Paul Scott

Paul Scott
on December 19, 2019

Threat Report Thursday December 19th 2019

Threat Report

Happy Holidays from Perch! In this release of the usually weekly threat report we have a few threaty threats scrooging up the holidays and melting your change freezes.

Emotet has gotten into the holiday spirit and is planning a Christmas party, your invitation is on the way. Threat actors on Perchy’s naughty list are leveraging ConnectWise Control to spread ransomware. And, critical code execution gifts in industrial control systems and routers pave the way for new Echobot variants. Let’s get this holiday party started.

Skip Emotet’s Christmas party

A new Emotet campaign has been observed sending malicious emails with a Christmas themed subject to entice victims to open the attachment and join the malware party. The attached file contains an option to select something you will bring and wear at the Christmas party.

When a victim opens the maldoc attachment, the victim is prompted to “Enable Editing” in order to view the file. Once the victim enables the content, embedded macros will be executed and install the Emotet Trojan in the Windows machine. Once Emotet is launched, the infected computer will be used to send malspam, download TrickBot to steal your data, and possibly end with a ransomware stocking stuffer. Perchy suggests skipping this potluck.

ConnectWise Control leveraged for Ransomware delivery

In April 2019, attackers who breached IT supplier, Wipro, leveraged the ConnectWise Control (formerly ScreenConnect) remote desktop application as a major component of their attack.

The adversaries gained access to Wipro systems, and used ConnectWise as a propagation mechanism. Although it started with Wipro, the attackers quickly moved on to other industries.

Attackers are actively using ConnectWise Control post-compromise to deliver the newest VegaLocker ransomware variant, Zeppelin. We’ve got new details from researchers to share on the Zeppelin killchain.

The threat actor first tries to exfiltrate information from Windows database servers by stealing the backup information, and only then propagating the ransomware across other infected machines.

For more details and observables check out the full report.

Global power plants at risk from critical remote code execution

Siemens SPPA-T3000 Application Server and MS3000 Migration Server, a distributed control system used for orchestrating and supervising electrical generation at major power plants are affected with 17 security flaws that could allow attackers to execute arbitrary code on the server. According to Siemens advisory, exploitation of the vulnerabilities could allow attackers to run arbitrary code on an application server to take control of operations and disrupt them.

Siemens noted that the exploitation of any of the vulnerabilities requires access to either Siemens’ Application or Automation Highway. In addition, none of the bugs have been seen being exploited at the time of this writing.

To address the vulnerabilities, power plants are recommended to restrict access to the Application Highway using the SPPA-T3000 Firewall and configure network access to devices with appropriate mechanisms. So, if you’re not sure what to get your network admin for the holidays, maybe it’s a change control form.

TP-Link patched a 0-day vulnerability affecting some of its Archer routers that could allow attackers to void admin passwords and take control of the router’s configuration via Telnet on the local area network (LAN) and connect to a File Transfer Protocol (FTP) server through the LAN or wide area network (WAN).

To exploit the vulnerability, attackers need to send an HTTP request containing a character string longer than the allowed number of bytes to void the router’s password and replaced with an empty value. Successful exploitation of the security flaw can allow attackers to get admin privileges on the router. In addition to getting admin privileges, the legitimate user of the router can also be locked out and would no longer be able to login through the user interface since the page will no longer accept any passwords.

If the router owner tried to set a new password, attackers could again void it with another LAN, WAN, or CGI request leaving the USB connections to the built-in FTP server as the only way to access it. The vulnerability is considered critical since it can grant unauthorized third-party access to the router with admin privileges without proper authentication taking place.

Users are advised to download security patches in TP-Link Archer C5, V4, Archer MR200V4, and Archer MR400V3 routers to address the vulnerability before it’s included in the next Mirai variant.

Mirai variant ECHOBOT resurfaces with 77 attacks

Security researcher, Carlos Brendel, found a new variant of the Echobot botnet on December 12, 2019. This variant contains a total of 77 exploits that target IoT devices such as routers, IP cameras, VoIP phones, and others.

It also supports multiple architectures such as ARM/4/5/6/7, x86, MIPS, PPC, and SuperH. It uses 145[.]249[.]106[.]241 as its C2 server. The list of exploits used in this variant can be found below including the date of when the exploits were published.

3Com OfficeConnect - Code Execution Date: 2009-10-19

ACTi ASOC 2200 Web Configurator 2.6 - Remote Command Execution Date: 2011-03-17

ADM 3.1.2RHG1 - Remote Code Execution Date: 2018-07-01

ASMAX AR 804 gu Web Management Console - Arbitrary Command Execution Date: 2009-06-01

ASUS DSL-N12E_C1 - Remote Command Execution Date: 2018-08-02

AVCON6 systems management platform - OGNL Remote Command Execution Date: 2019-09-11

AWStats 6.0 Date: 2005-01-25

AWStats 6.4 Date: 2010-07-03

AWStats Totals 1.14 multisort - Remote Command Execution (Metasploit) Date: 2011-05-25

Alcatel-Lucent OmniPCX Enterprise 7.1 - Remote Command Execution Date: 2007-09-17

Asus RT56U - Remote Command Injection Date: 2013-06-07

BEWARD N100 H.264 VGA IP Camera M2.1.6 - Remote Code Execution Date: 2019-02-05

Barracuda Spam Firewall 3.3.x - 'preview_email.cgi? file' Arbitrary File Access Date: 2006-08-01

Beckhoff CX9020 CPU Module - Remote Code Execution Date: 2015-10-22

Belkin Wemo UPnP - Remote Code Execution (Metasploit) Date: 2019-02-20

CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution Date: 2003-07-10

CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution Date: 2003-07-10

CTEK SkyRouter 4200/4300 - Command Execution (Metasploit) Date: 2011-11-30

Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution Date: 2019-07-12

Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection Date: 2019-05-03

D-Link - OS-Command Injection via UPnP Interface Date: 2013-07-07

Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution Date: 2019-04-10

Dogfood CRM - 'spell.php' Remote Command Execution (Metasploit) Date: 2010-07-03

EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution Date: 2017-06-04

Enigma NMS 65.0.0 - OS Command Injection Date: 2019-09-09

EyeLock nano NXT 3.5 - Remote Code Execution Date: 2016-08-10

FLIR Thermal Camera FC-S/PT - Command Injection Date: 2017-09-25

FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution Date: 2012-03-23

Fritz! Box - Remote Command Execution Date: 2014-05-01

Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit) Date: 2017-02-15

Gitorious Remote Command Execution Date: 2012-01-28

HP OpenView Network Node Manager 7.50 - Remote Command Execution Date: 2005-08-30

HomeMatic Zentrale CCU2 - Remote Code Execution Date: 2018-07-18

Hootoo HT-05 - Remote Code Execution (Metasploit) Date: 2019-01-14

Iris ID IrisAccess ICU 7000-2 - Remote Command Execution Date: 2016-07-26

LG SuperSign EZ CMS 2.5 - Remote Code Execution Date: 2018-09-24

Linksys WAG54G2 - Web Management Console Arbitrary Command Execution Date: 2009-06-01

MiCasaVerde VeraLite - Remote Code Execution Date: 2016-10-20

Mitel AWC - Command Execution Date: 2010-12-22

Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell Date: 2019-08-12

NETGEAR R7000 - Command Injection Date: 2016-12-07

NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution Date: 2018-07-23

NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution Date: 2018-07-23

Nagios 3.0.6 - 'statuswml.cgi' Arbitrary Shell Command Injection Date: 2009-05-22

NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection Date: 2017-02-23

Netscaler SD-WAN - Command Injection (Metasploit) Date: 2017-07-19

OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'welcome' Remote Command Execution (Metasploit) Date: 2015-01-05

OP5 7.1.9 - Remote Command Execution Date: 2016-04-08

OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution Date: 2017-07-03

Oracle Weblogic / - Remote Code Execution Date: 2019-04-30

PHPMoAdmin - Unauthorized Remote Code Execution Date: 2015-03-03

Plone and Zope - Remote Command Execution Date: 2011-12-21

QuickTime Streaming Server - 'parse_xml.cgi' Remote Execution (Metasploit) Date: 2010-07-03

Realtek SDK - Miniigd UPnP SOAP Command Execution (Metasploit) Date: 2015-06-01

Redmine SCM Repository 0.9.x/1.0.x - Arbitrary Command Execution (Metasploit) Date: 2011-01-08

Rocket Servergraph Admin Center - fileRequestor Remote Code Execution (Metasploit) Date: 2014-06-18

Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit) Date: 2016-10-17

SAPIDO RB-1732 - Remote Command Execution Date: 2019-06-25

Sar2HTML 3.2.1 - Remote Command Execution Date: 2019-08-02

Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection Date: 2019-05-14

Seowonintech Devices - Remote Command Execution Date: 2013-06-24

Spreecommerce 0.60.1 - Arbitrary Command Execution (Metasploit) Date: 2011-10-07

Technicolor TD5130.2 - Remote Command Execution Date: 2019-11-13

Thomson Reuters Velocity Analytics - Remote Code Injection Date: 2013-11-22

Ubiquity Nanostation5 (Air OS) - Remote Command Execution Date: 2010-07-01

VMware NSX SD-WAN Edge Date: 2018-07-02

WePresent WiPG-1000 - Command Injection (Metasploit) Date: 2017-04-25

Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) Date: 2019-08-12

Wireless IP Camera (P2P) WIFICAM - Remote Code Execution Date: 2017-03-08

Wireless IP Camera (P2P) WIFICAM - Remote Code Execution Date: 2017-03-08

Wireless IP Camera (P2P) WIFICAM - Remote Code Execution Date: 2019-03-08

Xfinity Gateway - Remote Code Execution Date: 2016-12-02

Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution Date: 2019-12-09

Yealink VoIP Phone SIP-T38G - Remote Command Execution Date: 2014-06-13

ZeroShell 'cgi-bin/kerbynet' - Local File Disclosure Date: 2013-09-25

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to

Next: Threat Report Thursday December 5th 2019

Share this on:

Paul Scott

Paul Scott
on December 19, 2019

Perchy Subscribe to our blog