561 and CVE-2021-27562 – two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
- CVE-2021-22502 – an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
- CVE-2019-19356 – a Netis WF2419 wireless router RCE vulnerability, and
- CVE-2020-26919 – a Netgear ProSAFE Plus RCE vulnerability
Payloads of Exploits
1. VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
2. CVE-2020-25506: D-Link DNS-320 Firewall Remote Command Execution Vulnerability
3. CVE-2021-27561 and CVE-2021-27562: Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability
4. CVE-2021-22502: Micro Focus Operation Bridge Reporter (OBR) Remote Code Execution
5. CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution Vulnerability
Impact
- Remote code execution
- Command Injection
- Pre-Auth ‘root’ Level Remote Code Execution
Affected Vendors
- Sonicwall
- D-Link
- Netgear
- Netis
- Yealink
Remediation
- Customers are strongly advised to apply patches whenever possible.
- Filter malicious URLs and malicious domains.
- Search for IOCs in your environment.