Rewterz

Rewterz Threat Alert – Covid-19 Themed Malicious URLs

September 1, 2020
Rewterz

Rewterz Threat Alert – Lokibot IOCs

September 1, 2020

Rewterz Threat Alert – Active QNAP NAS Exploitation

Severity

High

Analysis Summary

Researchers reports on an in the wild exploitation of a vulnerability in QNAP NAS devices. This vulnerability was not publicly reported on prior to these findings. The vulnerability exploited exists in the CGI program used when users log out of the QNAP NAS device. By exploiting the vulnerability, attackers are able to gain unauthenticated remote code execution capabilities. In this campaign, the remote code execution capabilities are used to download a payload using wget. Based on current observations, the researchers have been unable to identify the ultimate goal of the attackers as further malware is not installed at this time. Two additional files were discovered on the server hosting the payload currently being downloaded. Specifically, they are two text files, one containing 2 lines of seemingly random text and the other being a bash reverse shell script. The server was found to be running SSH, Metasploit, Apache httpd, and other services.

Impact

Remote code execution

Indicators of Compromise

IP

  • 165[.]227[.]39[.]105
  • 219[.]85[.]109[.]140
  • 103[.]209[.]253[.]252

URL

  • http[:]//165[.]227[.]39[.]105[:]8096/[.]sl
  • http[:]//165[.]227[.]39[.]105[:]8096/rv
  • http[:]//165[.]227[.]39[.]105[:]8096/aaa

Remediation

  • Block all threat indicators at your respective controls.
  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IoCs in your environment.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.