Rewterz Threat Advisory – CVE-2021-42717 – F5 NGINX ModSecurity WAF
December 7, 2021
Rewterz Threat Alert – RedLine Stealer – Active IOCs
December 7, 2021
Severity
High
Analysis Summary
Threat actor TA505 has been observed targeting the financial sector with the MirrorBlast backdoor. The malware is delivered by phishing email containing a malicious link and a weaponized Excel document. Detection rates are very low because the Excel files carry only a lightweight macro, which makes the malware harder to spot. The current campaign began in September, initially targeting the South American region before expanding to other continents. Recent activity suggests the campaign has shifted to North America and is targeting the financial sector there.
Impact
- Information theft
- Exposure of sensitive data
- Financial loss
Indicators of Compromise
IP
- 45[.]142[.]213[.]139
- 195[.]123[.]246[.]14
- 45[.]129[.]137[.]237
- 78[.]128[.]112[.]139
- 145[.]239[.]85[.]6
MD5
- 8e5876fb74f584c2abeff76e3fae9a60
- 551be7024b92c5df38fb118aa9cceba3
- b802a50513e73b47fe1831724a783413
SHA-256
- e58b80e4738dc03f5aa82d3a40a6d2ace0d7c7cfd651f1dd10df76d43d8c0eb3
- d98bdf3508763fe0df177ef696f5bf8de7ff7c7dc68bb04a14a95ec28528c3f9
- 5a65bee42bd45b04f64ea02bcf30d266a500de7c8ad4851221a0a24a2de88e11
SHA-1
- b4a9abcaaadd80f0584c79939e79f07cbdd49657
- 00b5ebe5e747a842dec9b3f14f4751452628f1fe
- 22f8704b74ce493c01e61ef31a9e177185852437
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
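The following script is an added example of the "search for IOCs in your environment" step; it is not part of the Rewterz advisory. It takes the indicators listed above exactly as published (IPs defanged with `[.]`), refangs them at match time, and checks them against constructed sample telemetry: a few egress proxy log lines and a file-hash inventory export of the kind an EDR or asset tool produces. Hostnames, paths, timestamps and the non-IOC values in the samples are invented. Two details a practitioner usually wants are handled: IP matching uses lookarounds so `45.129.137.237` cannot match inside `145.129.137.237`, and hash comparison is case-insensitive with the algorithm inferred from digest length, so an inventory that exports uppercase digests still matches.

```python
"""Search constructed sample telemetry for the IOCs listed in this advisory."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the advisory above. IPs stay defanged in the source
# and are refanged only when patterns are built.
ADVISORY_IPS = [
    "45[.]142[.]213[.]139",
    "195[.]123[.]246[.]14",
    "45[.]129[.]137[.]237",
    "78[.]128[.]112[.]139",
    "145[.]239[.]85[.]6",
]
ADVISORY_HASHES: Dict[str, List[str]] = {
    "md5": [
        "8e5876fb74f584c2abeff76e3fae9a60",
        "551be7024b92c5df38fb118aa9cceba3",
        "b802a50513e73b47fe1831724a783413",
    ],
    "sha256": [
        "e58b80e4738dc03f5aa82d3a40a6d2ace0d7c7cfd651f1dd10df76d43d8c0eb3",
        "d98bdf3508763fe0df177ef696f5bf8de7ff7c7dc68bb04a14a95ec28528c3f9",
        "5a65bee42bd45b04f64ea02bcf30d266a500de7c8ad4851221a0a24a2de88e11",
    ],
    "sha1": [
        "b4a9abcaaadd80f0584c79939e79f07cbdd49657",
        "00b5ebe5e747a842dec9b3f14f4751452628f1fe",
        "22f8704b74ce493c01e61ef31a9e177185852437",
    ],
}
# Hex digest length -> algorithm, for inventory rows that do not name the algorithm.
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
# Lower-cased lookup sets so case differences in exported data cannot hide a hit.
_HASH_SETS = {algo: {h.lower() for h in hs} for algo, hs in ADVISORY_HASHES.items()}


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 45[.]142[.]213[.]139 back to 45.142.213.139."""
    return indicator.replace("[.]", ".")


def _ip_pattern(ip: str) -> re.Pattern:
    # Lookarounds reject an adjacent digit or dot, so 45.129.137.237 does not
    # match inside 145.129.137.237 or 45.129.137.2371.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


IP_PATTERNS = [(refang(ip), _ip_pattern(refang(ip))) for ip in ADVISORY_IPS]


def find_ip_hits(log_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, IOC IP) for each log line containing an advisory IP."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip, pattern in IP_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, ip))
    return hits


def match_inventory(records: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Compare exported {path, hash} records against the advisory hashes.

    Returns (path, algorithm, digest) for each record whose digest matches.
    """
    hits = []
    for rec in records:
        digest = rec["hash"].strip().lower()
        algo = _HEX_LEN_TO_ALGO.get(len(digest))
        if algo and digest in _HASH_SETS[algo]:
            hits.append((rec["path"], algo, digest))
    return hits


# Constructed sample telemetry (not from the advisory): egress proxy lines and a
# file-inventory export. Hostnames, paths and the non-IOC values are invented.
SAMPLE_PROXY_LOG = [
    "2021-12-07T09:14:02Z host=WS-FIN-017 dst=45.142.213.139 dport=443 action=allow",
    "2021-12-07T09:14:05Z host=WS-FIN-017 dst=145.129.137.237 dport=443 action=allow",
    "2021-12-07T09:15:41Z host=WS-FIN-022 dst=10.20.30.40 dport=80 action=allow",
    "2021-12-07T09:16:09Z host=WS-FIN-022 dst=78.128.112.139 dport=80 action=allow",
]
SAMPLE_INVENTORY = [
    {"path": "C:/Users/a.user/Downloads/invoice.xls", "hash": "8E5876FB74F584C2ABEFF76E3FAE9A60"},
    {"path": "C:/Users/a.user/Downloads/budget.xlsx", "hash": "0" * 64},
]

if __name__ == "__main__":
    for lineno, ip in find_ip_hits(SAMPLE_PROXY_LOG):
        print(f"proxy log line {lineno}: connection to advisory IP {ip}")
    for path, algo, digest in match_inventory(SAMPLE_INVENTORY):
        print(f"{path}: {algo} {digest} matches an advisory sample")
```

On the sample data the script reports the two proxy lines that reach advisory IPs (lines 1 and 4; line 2 is the look-alike `145.129.137.237` and is correctly ignored) and the one inventory row whose MD5 matches despite being exported in uppercase. To run it against real data, feed `find_ip_hits` your proxy, firewall or DNS log lines and `match_inventory` a hash export from your endpoint tooling; any hit is a reason to isolate the host and pull the file for analysis.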