December 14, 2020
Severity
High
Analysis Summary
A widespread intrusion campaign has been uncovered, tracked as UNC2452. The actors behind it gained access to numerous public and private organizations around the world via trojanized updates to SolarWinds' Orion IT monitoring and management software. The campaign may have begun as early as spring 2020 and is currently ongoing. Post-compromise activity following the supply chain compromise has included lateral movement and data theft. FireEye is tracking this as a global intrusion campaign.
The attack began as a supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware called SUNBURST. The attacker's post-compromise activity leverages multiple techniques to evade detection. The campaign is widespread, affecting public and private organizations around the world, and is the work of a highly skilled actor; the operation was conducted with significant operational security.
Impact
- Unauthorized Access
- Data Theft
- Detection Evasion
- Global Intrusion
Indicators of Compromise
Domain Name
- avsvmcloud[.]com
- zupertech[.]com
- websitetheme[.]com
- thedoccloud[.]com
- panhardware[.]com
- incomeupdate[.]com
- highdatabase[.]com
- freescanonline[.]com
- deftsecurity[.]com
- databasegalore[.]com
Hostname
- mhdosoksaccf9sni9icp[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
- k5kcubuassl3alrf7gm3[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
- gq1h856599gqh538acqn[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com
- 7sbvaemscs0mc925tb99[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com
- 6a57jk2ba1d9keg15cbg[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
- appsync-api[.]us-west-2[.]avsvmcloud[.]com
MD5
- 846e27a652a5e1bfbd0ddd38a16dc865
- b91ce2fa41029f6955bff20079468448
- 2c4a910a1299cdae2a4e55988a2f102e
- 56ceb6d0011d87b6e4d7023d7ef85676
- 02af7cec58b9a5da1c542b5a32151ba1
SHA-256
- ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
- 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
- 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
- c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
- d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
SHA-1
- d130bd75645c2433f88ac03e73395fba172ef676
- 76640508b1e7759e548771a5359eaed353bf1eec
- 2f1a5a7411d015d01aaee4535835400191645023
- 75af292f34789a1c782ea36c7127bf6106f595e8
- 1b476f58ca366b54f34d714ffce3fd73cc30db1a
Source IP
- 51[.]89[.]125[.]18
- 5[.]252[.]177[.]25
- 5[.]252[.]177[.]21
- 204[.]188[.]205[.]176
- 139[.]99[.]115[.]204
Remediation
- Block the threat indicators at their respective controls.
- See the link below for further countermeasures.
- https://github.com/fireeye/sunburst_countermeasures/tree/main
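The remediation above asks for the indicators to be blocked at their respective controls. The matching side of that task, as an added example that is neither Rewterz's nor FireEye's code: refang the alert's defanged indicators, then sweep DNS query records and a file-hash inventory for them. Suffix matching is used for domains because the hostnames listed in the alert are per-victim subdomains of avsvmcloud[.]com, which an exact-match blocklist would miss. The DNS log format, the sample log lines, the file paths and the non-listed digest are constructed assumptions; the indicators themselves are copied from the alert.

```python
"""Sweep DNS records and a file-hash inventory for the indicators in this alert.
Added example, not Rewterz's or FireEye's tooling; all sample data is constructed."""
import re
from typing import List, Optional, Tuple

# Indicators copied from the alert in their defanged ("[.]") form.
DEFANGED_DOMAINS = [
    "avsvmcloud[.]com", "zupertech[.]com", "websitetheme[.]com",
    "thedoccloud[.]com", "panhardware[.]com", "incomeupdate[.]com",
    "highdatabase[.]com", "freescanonline[.]com", "deftsecurity[.]com",
    "databasegalore[.]com",
]
DEFANGED_IPS = [
    "51[.]89[.]125[.]18", "5[.]252[.]177[.]25", "5[.]252[.]177[.]21",
    "204[.]188[.]205[.]176", "139[.]99[.]115[.]204",
]
# Three of the alert's file hashes (one MD5, one SHA-1, one SHA-256). A single
# set serves whichever digest the inventory tool happened to record.
FILE_HASHES = {
    "846e27a652a5e1bfbd0ddd38a16dc865",
    "d130bd75645c2433f88ac03e73395fba172ef676",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
}


def refang(indicator: str) -> str:
    """Turn the defanged 'example[.]com' form back into 'example.com'."""
    return indicator.replace("[.]", ".").strip().lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def domain_match(qname: str) -> Optional[str]:
    """Return the listed domain that qname equals or sits under, else None.

    Suffix matching is deliberate: the alert's hostnames are per-victim
    subdomains of avsvmcloud.com, so exact matching alone would miss them.
    A trailing dot (FQDN form) is tolerated.
    """
    q = qname.strip().lower().rstrip(".")
    for d in DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed (assumed) DNS log format: "<ts> client=<ip> qname=<name> answer=<ip|->"
DNS_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, indicator) for every line that touches an IoC,
    either through the queried name or through the resolved address."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        client, qname, answer = m["client"], m["qname"], m["answer"]
        ioc = domain_match(qname)
        if ioc is None and answer in IPS:
            ioc = answer
        if ioc is not None:
            hits.append((client, qname, ioc))
    return hits


def scan_hashes(records: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """records are (path, digest) pairs; return those whose digest is listed.
    Digests are compared case-insensitively since tools differ in casing."""
    return [(path, digest.lower()) for path, digest in records
            if digest.lower() in FILE_HASHES]


# Constructed sample data (not real telemetry).
SAMPLE_DNS = [
    "2020-12-14T09:00:01Z client=10.1.2.3 qname=www.example.org answer=203.0.113.5",
    "2020-12-14T09:00:05Z client=10.1.2.7 qname=6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com answer=-",
    "2020-12-14T09:00:09Z client=10.1.2.9 qname=update.internal.example answer=5.252.177.25",
    "garbage line that does not parse",
]
SAMPLE_FILES = [
    (r"C:\constructed\sample.dll", "846E27A652A5E1BFBD0DDD38A16DC865"),
    (r"C:\constructed\benign.exe", "00000000000000000000000000000000"),
]

if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS):
        print(f"DNS hit: {client} -> {qname} (indicator {ioc})")
    for path, digest in scan_hashes(SAMPLE_FILES):
        print(f"Hash hit: {path} {digest}")
```

Run against real exports by replacing SAMPLE_DNS and SAMPLE_FILES with lines from the resolver and hashes from the endpoint inventory; the second sample line shows why the domain check has to be a suffix match, and the third shows a hit that would be missed entirely if only query names, and not resolved answers, were inspected.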