Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Botnet. Show all posts
Vulnerabilities and Exploits
Botnet Botnet attack Log4Shell Malware Threats Vulnerabilities and Exploits

FritzFrog’s Evolution: Exploiting Log4Shell Vulnerability Reveals Alarming Tactics

 

In a startling development, the notorious FritzFrog botnet, which first emerged in 2020, has undergone a significant transformation by exploiting the Log4Shell vulnerability. Unlike its traditional approach of focusing on internet-facing applications, this latest variant is now aggressively targeting all hosts within a victim's internal network, according to recent findings by Akamai researchers, a leading cybersecurity and content delivery network provider. 

Originally recognized for its use of brute-force attacks on SSH to compromise servers and deploy cryptominers, FritzFrog has adopted a new campaign named "Frog4Shell." This campaign leverages the Log4Shell vulnerability, a flaw in the widely used Log4j web tool, discovered in 2021. Despite extensive global patching efforts initiated by governments and security companies, the Log4Shell bug remains a persistent threat. 

Frog4Shell represents a paradigm shift in FritzFrog's tactics. The malware now goes beyond the conventional approach of compromising high-profile internet-facing applications. Instead, it meticulously scans and reads system files on compromised hosts to identify potential targets within internal networks, particularly vulnerable Java applications. 

This evolution is particularly concerning as it exposes neglected and unpatched internal machines, exploiting a circumstance often overlooked in previous security measures. Even if organizations have patched their high-profile internet-facing applications, FritzFrog's latest variant poses a risk to the entire internal network. 

Akamai, a leading cybersecurity and content delivery network provider, has observed over 20,000 FritzFrog attacks and identified more than 1,500 victims over the years. The malware's latest features include enhanced privilege escalation capabilities, evasion tools against cyber defences, and the potential for incorporating additional exploits in future versions. 

While approximately 37% of infected nodes are located in China, the exact location of the FritzFrog operator remains to be determined. This strategic ambiguity suggests an effort to mask the true identity or origin of the threat actor. 

As FritzFrog continues to evolve and adapt, organizations are urged to prioritize comprehensive patching strategies encompassing not only internet-facing assets but also internal hosts. The ongoing threat landscape underscores the importance of staying vigilant against sophisticated botnet tactics and proactively securing networks to mitigate potential risks associated with Log4Shell and the advanced exploits employed by FritzFrog. 
Read more »
Proxy Service
Amadey Botnet malware PrivateLoader Proxy Service

Socks5Systemz Proxy Service Impacts 10,000 Systems Globally

 

A proxy botnet identified as 'Socks5Systemz' has been infecting computers across the globe with the 'PrivateLoader' and 'Amadey' malware loaders, with 10,000 infected devices currently. 

The malware infects computers and transforms them into traffic-forwarding proxies for malicious, illegal, or concealed traffic. It supplies this service to customers who pay between $1 and $140 per day in cryptocurrency to access it. 

Socks5Systemz is detailed in a BitSight report, which clarifies that the proxy botnet has been active since at least 2016, but has remained largely unnoticed until recently. 

The Socks5Systemz bot is propagated by the PrivateLoader and Amadey malware, which are frequently distributed through phishing, exploit kits, malvertizing, trojanized executables downloaded from P2P networks, and other techniques.

The BitSight samples are called 'previewer.exe,' and their task is to inject the proxy bot into the host's memory and establish persistence for it through a Windows service called 'ContentDWSvc.' 

The payload for the proxy bot is a 300 KB 32-bit DLL. It connects to its command and control (C2) server via a domain generation algorithm (DGA) system and sends profiling information about the infected machine. 

In response, the C2 can issue one of the following commands: 

  • Idle: Take no action.
  • connect: Establish a connection to a backconnect server. 
  • disconnect: This command disconnects you from the backconnect server. 
  • updips: Update the list of IP addresses authorized to send traffic. 
  • upduris: Not yet implemented. 

The connect command, which instructs the bot to establish a backconnect server connection over port 1074/TCP, is critical. 

The infected device can now be used as a proxy server and sold to other threat actors once connected to the threat actors' infrastructure. It uses fields to figure out the IP address, proxy password, list of blocked ports, and so on when connecting to the backconnect server. 

These field parameters ensure that only bots on the allowlist with the required login credentials can connect with the control servers, preventing unauthorised attempts. 

Impact of illegal business

A large control infrastructure comprising 53 proxy bot, backconnect, DNS, and address acquisition servers spread largely across France and Europe (Netherlands, Sweden, Bulgaria) was mapped by BitSight. 

There are two subscription tiers for Socks5Systemz proxying services: "Standard" and "VIP." Customers can pay for their subscriptions using the anonymous (no KYC) payment gateway "Cryptomus." 

In order to be added to the bot's allowlist, subscribers must specify the IP address through which the proxied traffic will originate. 

VIP users are able to use 100–5000 threads and describe the proxy type as HTTP, SOCKS4, or SOCKS5, while standard subscribers are restricted to a single thread and proxy type. 

Unauthorised bandwidth hijacking and internet security are significantly affected by the profitable business of residential proxy botnets. These services are very popular because they are often used for circumventing geo-restrictions and shopping bots. 

A vast proxy network with over 400,000 nodes was exposed by AT&T analysts in August. Unaware Windows and macOS users were acting as exit nodes in this network, channelling other people's internet traffic.
Read more »
User Data
Botnet Data Leak Data Privacy Malicious App Mobile Security User Data

NightOwl App is Targeting Older Macs to Siphon User Data

 

The NightOwl app, which was once a popular option for automatically transitioning between dark and light modes on macOS Mojave, has been identified to secretly store user data. 

NightOwl was initially introduced in 2018 as a third-party software to fix the lack of an automated switching capability, and it quickly attracted a user base. However, with the release of official macOS dark mode capabilities, the app became outdated.

It was recently discovered that NightOwl had been stealthily upgraded to add malicious code that transformed users' devices into botnet agents. The app turned out to be operating a local HTTP proxy without the users' knowledge or consent, transferring their IP data through a server network.The app's settings could not be disabled, forcing users to enter commands in the Terminal app to delete the code from their devices. 

Due to the removal of the app from the NightOwl website and app store, it is unclear how many individuals were impacted by this criminal activity. The app's website says that over 27,000 users have downloaded it more than 141,000 times. The NightOwl proprietors claim that they are cooperating with antivirus firms to swiftly resolve the issue and deny any misconduct.

Taylor Robinson, a web developer who identified the app's nefarious activity, identified that NightOwl was purpose-built to remain anonymous. The botnet connection was created on the device's principal user account and executed every time booted up. The app's owners claimed that they merely collected users' IP addresses and that this was indicated in their terms and conditions. 

While there is no proof that more than IP addresses were collected, the app owners went to considerable length to hide their trails. The app's terms of service were amended in June, adding language that required users' computers to act as a gateway for sharing internet traffic with third parties. 

The NightOwl app serves as a warning tale for users to be aware of third-party software and to frequently evaluate their installed programmes for any potential privacy or security risks.
Read more »
TTPs
Botnet Malicious Payload malware Malware Service ransomware attacks Threat Landscape TTPs

Ransomware Makes Up 58% of Malware Families Sold as Services

 

Ransomware has emerged as the most pervasive Malware-as-a-Service (MaaS) during the past seven years, according to a new study from the Kaspersky Digital Footprint Intelligence team. Based on analysis of 97 malware families that were disseminated via the dark web and other sites, the study was undertaken. The researchers also discovered that hackers frequently rent infostealers, botnets, loaders, and backdoors to conduct their attacks.

An illegal business concept called malware-as-a-service (MaaS) involves renting out software to commit cyberattacks. Clients of these services are typically provided with a personal account via which they may manage the attack as well as technical support. 

Ransomware the most widely used malware-as-a-Service

In order to determine the popular types, Kaspersky's experts assessed the sale quantities of different malware families as well as mentions, debates, posts, and search advertising on the darknet and other sites regarding MaaS. The dominant force turned out to be ransomware, or malicious software that encrypts data and demands payment to decrypt it. Of all the families supplied under the MaaS model between 2015 and 2022, it accounted for 58%. Ransomware's appeal can be ascribed to its capacity to produce greater earnings than other forms of malware in a shorter amount of time.

Ransomware-as-a-service (RaaS) allows cybercriminals to "subscribe" for nothing. They start paying for the service after the attack occurs after they are partners in the programme. A portion of the victim's ransom payment, usually between 10% and 40% of each transaction, determines the payout amount. Entering the programme, meanwhile, is not an easy undertaking because there are strict qualifications. 

Infostealers made up 24% of malware families offered as a service throughout the analysed time frame. These are malicious software meant to steal information, including usernames, passwords, banking information, browsing history, data from cryptocurrency wallets, and more. 

Subscription-based payment methods are used for infostealer services. The cost per month ranges from 100 to 300 dollars in the United States. For instance, Raccoon Stealer, which was cancelled in the first few days of February 2023, could be purchased for 275 dollars per month or 150 dollars per week. According to information provided on the Darknet by its operators, RedLine's rival charges 150 dollars a month and also offers the chance to buy a lifetime licence for 900 dollars. 

Botnets, loaders, and backdoors were found to be present in 18% of malware families offered as services. Since many of these threats share the same objective—uploading and running further malware on the victim's device—they are grouped together as a single threat. 

Prevention tips

Kaspersky experts advise the following to safeguard your business from such threats: 

  • To stop hackers from breaking into your network by taking advantage of vulnerabilities, keep the software updated on all the devices you use.
  • Update your systems with fixes as soon as new vulnerabilities are discovered. Threat actors cannot exploit the vulnerability after it has been downloaded. 
  • To stay informed about the real TTPs employed by threat actors, use the most recent threat intelligence data. 
  • Investigate an adversary's perception of your company's resources with the aid of Kaspersky Digital Footprint Intelligence to quickly identify any potential attack vectors you may have. This also aids in spreading awareness of the threats that cybercriminals are currently posing so that you can timely alter your defences or implement countermeasures and elimination strategies.
Read more »
URL
APT Backdoor Botnet Chinese Hackers Data Breach Sensitive Information Software URL

Chinese APT Group Hijacks Software Updates for Malware Delivery

An advanced persistent threat (APT) group from China, known as Evasive Panda, has been discovered to be hijacking legitimate software update channels of Chinese-developed applications to deliver custom malware to individuals in China and Nigeria for cyber-espionage purposes. Researchers from Eset discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses. The modular malware allows Evasive Panda to spy on victims and enhance its capabilities on the go.

The APT group's activity was fairly easy to attribute to Evasive Panda as researchers have never observed any other threat actors using the MgBot backdoor. The attacks have been ongoing for two years, and the primary goal is to steal credentials and data for espionage purposes. This is another example of state-sponsored actors' increasing sophistication and persistence in cyberspace.

Using legitimate software update channels is a clever technique employed by the group to avoid detection by traditional security measures. Once the malware is delivered through the update, it can operate in the background undetected, and the APT group can exfiltrate sensitive information from the victim's device.

This discovery highlights the importance of maintaining a secure software supply chain and the need for constant vigilance in monitoring the activity of state-sponsored threat actors. Organizations and individuals should always keep their software up to date, maintain robust security measures, and be wary of any suspicious activity or unexpected system changes.

The Eset researchers noted that the MgBot malware has been specifically customized for each victim, suggesting a high degree of sophistication and customization by the APT group. This type of advanced malware is difficult to detect and defend against, making it imperative for individuals and organizations to be proactive in their cybersecurity measures.
Read more »
Software
Botnet Cloud Network Cyber Security Google Malicious actor Software

Google Takes Down Cryptbot Malware Infrastructure

Google has taken down the infrastructure and distribution network linked to the Cryptbot info stealer, a malware that was being used to infect Google Chrome users and steal their data. The move comes after the tech giant filed a lawsuit against those using the malware to carry out illegal activities.

Cryptbot is a type of malware that steals sensitive information from infected devices, including usernames, passwords, and credit card details. The malware is typically spread through phishing emails and malicious websites, and can be difficult to detect and remove once it has infected a device.

Google's lawsuit targets the infrastructure and distribution network behind the Cryptbot malware, with the aim of disrupting its operations and reducing the number of victims. By taking down the infrastructure, Google hopes to make it harder for cybercriminals to distribute the malware and infect new devices.

The move is part of Google's ongoing efforts to protect its users from cyber threats and keep its platform safe and secure. In recent years, the company has invested heavily in developing advanced security measures to detect and prevent malware and other malicious activities.

However, cybercriminals are constantly evolving their tactics and finding new ways to exploit vulnerabilities in systems and software. This means that companies like Google need to stay vigilant and proactive in their efforts to protect their users.

In addition to taking down the Cryptbot infrastructure, Google is also urging Chrome users to take steps to protect themselves from malware and other cyber threats. This includes keeping their software up to date, using strong and unique passwords, and being wary of suspicious emails and websites.

Google's efforts to disrupt the Cryptbot malware operation are an important step in the fight against cybercrime. By targeting the infrastructure and distribution network behind the malware, the company is helping to reduce the number of victims and make the internet a safer place for everyone.

Read more »
Software
Botnet Data Breach Data Extortion DDOS Attacks. Ransomware Attacks. Software

HinataBot: The Growing DDoS Threat

 

The emergence of the HinataBot botnet has the cybersecurity community on high alert, as it has the potential to launch massive DDoS attacks with a capacity of 3.3 Tbps. This new botnet, which is based on Golang and exploits vulnerable devices, was first discovered by cybersecurity researchers in March 2023.

According to experts, the HinataBot botnet is incredibly sophisticated and could be difficult to detect and remove. It is also highly scalable, which means that it can easily expand to include thousands or even millions of devices. This makes it a serious threat to businesses and organizations of all sizes.

The HinataBot botnet is able to exploit devices that have not been properly secured, such as those that still use default login credentials. Once it has gained access to a device, it can then be used to launch DDoS attacks, which can disrupt entire networks and cause significant financial and reputational damage to businesses.

As of now, it is not clear who is behind the HinataBot botnet, but it is suspected to be a criminal group with sophisticated skills and resources. It is believed that the botnet is being used for financial gain, such as through ransom demands or by using it to extort businesses and organizations.

To protect against the threat of the HinataBot botnet, it is important to ensure that all devices are properly secured with strong passwords and up-to-date security software. Additionally, businesses and organizations should regularly monitor their networks for any signs of suspicious activity and have a comprehensive incident response plan in place.

In conclusion, the emergence of the HinataBot botnet is a reminder of the ongoing threat posed by cybercriminals and the need for businesses and organizations to remain vigilant and take proactive steps to protect their networks and data. Failure to do so could result in devastating consequences, both financially and operationally.
Read more »
User Security
Botnet Data Safety Malicious Document malware User Security

Emotet Recurs: Avoids Macro Security Using OneNote Attachments

 

Microsoft OneNote email attachments are now being used to spread the infamous Emotet malware, which is making a brief comeback. This malware aims to compromise systems by getting around macro-based security measures. 

Despite attempts by law enforcement to neutralise it, Emotet, connected to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, remains a formidable and tenacious menace. 

Emotet is a variant of the banking worm Cridex, which was later replaced by Dridex around the time GameOver Zeus was shut down in 2014. Since then, Emotet has developed into a "monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion."

While Emotet infections served as a conduit for Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its reappearance in late 2021 was made possible by TrickBot. 

"Emotet is renowned for extended periods of inactivity, which often occur numerous times per year, during which the botnet maintains a steady-state but does not send spam or malware," Secureworks writes in its profile of the actor. 

Dropper malware is typically disseminated via spam emails with malicious attachments. Nevertheless, with Microsoft taking steps to prevent macros from being included in downloaded Word files, OneNote attachments have emerged as an intriguing alternative avenue.

"The OneNote file is basic but effective at social engineering users with a bogus message claiming that the document is protected," Malwarebytes explained in a new alert. "Victims will accidentally double-click on an embedded script file when told to double-click on the View button." 

The Emotet binary payload can be retrieved and run from a remote server using the Windows Script File (WSF). Cyble, IBM X-Force, and Palo Alto Networks Unit 42 have all made results that are in line with ours. Nonetheless, Emotet still makes use of booby-trapped documents with malicious macros to spread its payload, luring users using social engineering tricks to enable the macros that start the attack cycle. 

According to several reports from Cyble, Deep Instinct, Hornetsecurity, and Trend Micro, such documents have been seen to use a method known as a "decompression bomb" to cloak an extremely large file (more than 550 MB) within ZIP archive attachments so that it would go unnoticed.

This is accomplished by padding the document with 00-bytes at the conclusion in order to artificially increase the file size and go beyond the restrictions set by anti-malware programmes.

The most recent advancement shows how adaptable and quick the operators are when adjusting attachment types for initial delivery to avoid detecting signatures. It also coincides with a rise in the number of OneNote documents being used by threat actors to disseminate a variety of malware, including AsyncRAT, Icedid, RedLine Stealer, Qakbot, and XWorm. 

Manufacturing, high-tech, telecom, finance, and energy are emerging as the top targeted sectors, according to Trellix, which claims that the majority of malicious OneNote detections in 2023 have been reported in the U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia.
Read more »
Online Protection
Bot Malware Botnet Computer virus Cyber Security Cybersecurity Online Protection

Beware of Bot Malware: Understanding the Dangers and How to Protect Your Computer


How Bot Malware Spreads and Infects Your Computer

Bot malware, also known as botnet malware, is a type of malicious software designed to create a network of infected computers or "bots" that can be remotely controlled by a hacker. These bots are typically used for a variety of nefarious purposes, including launching distributed denial of service (DDoS) attacks, stealing personal and financial information, and spreading other types of malware.

Bot malware typically spreads through a variety of methods, including email attachments, malicious websites, and infected software downloads. Once it infects a computer, the malware will attempt to connect to a command-and-control (C&C) server controlled by the hacker. This server can then send instructions to the infected bots, which can include tasks such as launching a DDoS attack on a target website or stealing sensitive information from the infected computer.

The Dangers of Bot Malware and Its Ability to Cause Significant Damage

One of the biggest dangers of bot malware is its ability to quickly spread and infect large numbers of computers. Once a botnet has been established, the hacker can use it to launch coordinated attacks on a wide range of targets, including businesses, government agencies, and individuals. These attacks can cause significant damage, both in terms of financial losses and reputational damage.

How to Detect and Remove Bot Malware from Your Computer

Bot malware can also be difficult to detect and remove. Because it operates in the background of an infected computer, it may not show any obvious signs of infection. This means that the malware can continue to spread and cause damage without the user even realizing that their computer has been compromised. Additionally, bot malware may be designed to evade traditional antivirus software, making it even more difficult to detect and remove.

To protect against bot malware, it is important to follow best practices for computer security. This includes keeping software up to date with the latest security patches, using strong passwords and two-factor authentication, and being cautious when opening email attachments or downloading software from unknown sources. It is also important to use antivirus software and regularly scan your computer for malware.

Best Practices for Protecting Your Computer Against Bot Malware

If you suspect that your computer has been infected with bot malware, it is important to take immediate action to remove the malware and prevent further damage. This may involve using specialized malware removal tools or seeking the assistance of a professional computer security expert.

In conclusion, bot malware is a dangerous and pervasive threat that can cause significant damage to individuals and organizations alike. By following best practices for computer security and being vigilant for signs of infection, you can help protect yourself from this type of malware and reduce the risk of falling victim to a botnet attack.




Read more »
Ukraine
Artifical Inteligence Botnet ChatGPT Checkpoint Tipline McAfee Privacy Ukraine

Cybercriminals Use ChatGPT to Ease Their Operations

 

Cybercriminals have already leveraged the power of AI to develop code that may be used in a ransomware attack, according to Sergey Shykevich, a lead ChatGPT researcher at the cybersecurity firm Checkpoint security.

Threat actors can use the capabilities of AI in ChatGPT to scale up their current attack methods, many of which depend on humans. Similar to how they aid cybercriminals in general, AI chatbots also aid a subset of them known as romance scammers. An earlier McAfee investigation noted that cybercriminals frequently have lengthy discussions in order to seem trustworthy and entice unwary victims. AI chatbots like ChatGPT can help the bad guys by producing texts, which makes their job easier.

The ChatGPT has safeguards in place to keep hackers from utilizing it for illegal activities, but they are far from infallible. The desire for a romantic rendezvous was turned down, as was the request to prepare a letter asking for financial assistance to leave Ukraine.

Security experts are concerned about the misuse of ChatGPT, which is now powering Bing's new, troublesome chatbot. They see the potential for chatbots to help in phishing, malware, and hacking assaults.

When it comes to phishing attacks, the entry barrier is already low, but ChatGPT could make it simple for people to proficiently create dozens of targeted scam emails — as long as they craft good prompts, according to Justin Fier, director for Cyber Intelligence & Analytics at Darktrace, a cybersecurity firm.

Most tech businesses refer to Section 230 of the Communications Decency Act of 1996 when addressing illegal or criminal content posted on their websites by third party users. According to the law, owners of websites where users can submit content, such as Facebook or Twitter, are not accountable for what is said there. Governments should be in charge of developing and enforcing legislation, according to 95% of IT respondents in the Blackberry study.

The open-source ChatGPT API models, which do not have the same content limitations as the online user interface, are being used by certain hackers, according to Shykevich.ChatGPT is notorious for being boldly incorrect, which might be an issue for a cybercriminal seeking to create an email meant to imitate someone else, experts told Insider. This could make cybercrime more difficult. Moreover, ChatGPT still uses barriers to stop illegal conduct, even if the correct script can frequently get around these barriers.
Read more »
IP Address
Botnet Cloud Computing Cloudfare Cyber Attacks DDOS Attacks FBI HTTP IP Address

 Massive DDoS Attack was Thwarted by Cloudflare

 

Prioritized firms like gaming providers, hosting providers, cloud computing platforms, and cryptocurrency enterprises, according to Cloudflare, emanated from more than 30,000 IP addresses.
The greatest volumetric distributed denial-of-service (DDoS) attack that Cloudflare has seen to date was stopped.

The greatest attack, which is the largest documented HTTP DDoS attack, topped 71 million rps, per Cloudlare's analysis. The volume is 35% greater than the previous record, 45 million rps from June 2022, which had been recorded.

The FBI accused six suspects of their involvement in running 'Booter' or 'Stresser' platforms, which anybody can use to execute DDoS attacks, in response to this stream of continuously escalating attacks, and seized dozens of Internet domains. Operation PowerOFF, a larger, more coordinated worldwide law enforcement operation against DDoS-for-hire services, included the action.

Cloudflare has been collaborating with the victims to strike down the botnet and is providing service providers with a free botnet threat feed that will transmit threat intelligence from their IP and any ongoing attacks coming from their hosted autonomous system.

Researchers cautioned entities to take action immediately before the next campaign: protecting against DDoS attacks is crucial for organizations of all sizes, even while DDoS attacks on non-critical websites might not result in permanent harm or safety hazards. DDoS attacks against internet-facing equipment and patient-connect technology in the healthcare industry put patients' safety at risk.



Read more »
Windows
Botnet Data Safety Security ICedID Malvertising malware Windows

IcedID Botnet Distributors Abuse Google PPC to Disseminate Malware

 

To improve traffic and sales, businesses utilize Google Ads to deliver adverts to specific target populations. The IcedID botnet distributors have been using SEO poisoning, since the beginning of December to entice search engine users to visit phoney websites that result in the download of malware.
In order to display malicious ads above the organic search results, attackers are choosing and ranking keywords used by well-known businesses and applications in Google pay-per-click (PPC) ads.
  • Attackers are abusing terms used by organizations including Adobe, AnyDesk, Brave Browser, Chase Bank, Discord, Fortinet, GoTo, Teamviewer, Thunderbird, the US Internal Revenue Service (IRS), and others, according to Trend Micro researchers.
  • Attackers employ the official Keitaro Traffic Direction System (TDS) to duplicate the websites of reputable companies and well-known applications in order to filter researcher and sandbox traffic and direct potential victims there.
  • A malicious Microsoft Software Installer (MSI) or Windows Installer file will be downloaded onto the user's computer if they click the Download button.
  • The file serves as the bot's initial loader, obtaining the bot's core before releasing a backdoor payload.
 Escaping Detection:

IcedID operators have employed a number of strategies in malvertising attacks to make detection difficult. Libraries like tcl86.dll, sqlite3.dll, conEmuTh.x64.dll, and libcurl.dll, which are well-known and often used, are among the files updated to serve as IcedID loaders.

Since the genuine and modified versions of the MSI or installer files are so similar, machine learning detection engines and whitelisting systems have a difficult time identifying the modified versions.

In recent months, cybercriminals have utilised IcedID to establish persistence on the host, get initial access, and carry out other illegal activities. Attackers were seen utilising phishing emails in Italian or English in October to distribute IcedID through ISO files, archives, or document attachments that contained macros. The UAC-0098 group was observed in September using IcedID and Cobalt Strike payloads to target Ukrainian NGOs and organisations in Italy.

IcedID was being used by Raspberry Robin worm infestations in the same month. Recently, a wide range of distribution techniques has been used by the threat actors behind IcedID, as is to be expected as they test which tactics are most effective against certain targets. Users should be on the lookout for fraud or phishing websites and be cautious while downloading from websites.
Read more »
Minecraft
Botnet Cybersecurity malware Microsoft Minecraft

New Botnet Targeting Minecraft Servers Could be a Threat to Enterprises


Enterprises are being affected significantly more by the constant spread of a newly discovered botnet, that is apparently targeting private Minecraft Java servers than simply bumming out a biome. 

According to a report published by researchers at Microsoft on December 16, this new botnet is utilized in order to aid DDoS attacks on Minecraft servers. This may sound trivial, but enterprises must take an account since this botnet could potentially as well target Windows and Linux devices, spreading rapidly without being detected. 

Launch of The Attack

The attack begins with the online user downloading malicious downloads of “cracked” Windows licenses.  

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices […] Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet," the Defender team explains in a report. 

The security researchers further recommend that organizations strengthen their device network in order to evade any such threats. It was furthermore revealed that most of the devices infected were in Russia. 

Enterprises Beware

The sheer number of potentially targeted servers and the scarce cyber protection on private Minecraft servers, make this botnet a threat to be taken seriously by the cybersecurity teams, warns Patrick Tiquet, Vice president of security architecture at Keeper Security. 

"The concern in this scenario is that there are a large number of servers that can potentially be compromised and then weaponized against other systems, including enterprise assets […] Gaming servers such as Minecraft are typically managed by private individuals who may or may not be interested in or capable of patching and following cybersecurity best-practices. As a result, this vulnerability could continue unmitigated on a large scale for an extended period of time and could potentially be leveraged to target enterprises in the future," he explains. 

Besides the malware, Microsoft’s recommendations are a smart idea for safeguarding the company against all kinds of botnets, not simply those that target Minecraft, according to Mike Parkin of Vulcan Cyber.  

Read more »
SQL
Botnet Cloud Security Command and Control(C2) cryptomining DNS Flaw Hackers malware SQL

5 Methods for Hackers Overcome Cloud Security

Nearly every major company has used cloud computing to varying degrees in its operations. To protect against the biggest threats to cloud security, the organization's cloud security policy must be able to handle the integration of the cloud.

The vulnerability could be exploited against the on-premises version, but the Amazon Web Services (AWS) WAF prohibited all attempts to do so against the cloud version by flagging the SQL injection payload as malicious.

What is cloud security?

Cloud computing environments, cloud-based apps, and cloud-stored data are all protected by a comprehensive set of protocols, technologies, and procedures known as cloud security. Both the consumer and the cloud provider are jointly responsible for cloud security. 

It helps maintain data security and privacy across web-based platforms, apps, and infrastructure. Cloud service providers and users, including individuals, small and medium-sized businesses, and enterprises, must work together to secure these systems. 

How do hackers breach cloud security?

While crypto mining is the primary focus of each hacking operation at present time, some of their methods may be applied to more malicious aims in the future.

1. Cloud Misconfiguration

A major factor in cloud data breaches is incorrectly configured cloud security settings. The tactics used by many enterprises to maintain their cloud security posture are insufficient for safeguarding their cloud-based infrastructure.

Default passwords, lax access controls, improperly managed permissions, inactive data encryption, and various other issues are usual vulnerabilities. Insider threats and inadequate security awareness are the root causes of many of these flaws.

A large data breach could occur, for instance, if the database server was configured incorrectly and data became available through a simple online search.

2. Denonia Cryptominer

Cloud serverless systems using AWS Lambda are the focus of the Denonia malware. The Denonia attackers use a scheme that uses DNS over HTTPS often referred to as DoH, sending DNS requests to resolver servers that are DoH-based over HTTPS. As a result, the attackers can conceal themselves behind encrypted communication, preventing AWS from seeing their fraudulent DNS lookups. As a result, the malware is unable to alert AWS.

The attackers also seem to have thrown in hundreds of lines of user agent HTTPS query strings as additional distractions to divert or perplex security investigators. In order to avoid mitm attacks and endpoint detection & response (EDR) systems, analysts claim that the malware discovered a way to buffer the binary.

3. CoinStomp malware 

Cloud-native malware called CoinStomp targets cloud security providers in Asia with the intention of cryptojacking. In order to integrate into the Unix environments of cloud systems, it also uses a C2 group based on a dev/tcp reverse shell. Then, using root rights, the script installs and runs additional payloads as system-wide system services. 

4.WhatDog Crptojacker

The WatchDog crypto-mining operation has obtained as many as 209 Monero cryptocurrency coins. WatchDog mining malware consists of a multi-part Go Language binary set. One binary emulates the Linux WatchDog daemon mechanism. 

5. Mirai botnet 

In order to build a network of bots that are capable of unleashing destructive cyberattacks, the Mirai botnet searches the internet for unprotected smart devices before taking control of them.

When ARC-based smart devices are infected with the malware known as Mirai, a system of remotely operated bots is created. DDoS attacks are frequently carried out via botnets.
The Mirai malware is intended to attack weaknesses in smart devices and connect them to form an infected device network called a botnet by exploiting the Linux OS, which many Internet of Things (IoT) devices run on.

The WAF did not recognize the new SQL injection payload that Claroty researchers created, yet it was acceptable for the database engine to analyze. They did this by using a JSON syntax. All of the affected vendors responded to the research by including JSON syntax support in their products, but Claroty thinks additional WAFs may also be affected.


Read more »
RCEs
Botnet Evil Corp Malicious Camapign malware RCEs

Evil Corp-Affiliated Truebot Malware Changes its Strategy to Target RCEs and USBs

 

A growing number of devices are being infected by the threat group Silence with the Truebot malware. The information was discovered by Cisco Talos analysts, who also hypothesized a link between Silence and notorious hacker outfit Evil Corp (tracked by Cisco as TA505). 

In an advisory released last week, the security firm claims that the campaign it tracked led to the development of two botnets, one with infections spread over the globe (especially in Mexico and Brazil), and the other more recently targeted at the US. 

"We detected a number of compromised education sector organizations, albeit we do not have enough information to determine that there is a specific concentration on a sector,” the advisory reads. 

Tiago Pereira, a security researcher with Cisco Talos, thinks that Truebot is a precursor to other dangers that are known to have been behind attacks that resulted in significant losses. 

The attackers show agility in adopting new delivery methods, so readers should think of this as the first phase of what might be a severe attack, Pereira advised. 

Additionally, Cisco Talos added that Silence is moving away from utilizing infected emails as its main mode of delivery and toward new approaches. This is in addition to increasing its targets. 

"A greater percentage of attacks used Raspberry Robin, contemporary malware disseminated via USB devices, as a delivery mechanism in October. We have a mediocre degree of confidence that the attackers began using yet another method to spread the virus in November " the researchers added.

Additionally, according to the technical write-up, post-compromise activities involved data theft and the deployment of the Clop ransomware. 

We discovered what appears to be a completely functional proprietary data exfiltration tool, which we are calling "Teleport," that was heavily used to steal information during one of these attacks while we were studying it. 

The data exfiltration process was made better by Teleport's many capabilities, which included limiting upload speed and file size, encrypting connections with a unique protocol, and having the ability to erase itself after use. Teleport was created in C++. 

A very recent Netwrix vulnerability was also exploited by Silence while Cisco Talos was conducting its study (tracked CVE-2022-31199). 

“This vulnerability had just recently been published, only a few weeks before the attacks, and the number of systems exposed via the internet is believed to be fairly modest," the researchers concluded.

This implies that the attackers are quick to test new infection vectors and incorporate them into their workflow in addition to being on the watch for them. The malware tools mentioned above were not first used by the Silence threat organization. Raspberry Robin was connected to the Clop and LockBit ransomware organizations, according to a Microsoft advisory from October.
Read more »
Windows
Botnet Cyber Security Endpoint FortiGuard IoT devices Protocol Windows

Several Security Breaches Exploited by Zerobot Botnet

 

FortiGuard Labs discovered a special botnet named Zerobot that was seen in the field spreading by exploiting nearly twenty security flaws in IoT devices or other programs.

Prior to downloading a script for further propagation, Zerobot targets multiple vulnerabilities to obtain access to a device. Zerobot targets several different architectures, such as i386, amd64, arm, mips, mips64, mipsle, ppc64, ppc64le, riscv64, and s390x. Zero is the filename used to save the bot.

On November 18, 2022, the malware made its first public appearance, mostly affecting Windows and Linux-powered computers.

Prior to November 24, the first one was simply equipped with the most fundamental features. The newest version now has a 'selfRepo' module that allows it to replicate itself or infect more endpoints using various protocols or security holes.

The bot connects the remote command-and-control (C2) server after infecting the machine and waits for further instructions. There are 21 exploits in Zerobot.This includes flaws affecting,  Spring Framework, D-Link DNS-320 NAS, Hikvision cameras, FLIR AX8 thermal imaging cameras, Zyxel firewalls, TOTOLINK routers, and F5 BIG-IP.

"The botnet includes a variety of modules, including assaults for various protocols, self-replication, and self-propagation. This also uses the WebSocket protocol to connect with its command-and-control server." Researcher Cara Lin from Fortinet FortiGuard Labs remarked.

The Go programming language was used to create the new botnet  Zerobot. The WebSocket protocol is used for communication. Users should be alert to this new danger, update any compromised systems connected to their network, and aggressively deploy updates as soon as they become available.




Read more »
Security
Botnet Crypto Mining Data DDoS malware Malware Authors Safety Security

Malware Authors Unknowingly Take Down Their Own Botnet

 

It is not often that malware authors go through the difficulties of establishing a malicious tool for botnet assembly, only to discover a way to effectively sabotage it themselves. But that seems to be the case with "KmsdBot," a distributed denial-of-service (DDoS) and crypto mining botnet discovered by Akamai researchers last month infecting systems across multiple industries. 

It has since gone mostly silent due to a single incorrectly formatted command on the part of its author. In DDoS attacks, the malware, written in the Go programming language, infects systems via an SSH connection with weak credentials and employs UDP, TCP, and HTTP POST and GET commands. The malware, according to Kaspersky, is designed to target multiple architectures, including Windows, Arm64, and mips64 systems.

Luxury car manufacturers, gaming companies, and IT firms are among those affected by the malware. The threat actors used KmsdBot to execute DDoS attacks in all of the attacks witnessed by Akamai, despite the malware's cryptomining functionality.

Following Akamai's initial disclosure in November, the company's researchers continued to monitor and analyse the threat. They modified a recent sample of KmsdBot as part of the exercise and decided to test various scenarios related to the malware's command and control (C2) functionality.

Akamai researchers discovered a location in the malware's code that consisted the IP address and port for KmsdBot's C2 server and changed it so that the address pointed to Akamai's IP space.

During the testing, Akamai researchers discovered that the bot abruptly stopped working after obtaining a command to send a large amount of junk information to bitcoin.com in an obvious attempt to DDoS the website. According to Cashdollar, the bot lacks error-checking functionality to ensure that the commands it receives are properly formatted. As a result, the Go binary crashes with the error message "index out of range."

He also claims that Akamai was able to reproduce the problem by sending the bot an incorrectly formatted command of its own.

"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Akamai noted in its update on the malware this week.

Notably, the bot does not support any kind of persistence mechanism. As a result, the malware authors' only option for rebuilding the KmsdBot botnet is to infect systems from scratch. Cashdollar asserts that almost all of the KmsdBot-related activity tracked by Akamai in recent weeks has ceased. However, there are indications that threat actors are attempting to infect systems again, he says.
Read more »
ransomware attacks
Botnet Data Wiper malware Ransomware ransomware attacks

Azov Ransomware Tries to Frame Cybersecurity Researchers

 

Azov ransomware, a newcomer to the malware market, is being propagated via pirated software, key generators, and adware bundles, in an attempt to frame security researchers by claiming they are behind the attack. 

The ransom note, named RESTORE_FILES.txt, appears to be politically motivated to push western nations into assisting Ukraine in their war against Russia and claims to have encrypted the file in protest of the seizure of Crimea. 

The note falsely claims on Twitter that security researcher Hasherazade designed the data wiper, with the help of Vitali Kremez, Michael Gillespie, Lawrence Abrams, MalwareHunterTeam and also asks victims to contact the researchers for the recovery of the files. 

According to Lawrence Abrams of BleepingComputer, none of the researchers mentioned in the ransom note are responsible for the attack nor do they have the decryption keys to free the files locked up by the data wiper. 

Furthermore, the note does not include any contact details for the original author meaning there’s currently no way of retrieving from an Azov infection and hence the ransomware should be treated as a data wiper for the moment. 

 Modus operandi of Azov wiper

In a new campaign started over the past two days, a hacker reportedly purchased installs via the SmokeLoader malware botnet, normally propagated through websites offering pirated content including game mods, cheats, and key generators, to deliver the data wiper. 

Additionally, SmokeLoader is also bundling other malware with the data wiper, including the RedLine Stealer info-stealing malware and the STOP ransomware. There have been cases where victims were first attacked by Azov and then STOP ransomware causing double encryption of their files, Bleeping Computer reported. 

To mitigate the risks, users should immediately change the passwords on their online accounts, especially those sensitive in nature, such as online banking, password managers, and email accounts.
Read more »
User Privacy
Botnet Deepfake Phishing Attacks Privacy Scam TrendMicro User Privacy

 Sophos: Hackers Avoid Deep Fakes as Phishing Attacks are Effective

According to a prominent security counsel for the UK-based infosec business Sophos, the fear of deepfake scams is entirely exaggerated.

According to John Shier, senior security adviser for cybersecurity company Sophos, hackers may never need to utilize deepfakes on a large scale because there are other, more effective ways to deceive individuals into giving up personal information and financial data.

As per Shier, phishing and other types of social engineering are much more effective than deepfakes, which are artificial intelligence-generated videos that imitate human speech.

What are deepfakes?

Scammers frequently use technology to carry out 'Identity Theft'. In order to demonstrate the risks of deepfakes, researchers in 2018 employed the technology to assume the identity of former US President Barack Obama and disseminate a hoax online.

Shier believes that while deepfakes may be overkill for some kinds of fraud, romance scams—in which a scammer develops a close relationship with their victim online in order to persuade them to send them money—could make good use of the technology because videos will give an online identity inherent legitimacy.

Since deepfake technology has gotten simpler to access and apply, Eric Horvitz, chief science officer at Microsoft, outlines his opinion that in the near future, "we won't be able to tell if the person we're chatting to on a video conversation is real or an impostor."

The expert also anticipates that deepfakes will become more common in several sectors, including romance scams. Making convincing false personas requires a significant commitment of time, effort, and devotion, and adding a deepfake does not require much more work. Shier is concerned that deepfaked romance frauds might become an issue if AI makes it possible for the con artist to operate on a large scale.

Shier was hesitant to assign a date for industrialized deepfake bots, but he claimed that the required technology is becoming better and better every year.

The researcher noted that "AI experts make it sound like it is still a few years away from the huge effect." In the interim, we will observe well-funded criminal organizations carrying out the subsequent degree of compromise to deceive victims into writing checks into accounts.

Deepfakes have historically been employed primarily to produce sexualized images and movies, almost always featuring women.

Nevertheless, a Binance PR executive recently disclosed that fraudsters had developed a deepfaked clone that took part in Zoom calls and attempted to conduct bitcoin scams.

Deepfakes may not necessarily be a scammer's primary tactic, but security researchers at Trend Micro said last month that they are frequently used to augment other techniques. The lifelike computerized images have recently appeared in online advertisements, phony business meetings, and job seeker frauds. The distress is that anybody could become a victim because the internet is so pervasive.






Read more »
User Privacy
Botnet Dark Web Data Breach Hacktivists Misinformation Phishing Attacks Russia-Ukraine War SSU User Privacy

30 Million Data Theft Hacktivists Detained in Ukraine

The Security Service of Ukraine's (SSU) cyber division has eliminated a group of hackers responsible for the data theft or roughly 30 million people. 

According to SSU, its cyber branch has dismantled a group of hacktivists who stole 30 million accounts and sold the data on the dark web. According to the department, the hacker organization sold these accounts for about UAH 14 million ($375,000). 

As stated by the SSU, the hackers sold data packs that pro-Kremlin propagandists bought in bulk and then utilized the accounts to distribute false information on social media, generate panic, and destabilize Ukraine and other nations. 

YuMoney, Qiwi, and WebMoney, which are not permitted in Ukraine, were used by the group to receive funds.The police discovered and seized many hard drives containing stolen personal data, alongside desktops, SIM cards, mobile phones, and flash drives, during the raids on the attackers' homes in Lviv, Ukraine. 

By infecting systems with malware, fraudsters were able to gather sensitive data and login passwords. They targeted systems in the European Union and Ukraine. According to Part 1 of Article 361-2 of the Ukrainian Criminal Code, unauthorized selling of material with restricted access, the group's organizer has been put under investigation.

The number of people detained is still unknown, but they are all charged criminally with selling or disseminating restricted-access material stored in computers and networks without authorization. There are lengthy prison terms associated with these offenses.

The gang's primary clients were pro-Kremlin propagandists who utilized the stolen accounts in their destabilizing misinformation efforts in Ukraine and other nations.

The SSU took down five bot farms that spread misinformation around the nation in March and employed 100,000 fictitious social media profiles. A huge bot farm with one million bots was found and destroyed by Ukrainian authorities in August.

The SSU discovered two further botnets in September that were using 7,000 accounts to propagate false information on social media.

Malware producers are frequently easier to recognize, but by using accounts belonging to real people, the likelihood that the operation would be discovered is greatly reduced due to the history of the posts and the natural activity.






Read more »
Subscribe to: Posts (Atom)