October 8, 2020
Severity
High
Analysis Summary
The Zerologon vulnerability (CVE-2020-1472) would allow a malicious actor with a foothold on your internal network to become Domain Admin with essentially just one click. This scenario is possible whenever the attacker can reach the Domain Controller over the network. The attacks described here leverage a WordPress File Manager plugin vulnerability that is already being exploited in the wild.
CVE-2020-25213: The File Manager (wp-file-manager) plugin before version 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code, because it renames an unsafe example elFinder connector file to have the .php extension. This allows attackers, for example, to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. CVE-2020-25213 was exploited in the wild in August and September 2020.
Threat actors have been abusing this vulnerability in the File Manager plugin, which allows arbitrary code execution on the server side (an RCE vulnerability). Figure 1 illustrates the problem described here.
By September 10, over 2.6 million sites had been attacked. Meanwhile, CVE-2020-25213, which affects the WordPress File Manager (wp-file-manager) plugin, continues to be exploited by criminals.
So far, this flaw has been exploited in multiple attacks: in phishing campaigns; to implant backdoors that steal data, credit card information, or other sensitive information (PII); to add cryptominers (JavaScript) to the source code of specific pages (e.g., index.php); and to escalate into the internal network by abusing the Zerologon vulnerability to attack Domain Controllers.
Criminals have taken advantage of web vulnerabilities to obtain a privileged shell on internal networks. Network reconnaissance has been carried out through lateral movement, and Domain Controllers have been identified and exploited with Zerologon. This vulnerability is critical: it is based on a cryptographic flaw and allows the machine account password to be set to an empty value.
Finally, the Domain Controller's NTLM hashes can then be exfiltrated remotely. Note that the machine password must be restored quickly; otherwise the DCs will not synchronize, which can break the network.
Impact
- Privilege Escalation
- Privilege Abuse
- Unauthorized Access
- Remote Code Execution
- Website Takeover
Indicators of Compromise
Remediation
- Update the WordPress File Manager plugin to version 6.9.
- Block the Zerologon-associated IoCs at their respective controls.
- Find which devices are making vulnerable connections by monitoring event logs.
- Install the latest software update from Microsoft as soon as possible.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
Step 1 of installing the updates released August 11, 2020 or later will address the security issue in CVE-2020-1472 for Active Directory domains and trusts, as well as Windows devices. This release:
- Enforces secure RPC usage for machine accounts on Windows based devices.
- Enforces secure RPC usage for trust accounts and for all Windows and non-Windows DCs.
- Includes a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the enforcement phase starts, allowed devices will not be refused connection.
- Introduces the FullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts (the enforcement phase will update DCs to DC enforcement mode).
- Includes new events logged when accounts are denied, or would be denied, in DC enforcement mode (these continue to be logged in the enforcement phase).
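As an added example (not part of the Rewterz advisory or of Microsoft's guidance), the following PowerShell script, run on a domain controller, lists which devices are still making vulnerable Netlogon secure channel connections, using the Netlogon events the August 2020 update added (IDs 5827-5831), and reports the FullSecureChannelProtection setting. The event data field names SamAccountName, DomainName and MachineOs are assumptions.

```powershell
# Added example: summarise vulnerable Netlogon secure channel connections seen by this DC
# and show whether DC enforcement mode is configured. Run as an administrator on each DC.
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)
$ids = 5827, 5828, 5829, 5830, 5831
$meaning = @{
    5827 = 'Denied: vulnerable machine account connection'
    5828 = 'Denied: vulnerable trust account connection'
    5829 = 'Allowed (initial deployment phase): would be denied in enforcement mode'
    5830 = 'Allowed by group policy exception (machine account)'
    5831 = 'Allowed by group policy exception (trust account)'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = $ids; StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) { "No Netlogon events $($ids -join ',') since $since" }

$rows = foreach ($e in $events) {
    # Field names in EventData (SamAccountName, DomainName, MachineOs) are assumed.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Meaning = $meaning[$e.Id]
        Account = $data['SamAccountName']
        Domain  = $data['DomainName']
        Os      = $data['MachineOs']
    }
}

# One line per device: how many vulnerable connections it made, when it was last seen,
# and which event IDs it triggered (5829 means it will be cut off once enforcement starts).
$rows | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Name
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        EventIds = ($_.Group.Id | Sort-Object -Unique) -join ','
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# Enforcement state: 1 = DC enforcement mode; 0 or absent = initial deployment phase.
$reg  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mode = (Get-ItemProperty -Path $reg -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
"FullSecureChannelProtection = $(if ($null -eq $mode) { '<not set>' } else { $mode })"
```

Devices that appear with event ID 5829 need to be patched or explicitly allowed by group policy before enforcement mode is enabled, or they will be refused connections.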