Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label E-commerce Websites Compromised. Show all posts
internet outage
Amazon AWS Cyber incidents Cyber Outage Cyber Security E-commerce Websites Compromised internet outage

AWS Apologizes for Massive Outage That Disrupted Major Platforms Worldwide

 

Amazon Web Services (AWS) has issued an apology to customers following a widespread outage on October 20 that brought down more than a thousand websites and services globally. The disruption affected major platforms including Snapchat, Reddit, Lloyds Bank, Venmo, and several gaming and payment applications, underscoring the heavy dependence of the modern internet on a few dominant cloud providers. The outage originated in AWS’s North Virginia region (US-EAST-1), which powers a significant portion of global online infrastructure. 

According to Amazon’s official statement, the outage stemmed from internal errors that prevented systems from properly linking domain names to the IP addresses required to locate them. This technical fault caused a cascade of connectivity failures across multiple services. “We apologize for the impact this event caused our customers,” AWS said. “We know how critical our services are to our customers, their applications, and their businesses. We are committed to learning from this and improving our availability.”

While some platforms like Fortnite and Roblox recovered within a few hours, others faced extended downtime. Lloyds Bank customers, for instance, reported continued access issues well into the afternoon. Similarly, services like Reddit and Venmo were affected for longer durations. The outage even extended to connected devices such as Eight Sleep’s smart mattresses, which rely on internet access to adjust temperature and elevation. 

The company stated it would work to make its systems more resilient after some users reported overheating or malfunctioning devices during the outage. AWS’s detailed incident summary attributed the issue to a “latent race condition” in the systems managing the Domain Name System (DNS) records in the affected region. Essentially, one of the automated processes responsible for maintaining synchronization between critical database systems malfunctioned, triggering a chain reaction that disrupted multiple dependent services. Because many of AWS’s internal processes are automated, the problem propagated without human intervention until it was detected and mitigated. 

Dr. Junade Ali, a software engineer and fellow at the Institute for Engineering and Technology, explained that “faulty automation” was central to the failure. He noted that the internal “address book” system in the region broke down, preventing key infrastructure components from locating each other. “This incident demonstrates how businesses relying on a single cloud provider remain vulnerable to regional failures,” Dr. Ali added, emphasizing the importance of diversifying cloud service providers to improve resilience. 

The event once again highlights the concentration of digital infrastructure within a few dominant providers, primarily AWS and Microsoft Azure. Experts warn that such dependency increases systemic risk, as disruptions in one region can have global ripple effects. Amazon has stated that it will take measures to strengthen fault detection, introduce greater redundancy, and enhance the reliability of automated processes in its network. 

As the world grows increasingly reliant on cloud computing, the AWS outage serves as a critical reminder of the fragility of internet infrastructure and the urgent need for redundancy and diversification.
Read more »
Malwares
Cyber Attacks Cyber Threat Intelligence DLL E-commerce Websites Compromised Malicious Software Malware Attack Malwares

LegionLoader Malware Resurfaces with Evasive Infection Tactics

 

Researchers at TEHTRIS Threat Intelligence have uncovered a new wave of LegionLoader, a malware downloader also known as Satacom, CurlyGate, and RobotDropper. This sophisticated threat has been rapidly gaining momentum, with over 2,000 samples identified in recent weeks. 

According to TEHTRIS, the ongoing campaign began on December 19, 2024, and has since spread globally, with Brazil emerging as the most affected country, accounting for around 10% of reported cases. LegionLoader primarily infects systems through drive-by downloads, where users unknowingly download malicious software from compromised websites. 

Cybercriminals behind this campaign frequently leverage illegal download platforms and unsecured web pages, which are quickly taken down after redirecting victims to Mega cloud storage links containing a single ZIP file. These ZIP archives house a 7-Zip password-protected file, making it difficult for security tools to scan the contents. 

To further deceive users, a separate image file displays the password required for extraction, enticing them to execute the malware. Once extracted, LegionLoader is deployed as an MSI (Microsoft Installer) file, requiring user interaction to execute. TEHTRIS researchers found that antivirus detection rates for these MSI files range between 3 and 9 out of 60, indicating the malware’s ability to evade traditional security measures. 

The MSI file also includes two key anti-sandbox mechanisms: a fake CAPTCHA prompt to prevent automated analysis and a virtual environment detection feature using Advanced Installer. These obstacles make it challenging for security researchers to analyze the malware in controlled environments. Upon execution, LegionLoader extracts multiple files into the system’s %APPDATA% directory, including clean DLLs, executables, and a password-protected archive containing the primary payload. 

The malware then uses UnRar.exe to extract a DLL file, which is sideloaded using obsffmpegmux.exe to execute the next stage of the attack. Notably, the obs.dll payload is crafted to evade detection by security tools. TEHTRIS analysis found that most of its exports are empty, while the few containing code appear intentionally misleading, likely to slow down forensic investigation. 

Further examination using BinDiff revealed that while different obs.dll samples were structurally identical, variations existed in their second-stage payloads. During dynamic analysis, researchers observed shellcode decryption, leading to the execution of another malicious component. This secondary stage communicates with hardcoded command-and-control (C2) servers, though all identified C2 domains were inactive at the time of analysis, preventing further insights into the malware’s final objective. 

If all infection stages are completed, LegionLoader attempts to execute a final payload using rundll32.exe. The malware downloads an additional file, places it in a randomly named directory under %TMP%, and launches it as svchost.exe. Given the use of rundll32.exe, researchers suspect the final payload is another malicious DLL, though its specific function remains unknown.

To protect against LegionLoader, security experts advise avoiding software downloads from unverified sources and implementing behavior-based detection strategies. These proactive measures can help mitigate the risks posed by evolving malware threats.
Read more »
Windows
Content Management System Cyberattack. E-commerce Websites Compromised Golang Linux StealthWorker Windows

StealthWorker: Manipulates Compromised E-Commerce Websites To Attack Windows and Linux Platforms




A new brute-force malware which goes by the name of StealthWorker was recently uncovered. This malware allegedly uses compromised e-commerce websites to steal personal data.

The platforms that have majorly been affected by this malware are Linux and windows.

Personal information and payment data are the basic motivations behind these malware attacks.

The malware is written in a very unique and rarely used language “Golang” which is already being used by the Mirai botnet development module.

To make all this happen the e-commerce websites are first compromised by employing an embedded skimmer.

The vulnerabilities of the websites are manipulated by either battering the plugin vulnerabilities or making use of a Content Management System (CMS).

The malware emerged while the researchers were analyzing the command and control server (5.45.69[.]149).

That’s where they found the storage directory with samples intending to brute force a source admin tool.

There have been previous versions of this malware which had only windows on their radar.

But the latest version happens to have server payload binaries to get into Linux as well.

One of the samples that the researchers were working on is “PhpMyAdminBrut_Windows_x86.exe” where an IP was found which led to a web panel login with an array of new samples.

Some open directories were also found which comprised of new file names which indicated towards IoT devices with ARM and Mips structures.

StealthWorker works on a routine execution to ensure that the malware stays even after the system’s rebooted.

The researchers also used the IDA python script to look for other f malicious functions.

Out of research it was also found out that other platforms and services are also on the target list namely, FTP, Joomla, cpanel, Mysql, SSH and others.

Furthermore, other major moves are also being made on the part of the cyber-cons towards infecting an extensive variety of platforms.
Read more »
Subscribe to: Comments (Atom)