Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Formbook Malware – Active IOCs
April 27, 2021Rewterz Threat Advisory – Multiple Apache Vulnerabilities
April 28, 2021
Severity
High
Analysis Summary
The FBI and the CISA are warning of continued cyberthreats stemming from Russia’s Foreign Intelligence Service, or SVR, often associated with SolarWinds supply chain attack. Several tools and techniques used by the SVR have been discovered, including the exploitation of several well-known vulnerabilities found in SolarWinds products and VPNs that allow for remote access to networks.
Attackers associated with the SVR continue to update their techniques to avoid detection. Following TTPs have been observed recently:
- Shift from planting malware in networks to hacking cloud-based applications, especially email, to steal data and other information
- The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software
- Usage of some of the same techniques leveraged in the SolarWinds supply chain attack to target others
- Password spraying activity in a ‘low and slow’ manner, attempting a small number of passwords at infrequent intervals
- Usage of large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile and The Onion Router (TOR) addresses
- Taking advantage of misconfigurations within the targeted organization’s systems and applications
- Authentication on non-administrative accounts as well as administrator’s account
- Accessing a wide variety of email accounts
- Covering up the attack by using proxy servers
- Minimal overlap between the VPSs used for different compromised accounts
Earlier, this APT exploited a zero-day vulnerability in Citrix’s Application Delivery Controller and Gateway products to attack another unnamed organization.
Impact
- Unauthorized Remote Access
- Detection Evasion
- Security Bypass
- Network Compromise
Indicators of Compromise
Domain Name
- globalnetworkissues[.]com
- seobundlekit[.]com
- thedoccloud[.]com
- virtualwebdata[.]com
- websitetheme[.]com
- deftsecurity[.]com
- digitalcollege[.]org
- freescanonline[.]com
- kubecloud[.]com
- solartrackingsystem[.]net
- sense4baby[.]fr
- globalnetworkissues[.]com
- seobundlekit[.]com
- thedoccloud[.]com
- eyetechltd[.]com
- deftsecurity[.]com
- digitalcollege[.]org
- freescanonline[.]com
- kubecloud[.]com
- solartrackingsystem[.]net
- virtualwebdata[.]com
- megatoolkit[.]com
- websitetheme[.]com
- zupertech[.]com
- incomeupdate[.]com
- highdatabase[.]com
- onetechcompany[.]com
- databasegalore[.]com
- panhardware[.]com
- mobilnweb[.]com
- infinitysoftwares[.]com
- swipeservice[.]com
- datazr[.]com
- bigtopweb[.]com
- ervsystem[.]com
- lcomputers[.]com
- olapdatabase[.]com
- gallerycenter[.]org
- nikeoutletinc[.]org
- virtualdataserver[.]com
- techiefly[.]com
- financialmarket[.]org
- aimsecurity[.]net
- srfnetwork[.]org
- reyweb[.]com
- webcodez[.]com
Source IP
- 185[.]185[.]117[.]15
- 18[.]220[.]219[.]143
- 3[.]16[.]81[.]254
- 54[.]215[.]192[.]52
- 46[.]32[.]252[.]175
- 13[.]59[.]205[.]66
- 13[.]57[.]184[.]217
- 54[.]193[.]127[.]66
- 3[.]87[.]182[.]149
- 34[.]219[.]234[.]134
- 18[.]217[.]225[.]111
- 45[.]89[.]106[.]3
- 34[.]203[.]203[.]23
- 18[.]253[.]52[.]187
- 51[.]89[.]125[.]18
- 5[.]252[.]177[.]25
- 139[.]99[.]115[.]204
- CONFIDENTIAL 4
- 144[.]217[.]174[.]58
- 5[.]252[.]177[.]21
- 204[.]188[.]205[.]176
- 172[.]97[.]71[.]162
- 107[.]152[.]35[.]77
- 162[.]241[.]124[.]32
- 51[.]195[.]70[.]74
- 45[.]150[.]4[.]10
- 45[.]10[.]21[.]121
- 198[.]12[.]75[.]112
- 162[.]223[.]31[.]184
- 192[.]3[.]31[.]210
- 135[.]181[.]10[.]254
- 158[.]69[.]243[.]52
- 66[.]172[.]27[.]175
- 93[.]119[.]106[.]69
- 23[.]92[.]211[.]15
- 199[.]241[.]143[.]102
- 185[.]225[.]69[.]69
Remediation
- Block the threat indicators at their respective controls.
- Keep all systems and software updated to latest patched versions.
- Prioritize a vulnerability management process to patch them as soon as updates are available.
- Look for compromises within your networks and scan for IoCs.
- Enable multi-factor authentication wherever possible.