
Rewterz Threat Alert – APT41 (PIGFISH) Global Campaign Continues

April 21, 2020

Severity

High

Description

The Chinese espionage group PIGFISH (a.k.a. APT41) has launched a global intrusion campaign starting from January 20th. FireEye reported that these intrusions seem to focus on the exploitation of CVE-2019-19781 (Citrix ADC), CVE-2020-10189 (Zoho ManageEngine zero-day), and CVE-2019-1653 and CVE-2019-1652 (Cisco RV320/RV325 routers) to achieve remote code execution for initial access.

Analysis Summary

Chinese actor APT41 is carrying out one of the broadest campaigns currently ongoing, which began in January. APT41 is attempting to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 organizations in 20 countries.

Targeted Countries: The campaign targeted victims in Qatar, Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and USA.

Targeted Industries: The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility.

Vulnerabilities Exploited: CVE-2019-19781 in Citrix NetScaler/ADC, CVE-2019-1652 and CVE-2019-1653 in Cisco routers, CVE-2020-10189 (a zero-day) in Zoho ManageEngine, and CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server.

Impact

  • Unauthorized Access
  • Malicious Code Execution
  • Privilege Escalation
  • Defense Evasion
  • Data Exfiltration
  • System Compromise

Indicators of Compromise

Domain Name

  • exchange[.]dumb1[.]com

MD5

  • 7966c2c546b71e800397a67f942858d0
  • 5909983db4d9023e4098e56361c96a6f
  • 3e856162c36b532925c8226b4ed3481c

SHA-256

  • de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc
  • f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c
  • d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309

Source IP

  • 91[.]208[.]184[.]78
  • 74[.]82[.]201[.]8
  • 66[.]42[.]98[.]220

Remediation

  • Block the threat indicators at their respective controls (DNS/proxy for the domain, perimeter firewall for the source IPs, endpoint controls for the file hashes).
  • Upgrade all vulnerable appliances to a fixed build at the earliest opportunity.
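To make the indicator list above directly usable, the following added example (not part of the original advisory) refangs the published IoCs, sweeps a few constructed proxy/firewall/EDR log lines for any match, and produces a network blocklist for the "block at their respective controls" step. The log lines, field names and the `Hit` type are assumptions for illustration; the indicator values are the ones listed in this advisory.

```python
import re
from dataclasses import dataclass

# Indicators exactly as published in the advisory (defanged form).
DEFANGED_IOCS = {
    "domain": ["exchange[.]dumb1[.]com"],
    "ip": ["91[.]208[.]184[.]78", "74[.]82[.]201[.]8", "66[.]42[.]98[.]220"],
    "md5": [
        "7966c2c546b71e800397a67f942858d0",
        "5909983db4d9023e4098e56361c96a6f",
        "3e856162c36b532925c8226b4ed3481c",
    ],
    "sha256": [
        "de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc",
        "f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c",
        "d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309",
    ],
}


def refang(value: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_sets(defanged: dict) -> dict:
    """Refang and lower-case every indicator so log matching is case-insensitive."""
    return {kind: {refang(v).lower() for v in vals} for kind, vals in defanged.items()}


IOCS = build_ioc_sets(DEFANGED_IOCS)

# Generic extractors for the three indicator shapes used in this advisory.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b", re.I)


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned log
    kind: str      # "ip", "domain", "md5" or "sha256"
    value: str     # normalised indicator that matched


def scan_log(lines: list[str], iocs: dict) -> list[Hit]:
    """Return every indicator match found in the given log lines."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append(Hit(n, "ip", ip))
        for dom in DOMAIN_RE.findall(line):
            if dom.lower() in iocs["domain"]:
                hits.append(Hit(n, "domain", dom.lower()))
        for h in HASH_RE.findall(line):
            h = h.lower()
            kind = "md5" if len(h) == 32 else "sha256"
            if h in iocs[kind]:
                hits.append(Hit(n, kind, h))
    return hits


def network_blocklist(iocs: dict) -> list[str]:
    """Refanged domain and IP indicators, sorted, ready for a proxy/firewall deny list."""
    return sorted(iocs["domain"] | iocs["ip"])


# Constructed sample log lines (assumed formats, not real telemetry).
SAMPLE_LOG = [
    "2020-03-12T10:01:02Z proxy allow src=10.0.0.5 dst=exchange.dumb1.com:443",
    "2020-03-12T10:01:09Z fw deny src=91.208.184.78 dst=10.0.0.20:443",
    "2020-03-12T10:02:30Z edr file_create path=C:\\Windows\\Temp\\x.exe "
    "sha256=de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc",
    "2020-03-12T10:03:00Z edr file_create path=C:\\Users\\Public\\a.bin "
    "md5=7966C2C546B71E800397A67F942858D0",
    "2020-03-12T10:03:05Z dns query name=www.example.com src=10.0.0.7",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, IOCS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
    print("blocklist:", network_blocklist(IOCS))
```

The extractors are deliberately generic so the same sweep works on proxy, firewall and EDR exports without per-source parsers; hashes are lower-cased before comparison because EDR products differ in the case they emit.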
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.