Rewterz Threat Alert – Starbleed Attacks on Data Centers, IoT Devices, Industrial Equipment using FPGA Chips
April 21, 2020
Rewterz Threat Advisory – Multiple Vulnerabilities in IBM Data Risk Manager
April 21, 2020
Severity
High
Description
The Chinese espionage group PIGFISH (a.k.a. APT41) has launched a global intrusion campaign starting from January 20th. FireEye reported that these intrusions seem to focus on exploiting CVE-2019-19781 (Citrix ADC), CVE-2020-10189 (Zoho ManageEngine zero-day), and CVE-2019-1653 and CVE-2019-1652 (Cisco RV320/RV325 routers) to achieve remote code execution for initial access.
Analysis Summary
Chinese actor APT41 is carrying out one of the broadest campaigns observed to date; it began in January and is still ongoing. APT41 is attempting to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 organizations in 20 countries.
Targeted Countries: The campaign targeted victims in Qatar, Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and USA.
Targeted Industries: The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility.
Vulnerabilities Exploited: CVE-2019-19781 in Citrix NetScaler/ADC, CVE-2019-1652 and CVE-2019-1653 in Cisco routers, CVE-2020-10189 (a zero-day) in Zoho ManageEngine Desktop Central, and CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server.
Impact
- Unauthorized Access
- Malicious Code Execution
- Privilege Escalation
- Defense Evasion
- Data Exfiltration
- System Compromise
Indicators of Compromise
Domain Name
- exchange[.]dumb1[.]com
MD5
- 7966c2c546b71e800397a67f942858d0
- 5909983db4d9023e4098e56361c96a6f
- 3e856162c36b532925c8226b4ed3481c
SHA-256
- de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc
- f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c
- d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309
Source IP
- 91[.]208[.]184[.]78
- 74[.]82[.]201[.]8
- 66[.]42[.]98[.]220
Remediation
- Block the threat indicators at their respective controls.
- Upgrade all vulnerable appliances to a fixed build at the earliest opportunity.
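To make the indicators above actionable, the following added example (not part of the Rewterz advisory or its tooling) refangs the published domain, IP and hash IoCs and sweeps them over a handful of constructed proxy, firewall and EDR log lines. The log format is an assumption made for illustration; the indicator values are the ones listed in this advisory.

```python
import re

# IoCs exactly as published (defanged) in this advisory.
DEFANGED_IOCS = {
    "domain": ["exchange[.]dumb1[.]com"],
    "ip": ["91[.]208[.]184[.]78", "74[.]82[.]201[.]8", "66[.]42[.]98[.]220"],
    "md5": [
        "7966c2c546b71e800397a67f942858d0",
        "5909983db4d9023e4098e56361c96a6f",
        "3e856162c36b532925c8226b4ed3481c",
    ],
    "sha256": [
        "de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc",
        "f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c",
        "d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309",
    ],
}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions ("[.]" and "hxxp") so the
    indicator can be compared against real log content."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_sets(defanged: dict) -> dict:
    """Refang every indicator and lower-case it for case-insensitive matching."""
    return {kind: {refang(v).lower() for v in values} for kind, values in defanged.items()}


IOCS = build_ioc_sets(DEFANGED_IOCS)

# Simple extractors. The IP pattern does not validate octet ranges; it only
# needs to pull out dotted-quad candidates that are then checked against the set.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# 32 hex chars = MD5, 64 hex chars = SHA-256; \b stops a 64-char digest from
# being read as a 32-char one.
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b", re.I)


def scan_line(line: str, iocs: dict) -> list:
    """Return every (kind, value) indicator hit found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in iocs["domain"]:
            hits.append(("domain", host))
    for digest in HASH_RE.findall(line):
        digest = digest.lower()
        if digest in iocs["md5"]:
            hits.append(("md5", digest))
        elif digest in iocs["sha256"]:
            hits.append(("sha256", digest))
    return hits


def scan_logs(lines: list, iocs: dict) -> list:
    """Return [(line_index, hits)] for every line that matched at least one IoC."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample log lines (assumed format); line 3 is benign noise.
SAMPLE_LOGS = [
    "2020-03-02T10:14:33Z proxy allow src=10.0.0.12 dst=exchange.dumb1.com:443 bytes=5120",
    "2020-03-02T10:15:01Z fw drop src=91.208.184.78 dst=10.0.0.5 dport=443",
    r"2020-03-02T10:16:40Z edr file_created path=C:\Windows\Temp\svc.exe md5=7966c2c546b71e800397a67f942858d0",
    "2020-03-02T10:17:02Z proxy allow src=10.0.0.12 dst=updates.example.com:443 bytes=910",
    "2020-03-02T10:18:55Z edr file_created path=/tmp/a.out sha256=de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS, IOCS):
        print(f"line {idx}: {hits}")
        print(f"    {SAMPLE_LOGS[idx]}")
```

Feeding real logs through `scan_logs` in place of `SAMPLE_LOGS` gives a quick first pass; the same refanged sets are what you would load into proxy denylists, firewall objects and EDR hash blocklists to satisfy the first remediation item.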