Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Botnet. Show all posts

XorBot Evolves with Advanced Evasion Strategies, Targets IoT

 


A resurgence of the XorBot botnet was detected by NSFOCUS, which has been identified as a powerful threat to Internet of Things (IoT) devices across the world. XorBot was first discovered in late 2023; since then, it has evolved significantly, gaining advanced anti-detection mechanisms as well as a wider array of exploits and methods from which to sneak past detection. 

Cybersecurity defenders are now faced with a new challenge, especially in light of the latest version, version 1.04. The XorBot has consistently proven its ability to adapt and evade detection since it was first introduced in 2009. "XorBot is unequivocally one of the biggest threats to the security of the Internet of Things (IoT)," NSFOCUS reports. 

It targets devices such as Intelbras cameras and routers from TP-Link and D-Link, as well as a variety of other internet-connected devices. There are currently up to 12 exploit methods available in the botnet, and it has evolved to control a significant number of devices over the years. XorBot is particularly known for propagating its infection by exploiting vulnerabilities in IoT devices to spread. It has been confirmed by Thawte that one of the threat actor groups Matrix, has been linked to a widespread distributed denial-of-service (DDoS) campaign which exploits devices which are connected to the Internet of Things (IoT) due to vulnerabilities or misconfiguration. 

The devices involved in this operation, including IP cameras, routers and telecom equipment, have been co-opted into a botnet for purposes of launching disruptive attacks against a network. It appears that the campaign is primarily targeting IP addresses related to China and Japan, with a lesser degree of activity present in other regions including Argentina, Brazil, and the United States. Interestingly, Ukraine has not been targeted. This suggests that the campaign is being launched for financial reasons, not for political reasons. 

As part of the matrix attack, Matrix exploits known vulnerabilities in internet-connected devices by making use of publicly available tools and scripts, including those found on platforms such as GitHub. A variety of internet-connected devices, such as IP cameras, DVRs, routers, and telecommunication equipment, are vulnerable to attacks via attack chains using known security flaws and default or weak credentials, allowing adversaries to access a wide variety of internet-connected devices. 

Besides misconfigured Telnet, SSH, and Hadoop servers, it has also been observed that this threat actor is targeting IP addresses that belong to cloud service provider (CSP) IP address ranges such as Amazon Web Services (AWS) and Microsoft Azure, as well as Google Cloud Platform and rival cloud services just to name a few. As part of the malicious activity, a large number of publicly available scripts and tools are used, which is ultimately used to deploy the Mirai botnet malware and other DDoS-related programs on compromised devices and servers, as well. 

PYbot, Pynet, DiscordGo, Homo Network, and a JavaScript program that implements a flood attack using HTTP/HTTPS, as well as a tool that enables the disabling of Microsoft Defender Antivirus running on Windows machines are all included in the toolkit. Moreover, this botnet monopolizes resources in infected devices, leading to the /tmp directory being set as a read-only directory, making it impossible for any other malware to compromise the same device. 

The operators of XorBot have taken a new focus on profitability. They openly advertise distributed denial of service (DDoS) attacks as a service, advertising themselves as the Masjesu Botnet, an alias for XorBot. According to NSFOCUS, Telegram has become a central platform for recruiting customers and promoting services, as well as providing an excellent foundation for further botnet growth and expansion. This botnet, whose activity is aimed at evading detection by using advanced evasion techniques, poses a significant threat to cybersecurity efforts, as it utilizes advanced evasion techniques. 

As part of the anti-tracking design, it uses passive online methods to connect with control servers without sending identifiers such as IP addresses, thereby preventing an automated tracking system from being set up, such as how it will wait for instructions and respond with random data to obscure the tracking attempt. In addition to that, this attack uses "code obfuscation" to further impede detection through the embedding of redundant code and the concealment of its signatures, preventing static analysis from being performed. 

In addition, XorBot implements a unique communication mechanism that minimizes its visibility over the network, thus making it more stealthy. It is evident from these sophisticated tactics that the botnet has evolved rapidly and that it faces a growing number of threats that are related to the Internet of Things. The NSFOCUS report estimates that botnet operators invest heavily in anti-detection and anti-tracking techniques, making it significantly more difficult for defence mechanisms to counter.

Volt Typhoon rebuilds malware botnet following FBI disruption

 


There has recently been a rise in the botnet activity created by the Chinese threat group Volt Typhoon, which leverages similar techniques and infrastructure as those previously created by the group. SecurityScorecard reports that the botnet has recently made a comeback and is now active again. It was only in May of 2023 that Microsoft discovered that the Volt Typhoon was stealing data from critical infrastructure organizations in Guam, which it linked to the Chinese government. This knowledge came as a result of a spy observing the threat actor stealing data from critical infrastructure organizations on US territory. 

Several Cisco and Netgear routers have been compromised by Chinese state-backed cyber espionage operation Volt Typhoon since September, to rebuild its KV-Botnet malware, which had previously been disrupted by the FBI and was unsuccessfully revived in January, reports said. A report by Lumen Technologies' Black Lotus Labs released in December 2023 revealed that outdated devices mostly powered Volt Typhoon's botnet from Cisco, Netgear, and Fortinet. 

The botnet was used to transfer covert data and communicate over unsecured networks. The US government recently announced that the Volt Typhoon botnet had been neutralized and would cease to operate. Leveraging the botnet's C&C mechanisms, the FBI remotely removed the malware from the routers and changed the router's IP address to a port that is not accessible to the botnet. 

Earlier this month, in response to a law enforcement operation aimed at disrupting the KV-Botnet malware botnet, Volt Typhoon, which is widely believed to be sponsored by the Chinese state, has begun to rebuild its malware botnet after law enforcement officials disrupted it in January. Among other networks around the world, Volt Typhoon is considered one of the most important cyberespionage threat groups and is believed to have infiltrated critical U.S. infrastructure at least for the past five years. 

To accomplish their objectives, they hack into SOHO routers and networking devices, such as Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, and install proprietary malware that establishes covert communication channels and proxies, as well as maintain persistent access to targeted networks through persistent access. 

Volt Typhoon was a malicious botnet created by a large collection of Cisco and Netgear routers that were older than five years, and, therefore, were not receiving security updates as they were near the end of their life cycle as a result of having reached end-of-life (EOL) status. This attack was initiated by infecting devices with the KV Botnet malware and using them to hide the origin of follow-up attacks targeting critical national infrastructure (CNI) operations located in the US and abroad. 

There has been no significant change in Volt Typhoon's activity in the nine months since SecurityScorecard said they observed signs of it returning, which makes it seem that it is not only present again but also "more sophisticated and determined". Strike team members at SecurityScorecard have been poring over millions of data points collected from the organization's wider risk management infrastructure as part of its investigation into the debacle and have come to the conclusion that the organization is now adapting and digging in in a new way after licking its wounds in the wake of the attack. 

In their findings, the Strike Team highlighted the growing danger that the Volt Typhoon poses to the environment. To combat the spread of the botnet and its deepening tactics, governments and corporations are urgently needed to address weaknesses in legacy systems, public cloud infrastructures, and third-party networks, says Ryan Sherstobitoff, the senior vice president of SecurityScorecard's threat research and intelligence. "Volt Typhoon is not only a botnet that has resilience, but it also serves as a warning computer virus. 

In the absence of decisive action, this silent threat could trigger a critical infrastructure crisis driven by unresolved vulnerabilities, leading to a critical infrastructure disaster." It has been observed that Volt Typhoon has recently set up new command servers to evade the authorities through the use of hosting services such as Digital Ocean, Quadranet, and Vultr. Afresh SSL certificates have also been registered to evade the authorities as well. 

The group has escalated its attacks by exploiting legacy Cisco RV320/325 and Netgear ProSafe router vulnerabilities. According to Sherstobitoff, even in the short period that it took for the operation to be carried out, 30 per cent of the visible Cisco RV320/325 network equipment around the world was compromised. According to SecurityScorecard, which has been monitoring this matter for BleepingComputer, the reason behind this choice is likely to be based on geographical factors by the threat actors.

It would seem that the Volt Typhoon botnet will return to global operations soon; although the size of the botnet is nowhere near its previous size, it is unlikely that China's hackers will give up on their mission to eradicate the botnet. As a preventative measure, older routers should be replaced with more current models and placed behind firewalls. Remote access to admin panels should not be made open to the internet, and passwords for admin accounts should be changed to ensure that this threat is not created. 

To prevent exploitation of known vulnerabilities, it is highly recommended that you use SOHO routers that are not too old to install the latest firmware when it becomes available. Among the areas in which the security firm has found similarities between the previous Volt Typhoon campaigns and the new version of the botnet are its fundamental infrastructure and techniques. A vulnerability in the VPN of a remote access point located on the small Pacific island of New Caledonia was found by SecurityScorecard's analysis. As the network was previously shut down, researchers observed it being used once again to route traffic between the regions of Asia-Pacific and America, although the system had been taken down previously. 

Cybersecurity Beyond Phishing: Six Underrated Threats


Cybercriminals are continually developing new methods to exploit vulnerabilities, and even the most tech-savvy individuals and organizations can find themselves at risk. While some cyberattacks like phishing and malware are well-known, several lesser-known but equally dangerous threats require attention. This blog post explores six types of cyberattacks you might not have considered but should be on your radar.

1. Botnet Attacks

A botnet attack involves a network of compromised computers, or "bots," which are controlled by a single entity, often referred to as a "botmaster." These botnets can be used to launch large-scale cyberattacks such as Distributed Denial-of-Service (DDoS) attacks, which overwhelm a target’s resources, rendering it inaccessible. 

In 2016, hackers used the Mirai botnet to take control of millions of devices and launched a huge DDoS attack on Dyn, a major domain name server provider.

Some hackers also take over IoT devices to "brick" them, which means they damage the device’s firmware so it becomes useless. They do this for fun or to teach people about cybersecurity.

2. LLMjacking

As language models become integral in various applications, they present new cyberattack vectors. LLMjacking, or Large Language Model hijacking, involves manipulating language models to generate harmful or misleading information. 

Attackers can exploit vulnerabilities in these models to spread misinformation, influence public opinion, or even automate phishing attacks. The rise of AI-powered tools necessitates the implementation of stringent security measures to safeguard against such manipulations.

Companies that utilize cloud-hosted Large Language Models (LLMs) are at risk of LLM jacking because they possess the necessary server resources to operate generative AI programs. Hackers might exploit these resources for personal purposes, such as creating their own images, or for more malicious activities like generating harmful code, contaminating the models, or stealing sensitive information.

While an individual hijacking a cloud-based LLM for personal use might not cause significant damage, the costs associated with resource usage can be substantial. A severe attack could result in charges ranging from $50,000 to $100,000 per day for the owner.

3. Ransomware

Unlike traditional malware that aims to steal information, ransomware directly extorts victims. Attackers encrypt valuable data and demand payment, often in cryptocurrency, for the decryption key. Organizations of all sizes are potential targets, and the financial and reputational damage can be severe. Preventative measures, including regular data backups and cybersecurity training, are crucial in mitigating the risks of ransomware attacks.

4. Insider Threats

An insider threat comes from within the organization, typically from employees, contractors, or business partners who have inside information concerning the organization’s security practices. These threats can be malicious or unintentional but are dangerous due to the privileged access insiders have. 

They may misuse their access to steal sensitive information, disrupt operations, or introduce vulnerabilities. Organizations need to implement strict access controls, regular monitoring, and education to reduce the risk of insider threats.

5. Man-in-the-Middle (MitM) Attacks

Man-in-the-middle attacks occur when an attacker intercepts communication between two parties without their knowledge. The attacker can then eavesdrop, manipulate, or steal sensitive information being exchanged. 

MitM attacks are particularly concerning for financial transactions and other confidential communications. Encrypted communication channels, strong authentication methods, and educating users about potential risks are effective strategies to prevent such attacks.

6. Phishing Schemes

Phishing remains one of the most prevalent cyber threats, evolving in sophistication and technique. Attackers use deceptive emails, messages, or websites to trick individuals into divulging personal information such as usernames, passwords, and credit card details. 

Spear phishing, a targeted form of phishing, involves personalized attacks on specific individuals or organizations, making them harder to detect. Continuous cybersecurity awareness training and employing advanced email filtering solutions can help protect against phishing schemes.

Prometei Botnet: The Persistent Threat Targeting Global Systems

 

The Prometei botnet, active since at least 2016, continues to pose a persistent threat worldwide by exploiting unpatched software vulnerabilities. First identified in 2020, Prometei has since infected over 10,000 systems across diverse regions, including Brazil, Indonesia, Turkey, and Germany. Its resilience stems from its focus on widely used software gaps, particularly in systems with weak configurations, unmonitored security measures, or outdated patches. The Federal Office for Information Security in Germany has labeled it a medium-impact threat, given its extensive reach and ability to bypass security protocols. Prometei operates by exploiting vulnerabilities in widely used software, spreading particularly through unpatched or poorly configured Exchange servers. 

Critical Start’s Callie Guenther highlights Prometei’s strategy of leveraging regions with inadequate cybersecurity, making it highly effective in targeting various systems regardless of location. One notable aspect is its ability to spread through legacy vulnerabilities, such as the BlueKeep flaw in Remote Desktop Protocol (RDP), which has a critical CVSS score of 9.8. By targeting these known issues, Prometei can quickly access poorly maintained systems that remain unprotected. A Prometei attack often starts with a series of network login attempts, typically originating from locations associated with known botnet infrastructure. Once access is secured, the malware tests various system weaknesses, particularly outdated vulnerabilities like BlueKeep and EternalBlue. If successful, it can propagate through Server Message Block (SMB) systems or use ProxyLogon flaws to exploit Windows environments further. 

Prometei’s use of outdated exploits could be seen as less sophisticated; however, its approach is strategic, focusing on identifying vulnerable, under-maintained systems rather than tackling those with robust security protocols. Once established in a target system, Prometei employs several techniques to maintain control and evade detection. For example, it uses a domain generation algorithm (DGA) to enhance its command-and-control (C2) system, allowing continuous operation even if some domains are blocked. It further manipulates firewall settings to ensure its traffic is not obstructed, enabling it to persist even after system reboots. Among its advanced methods is the use of the WDigest protocol, which stores plaintext passwords in memory. 

Prometei forces systems to store passwords in plaintext, then exfiltrates them while bypassing detection by configuring Windows Defender to ignore specific files. The primary goal of Prometei appears to be cryptojacking, as it harnesses infected systems to mine the Monero cryptocurrency without the owners’ knowledge. Additionally, it installs an Apache web server as a web shell, creating a backdoor for attackers to upload more malicious files or execute commands. Prometei’s presence, according to Trend Micro’s Stephen Hilt, often signals deeper security concerns, as it can coexist with other malicious software, highlighting vulnerabilities that attackers may leverage for various purposes. Interestingly, Prometei avoids certain regions, specifically targeting systems outside former Soviet countries. Its command-and-control servers bypass exit nodes within these nations, avoiding accounts tagged as “Guest” or “Other user” in Russian.

Older versions of Prometei also included Russian-language settings, hinting at a potential connection to Russian-speaking developers. The botnet’s name, “Prometei,” references the Greek titan Prometheus, symbolizing a persistence that echoes the botnet’s own sustained presence in global cyber threats. Prometei exemplifies the persistent and evolving nature of modern botnets. Its success in exploiting well-known but unpatched vulnerabilities underscores the importance of maintaining updated security systems. For organizations worldwide, especially those with legacy systems or lax monitoring, Prometei serves as a critical reminder to reinforce defenses against cyber threats, as outdated security leaves systems vulnerable to malicious actors seeking to exploit any gap available.

FBI Shuts Down Chinese Linked Botnet Campaign in a Joint Operation

FBI Joint Operation 

The FBI has cracked down on a vast botnet operation linked to a Chinese hacking group, the attackers targeted government agencies, universities, and other entities in the US. 

The Five Eyes intelligence alliance issued a joint report alerting organizations to take safety measures after finding the botnet was used to deploy DDoS attacks and compromise organizations in the US.

Flax Typhoon Involved

Talking about the threat at the Aspen Cyber Summit, Chris Wray, FBI director, said the operation was launched by the Flax Typhoon group, the attackers deployed malware on more than 200,000 customer devices. In a joint operation, the FBI and US Department of Justice were able to take hold of botnet’s infrastructure, 50% of the compromised devices were found in the US.

The hijacked devices- cameras, internet routers, and video recorders, made a large botnet to steal crucial data. The attacks were similar to another botnet campaign operated by the Volt Typhoon group, it also used web-connected devices to make a botnet that hijacked systems and stole sensitive data. 

But Flax Typhoon’s botnet also compromised a larger range of devices, compared to the router-based network by Volt Typhoon.

Flax Typhoon group disguises itself as an information security company but has a long history of working with close links to the Chinese government, says Wray.

“They represent themselves as an information security company—the Integrity Technology Group. But their chairman has publicly admitted that for years his company has collected intelligence and performed reconnaissance for Chinese government security agencies.”

Rise in State-sponsored Attacks

Although the operation was a success, says Wray, he warns that threats of state-sponsored attacks from China still exist.  Wray warned that although this operation was a success, the wider ecosystem of state-affiliated cyber attacks out of China was still alive and well.

“This was another successful disruption, but make no mistake — it’s just one round in a much longer fight. The Chinese government is going to continue to target your organizations and our critical infrastructure, either by their own hand or concealed through their proxies, and we’ll continue to work with our partners to identify their malicious activity, disrupt their hacking campaigns, and bring them to light,” Wray said.

According to a Microsoft report from 2023, Flax Typhoon has been in the game since 2021. Other reports suggest the group has been active since 2020. In the initial years, the Flax Typhoon attacked government agencies, critical manufacturing, the education sector, and IT firms in Taiwan.

The Corona Mirai Botnet: Exploiting End-of-Life IP Cameras

The Corona Mirai Botnet: Exploiting End-of-Life IP Cameras

A recent report by Akami experts highlights a troubling trend: the exploitation of a five-year-old zero-day vulnerability in end-of-life IP cameras by the Corona Mirai-based malware botnet. This blog delves into the details of this issue, its implications, and the broader lessons it offers for cybersecurity.

The Vulnerability in AVTECH IP Cameras

The specific target of this malware campaign is AVTECH IP cameras, which have been out of support since 2019. These cameras are no longer receiving security patches, making them prime targets for cybercriminals. The vulnerability in question is a remote code execution (RCE) zero-day, which allows attackers to inject malicious commands into the camera’s firmware via the network. This particular exploit leverages the ‘brightness’ function in the camera’s firmware, a seemingly harmless feature that has become a gateway for malicious activity.

The Corona Mirai-Based Malware Botnet

The Corona Mirai-based malware botnet is a variant of the infamous Mirai botnet, which has been responsible for some of the most significant distributed denial of service (DDoS) attacks in recent history. By exploiting the RCE vulnerability in AVTECH IP cameras, the malware can gain control over these devices, adding them to its botnet. Once compromised, these cameras can be used to launch DDoS attacks, overwhelm networks, and disrupt services.

The Implications of Exploiting End-of-Life Devices

The exploitation of end-of-life devices like AVTECH IP cameras underscores a critical issue in cybersecurity: the risks associated with using outdated and unsupported technology. When manufacturers cease support for a device, it no longer receives security updates, leaving it vulnerable to new threats. In the case of AVTECH IP cameras, the lack of patches for the RCE vulnerability has made them easy targets for cybercriminals.

This situation highlights the importance of regular updates and patches in maintaining the security of devices. It also raises questions about the responsibility of manufacturers to provide long-term support for their products and the need for users to replace outdated technology with more secure alternatives.

Experts Suggest These Steps

  • Ensuring that all devices receive regular updates and patches is crucial in protecting against new vulnerabilities. Users should prioritize devices that are actively supported by manufacturers.
  • Manufacturers should clearly communicate end-of-life policies and provide guidance on replacing outdated devices. Users should be aware of these policies and plan for timely replacements.
  • Implementing network segmentation can help contain the impact of compromised devices. By isolating vulnerable devices from critical systems, organizations can reduce the risk of widespread damage.

History Meets Hackers: Internet Archive Battles Ongoing DDoS Attacks

Under Siege: Internet Archive Battles Ongoing DDoS Attacks

The Internet Archive is allegedly subject to continuing DDoS (distributed denial-of-service) attacks. The attacks began over the Memorial Day holiday weekend, according to the California-based charity, and some users reported being unable to access the digital archive site for several hours on Monday.

Why target the Internet Archive?

The motives behind DDoS attacks can vary. In the case of the Internet Archive, it seems:

  • Ideological Vendetta: Some believe that the attackers oppose the archive’s mission of open access to information. Perhaps they resent the democratization of knowledge or harbor a grudge against the organization.
  • Collateral Damage: The Internet Archive hosts controversial content, including political websites, historical documents, and even old Geocities pages. An attack on the archive could inadvertently affect unrelated sites.

"Archive.org is under DDoS attack," the nonprofit's X account announced Monday morning. "The data is not affected, but most services are unavailable."

The Internet Archive’s response

The nonprofit swiftly responded to the attacks. While details about the perpetrators have not surfaced, the organization changed its infrastructure to enhance resilience. It’s a delicate balancing act: maintaining accessibility while safeguarding against future attacks.

A few hours later, the organization reported that there was some "back and forth with the attackers." The business says it made certain improvements to its service but has not yet revealed further data on the attackers' identity or any likely motive for the attack.

Multiple X users reported that the site was still down Monday afternoon, despite Internet Archive's announcement that its services had been restored. On Monday, the organization verified that the DDoS attacks have resumed.

The archive site also reported network traffic difficulties on Sunday. Brewster Kahle, the founder and board chair of the Internet Archive, stated that the troubles on Sunday could have been caused by an "over-aggressive crawling group" or a DDoS attack and that the site typically experiences more technical issues on weekends.

The Anatomy of a DDoS Attack

DDoS attacks are like digital traffic jams. They flood a target server with an overwhelming volume of requests, causing it to slow down or crash. Here’s how they work:

  • Botnet Deployment: Attackers assemble a botnet—a network of compromised computers or devices—by infecting them with malware. These bots become unwitting foot soldiers in the attack.
  • Coordination: The attacker orchestrates the botnet to send a barrage of requests to the target server. The sheer volume overwhelms the server’s capacity to respond.
  • Impact: The target server becomes sluggish or unresponsive, affecting legitimate users who rely on its services.

The bigger picture

While additional digital archive sites exist, many of them use domain extensions headquartered outside of the United States. Internet Archive was started in San Francisco, California, in 1996. Kahle has been advocating for "universal access to all knowledge" through books, websites, and other forms of media for decades.

In addition to hacks, the archive group has faced several lawsuits in recent years. In 2020, major US book publishers sued the nonprofit over the Internet Archive's digital book lending scheme, alleging copyright infringement. Last year, a judge decided that the program breached the publishers' copyright. However, the foundation continues to contend that "controlled digital lending" is fair usage.

In 2023, Sony and Universal Music sued Internet Archive over their music archives, claiming copyright violation.

FritzFrog’s Evolution: Exploiting Log4Shell Vulnerability Reveals Alarming Tactics

 

In a startling development, the notorious FritzFrog botnet, which first emerged in 2020, has undergone a significant transformation by exploiting the Log4Shell vulnerability. Unlike its traditional approach of focusing on internet-facing applications, this latest variant is now aggressively targeting all hosts within a victim's internal network, according to recent findings by Akamai researchers, a leading cybersecurity and content delivery network provider. 

Originally recognized for its use of brute-force attacks on SSH to compromise servers and deploy cryptominers, FritzFrog has adopted a new campaign named "Frog4Shell." This campaign leverages the Log4Shell vulnerability, a flaw in the widely used Log4j web tool, discovered in 2021. Despite extensive global patching efforts initiated by governments and security companies, the Log4Shell bug remains a persistent threat. 

Frog4Shell represents a paradigm shift in FritzFrog's tactics. The malware now goes beyond the conventional approach of compromising high-profile internet-facing applications. Instead, it meticulously scans and reads system files on compromised hosts to identify potential targets within internal networks, particularly vulnerable Java applications. 

This evolution is particularly concerning as it exposes neglected and unpatched internal machines, exploiting a circumstance often overlooked in previous security measures. Even if organizations have patched their high-profile internet-facing applications, FritzFrog's latest variant poses a risk to the entire internal network. 

Akamai, a leading cybersecurity and content delivery network provider, has observed over 20,000 FritzFrog attacks and identified more than 1,500 victims over the years. The malware's latest features include enhanced privilege escalation capabilities, evasion tools against cyber defences, and the potential for incorporating additional exploits in future versions. 

While approximately 37% of infected nodes are located in China, the exact location of the FritzFrog operator remains to be determined. This strategic ambiguity suggests an effort to mask the true identity or origin of the threat actor. 

As FritzFrog continues to evolve and adapt, organizations are urged to prioritize comprehensive patching strategies encompassing not only internet-facing assets but also internal hosts. The ongoing threat landscape underscores the importance of staying vigilant against sophisticated botnet tactics and proactively securing networks to mitigate potential risks associated with Log4Shell and the advanced exploits employed by FritzFrog. 

Socks5Systemz Proxy Service Impacts 10,000 Systems Globally

 

A proxy botnet identified as 'Socks5Systemz' has been infecting computers across the globe with the 'PrivateLoader' and 'Amadey' malware loaders, with 10,000 infected devices currently. 

The malware infects computers and transforms them into traffic-forwarding proxies for malicious, illegal, or concealed traffic. It supplies this service to customers who pay between $1 and $140 per day in cryptocurrency to access it. 

Socks5Systemz is detailed in a BitSight report, which clarifies that the proxy botnet has been active since at least 2016, but has remained largely unnoticed until recently. 

The Socks5Systemz bot is propagated by the PrivateLoader and Amadey malware, which are frequently distributed through phishing, exploit kits, malvertizing, trojanized executables downloaded from P2P networks, and other techniques.

The BitSight samples are called 'previewer.exe,' and their task is to inject the proxy bot into the host's memory and establish persistence for it through a Windows service called 'ContentDWSvc.' 

The payload for the proxy bot is a 300 KB 32-bit DLL. It connects to its command and control (C2) server via a domain generation algorithm (DGA) system and sends profiling information about the infected machine. 

In response, the C2 can issue one of the following commands: 

  • Idle: Take no action.
  • connect: Establish a connection to a backconnect server. 
  • disconnect: This command disconnects you from the backconnect server. 
  • updips: Update the list of IP addresses authorized to send traffic. 
  • upduris: Not yet implemented. 

The connect command, which instructs the bot to establish a backconnect server connection over port 1074/TCP, is critical. 

The infected device can now be used as a proxy server and sold to other threat actors once connected to the threat actors' infrastructure. It uses fields to figure out the IP address, proxy password, list of blocked ports, and so on when connecting to the backconnect server. 

These field parameters ensure that only bots on the allowlist with the required login credentials can connect with the control servers, preventing unauthorised attempts. 

Impact of illegal business

A large control infrastructure comprising 53 proxy bot, backconnect, DNS, and address acquisition servers spread largely across France and Europe (Netherlands, Sweden, Bulgaria) was mapped by BitSight. 

There are two subscription tiers for Socks5Systemz proxying services: "Standard" and "VIP." Customers can pay for their subscriptions using the anonymous (no KYC) payment gateway "Cryptomus." 

In order to be added to the bot's allowlist, subscribers must specify the IP address through which the proxied traffic will originate. 

VIP users are able to use 100–5000 threads and describe the proxy type as HTTP, SOCKS4, or SOCKS5, while standard subscribers are restricted to a single thread and proxy type. 

Unauthorised bandwidth hijacking and internet security are significantly affected by the profitable business of residential proxy botnets. These services are very popular because they are often used for circumventing geo-restrictions and shopping bots. 

A vast proxy network with over 400,000 nodes was exposed by AT&T analysts in August. Unaware Windows and macOS users were acting as exit nodes in this network, channelling other people's internet traffic.

NightOwl App is Targeting Older Macs to Siphon User Data

 

The NightOwl app, which was once a popular option for automatically transitioning between dark and light modes on macOS Mojave, has been identified to secretly store user data. 

NightOwl was initially introduced in 2018 as a third-party software to fix the lack of an automated switching capability, and it quickly attracted a user base. However, with the release of official macOS dark mode capabilities, the app became outdated.

It was recently discovered that NightOwl had been stealthily upgraded to add malicious code that transformed users' devices into botnet agents. The app turned out to be operating a local HTTP proxy without the users' knowledge or consent, transferring their IP data through a server network.The app's settings could not be disabled, forcing users to enter commands in the Terminal app to delete the code from their devices. 

Due to the removal of the app from the NightOwl website and app store, it is unclear how many individuals were impacted by this criminal activity. The app's website says that over 27,000 users have downloaded it more than 141,000 times. The NightOwl proprietors claim that they are cooperating with antivirus firms to swiftly resolve the issue and deny any misconduct.

Taylor Robinson, a web developer who identified the app's nefarious activity, identified that NightOwl was purpose-built to remain anonymous. The botnet connection was created on the device's principal user account and executed every time booted up. The app's owners claimed that they merely collected users' IP addresses and that this was indicated in their terms and conditions. 

While there is no proof that more than IP addresses were collected, the app owners went to considerable length to hide their trails. The app's terms of service were amended in June, adding language that required users' computers to act as a gateway for sharing internet traffic with third parties. 

The NightOwl app serves as a warning tale for users to be aware of third-party software and to frequently evaluate their installed programmes for any potential privacy or security risks.

Ransomware Makes Up 58% of Malware Families Sold as Services

 

Ransomware has emerged as the most pervasive Malware-as-a-Service (MaaS) during the past seven years, according to a new study from the Kaspersky Digital Footprint Intelligence team. Based on analysis of 97 malware families that were disseminated via the dark web and other sites, the study was undertaken. The researchers also discovered that hackers frequently rent infostealers, botnets, loaders, and backdoors to conduct their attacks.

An illegal business concept called malware-as-a-service (MaaS) involves renting out software to commit cyberattacks. Clients of these services are typically provided with a personal account via which they may manage the attack as well as technical support. 

Ransomware the most widely used malware-as-a-Service

In order to determine the popular types, Kaspersky's experts assessed the sale quantities of different malware families as well as mentions, debates, posts, and search advertising on the darknet and other sites regarding MaaS. The dominant force turned out to be ransomware, or malicious software that encrypts data and demands payment to decrypt it. Of all the families supplied under the MaaS model between 2015 and 2022, it accounted for 58%. Ransomware's appeal can be ascribed to its capacity to produce greater earnings than other forms of malware in a shorter amount of time.

Ransomware-as-a-service (RaaS) allows cybercriminals to "subscribe" for nothing. They start paying for the service after the attack occurs after they are partners in the programme. A portion of the victim's ransom payment, usually between 10% and 40% of each transaction, determines the payout amount. Entering the programme, meanwhile, is not an easy undertaking because there are strict qualifications. 

Infostealers made up 24% of malware families offered as a service throughout the analysed time frame. These are malicious software meant to steal information, including usernames, passwords, banking information, browsing history, data from cryptocurrency wallets, and more. 

Subscription-based payment methods are used for infostealer services. The cost per month ranges from 100 to 300 dollars in the United States. For instance, Raccoon Stealer, which was cancelled in the first few days of February 2023, could be purchased for 275 dollars per month or 150 dollars per week. According to information provided on the Darknet by its operators, RedLine's rival charges 150 dollars a month and also offers the chance to buy a lifetime licence for 900 dollars. 

Botnets, loaders, and backdoors were found to be present in 18% of malware families offered as services. Since many of these threats share the same objective—uploading and running further malware on the victim's device—they are grouped together as a single threat. 

Prevention tips

Kaspersky experts advise the following to safeguard your business from such threats: 

  • To stop hackers from breaking into your network by taking advantage of vulnerabilities, keep the software updated on all the devices you use.
  • Update your systems with fixes as soon as new vulnerabilities are discovered. Threat actors cannot exploit the vulnerability after it has been downloaded. 
  • To stay informed about the real TTPs employed by threat actors, use the most recent threat intelligence data. 
  • Investigate an adversary's perception of your company's resources with the aid of Kaspersky Digital Footprint Intelligence to quickly identify any potential attack vectors you may have. This also aids in spreading awareness of the threats that cybercriminals are currently posing so that you can timely alter your defences or implement countermeasures and elimination strategies.

Chinese APT Group Hijacks Software Updates for Malware Delivery

An advanced persistent threat (APT) group from China, known as Evasive Panda, has been discovered to be hijacking legitimate software update channels of Chinese-developed applications to deliver custom malware to individuals in China and Nigeria for cyber-espionage purposes. Researchers from Eset discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses. The modular malware allows Evasive Panda to spy on victims and enhance its capabilities on the go.

The APT group's activity was fairly easy to attribute to Evasive Panda as researchers have never observed any other threat actors using the MgBot backdoor. The attacks have been ongoing for two years, and the primary goal is to steal credentials and data for espionage purposes. This is another example of state-sponsored actors' increasing sophistication and persistence in cyberspace.

Using legitimate software update channels is a clever technique employed by the group to avoid detection by traditional security measures. Once the malware is delivered through the update, it can operate in the background undetected, and the APT group can exfiltrate sensitive information from the victim's device.

This discovery highlights the importance of maintaining a secure software supply chain and the need for constant vigilance in monitoring the activity of state-sponsored threat actors. Organizations and individuals should always keep their software up to date, maintain robust security measures, and be wary of any suspicious activity or unexpected system changes.

The Eset researchers noted that the MgBot malware has been specifically customized for each victim, suggesting a high degree of sophistication and customization by the APT group. This type of advanced malware is difficult to detect and defend against, making it imperative for individuals and organizations to be proactive in their cybersecurity measures.

Google Takes Down Cryptbot Malware Infrastructure

Google has taken down the infrastructure and distribution network linked to the Cryptbot info stealer, a malware that was being used to infect Google Chrome users and steal their data. The move comes after the tech giant filed a lawsuit against those using the malware to carry out illegal activities.

Cryptbot is a type of malware that steals sensitive information from infected devices, including usernames, passwords, and credit card details. The malware is typically spread through phishing emails and malicious websites, and can be difficult to detect and remove once it has infected a device.

Google's lawsuit targets the infrastructure and distribution network behind the Cryptbot malware, with the aim of disrupting its operations and reducing the number of victims. By taking down the infrastructure, Google hopes to make it harder for cybercriminals to distribute the malware and infect new devices.

The move is part of Google's ongoing efforts to protect its users from cyber threats and keep its platform safe and secure. In recent years, the company has invested heavily in developing advanced security measures to detect and prevent malware and other malicious activities.

However, cybercriminals are constantly evolving their tactics and finding new ways to exploit vulnerabilities in systems and software. This means that companies like Google need to stay vigilant and proactive in their efforts to protect their users.

In addition to taking down the Cryptbot infrastructure, Google is also urging Chrome users to take steps to protect themselves from malware and other cyber threats. This includes keeping their software up to date, using strong and unique passwords, and being wary of suspicious emails and websites.

Google's efforts to disrupt the Cryptbot malware operation are an important step in the fight against cybercrime. By targeting the infrastructure and distribution network behind the malware, the company is helping to reduce the number of victims and make the internet a safer place for everyone.

HinataBot: The Growing DDoS Threat

 

The emergence of the HinataBot botnet has the cybersecurity community on high alert, as it has the potential to launch massive DDoS attacks with a capacity of 3.3 Tbps. This new botnet, which is based on Golang and exploits vulnerable devices, was first discovered by cybersecurity researchers in March 2023.

According to experts, the HinataBot botnet is incredibly sophisticated and could be difficult to detect and remove. It is also highly scalable, which means that it can easily expand to include thousands or even millions of devices. This makes it a serious threat to businesses and organizations of all sizes.

The HinataBot botnet is able to exploit devices that have not been properly secured, such as those that still use default login credentials. Once it has gained access to a device, it can then be used to launch DDoS attacks, which can disrupt entire networks and cause significant financial and reputational damage to businesses.

As of now, it is not clear who is behind the HinataBot botnet, but it is suspected to be a criminal group with sophisticated skills and resources. It is believed that the botnet is being used for financial gain, such as through ransom demands or by using it to extort businesses and organizations.

To protect against the threat of the HinataBot botnet, it is important to ensure that all devices are properly secured with strong passwords and up-to-date security software. Additionally, businesses and organizations should regularly monitor their networks for any signs of suspicious activity and have a comprehensive incident response plan in place.

In conclusion, the emergence of the HinataBot botnet is a reminder of the ongoing threat posed by cybercriminals and the need for businesses and organizations to remain vigilant and take proactive steps to protect their networks and data. Failure to do so could result in devastating consequences, both financially and operationally.

Emotet Recurs: Avoids Macro Security Using OneNote Attachments

 

Microsoft OneNote email attachments are now being used to spread the infamous Emotet malware, which is making a brief comeback. This malware aims to compromise systems by getting around macro-based security measures. 

Despite attempts by law enforcement to neutralise it, Emotet, connected to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, remains a formidable and tenacious menace. 

Emotet is a variant of the banking worm Cridex, which was later replaced by Dridex around the time GameOver Zeus was shut down in 2014. Since then, Emotet has developed into a "monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion."

While Emotet infections served as a conduit for Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its reappearance in late 2021 was made possible by TrickBot. 

"Emotet is renowned for extended periods of inactivity, which often occur numerous times per year, during which the botnet maintains a steady-state but does not send spam or malware," Secureworks writes in its profile of the actor. 

Dropper malware is typically disseminated via spam emails with malicious attachments. Nevertheless, with Microsoft taking steps to prevent macros from being included in downloaded Word files, OneNote attachments have emerged as an intriguing alternative avenue.

"The OneNote file is basic but effective at social engineering users with a bogus message claiming that the document is protected," Malwarebytes explained in a new alert. "Victims will accidentally double-click on an embedded script file when told to double-click on the View button." 

The Emotet binary payload can be retrieved and run from a remote server using the Windows Script File (WSF). Cyble, IBM X-Force, and Palo Alto Networks Unit 42 have all made results that are in line with ours. Nonetheless, Emotet still makes use of booby-trapped documents with malicious macros to spread its payload, luring users using social engineering tricks to enable the macros that start the attack cycle. 

According to several reports from Cyble, Deep Instinct, Hornetsecurity, and Trend Micro, such documents have been seen to use a method known as a "decompression bomb" to cloak an extremely large file (more than 550 MB) within ZIP archive attachments so that it would go unnoticed.

This is accomplished by padding the document with 00-bytes at the conclusion in order to artificially increase the file size and go beyond the restrictions set by anti-malware programmes.

The most recent advancement shows how adaptable and quick the operators are when adjusting attachment types for initial delivery to avoid detecting signatures. It also coincides with a rise in the number of OneNote documents being used by threat actors to disseminate a variety of malware, including AsyncRAT, Icedid, RedLine Stealer, Qakbot, and XWorm. 

Manufacturing, high-tech, telecom, finance, and energy are emerging as the top targeted sectors, according to Trellix, which claims that the majority of malicious OneNote detections in 2023 have been reported in the U.S., South Korea, Germany, Saudi Arabia, Poland, India, the U.K., Italy, Japan, and Croatia.

Beware of Bot Malware: Understanding the Dangers and How to Protect Your Computer


How Bot Malware Spreads and Infects Your Computer

Bot malware, also known as botnet malware, is a type of malicious software designed to create a network of infected computers or "bots" that can be remotely controlled by a hacker. These bots are typically used for a variety of nefarious purposes, including launching distributed denial of service (DDoS) attacks, stealing personal and financial information, and spreading other types of malware.

Bot malware typically spreads through a variety of methods, including email attachments, malicious websites, and infected software downloads. Once it infects a computer, the malware will attempt to connect to a command-and-control (C&C) server controlled by the hacker. This server can then send instructions to the infected bots, which can include tasks such as launching a DDoS attack on a target website or stealing sensitive information from the infected computer.

The Dangers of Bot Malware and Its Ability to Cause Significant Damage

One of the biggest dangers of bot malware is its ability to quickly spread and infect large numbers of computers. Once a botnet has been established, the hacker can use it to launch coordinated attacks on a wide range of targets, including businesses, government agencies, and individuals. These attacks can cause significant damage, both in terms of financial losses and reputational damage.

How to Detect and Remove Bot Malware from Your Computer

Bot malware can also be difficult to detect and remove. Because it operates in the background of an infected computer, it may not show any obvious signs of infection. This means that the malware can continue to spread and cause damage without the user even realizing that their computer has been compromised. Additionally, bot malware may be designed to evade traditional antivirus software, making it even more difficult to detect and remove.

To protect against bot malware, it is important to follow best practices for computer security. This includes keeping software up to date with the latest security patches, using strong passwords and two-factor authentication, and being cautious when opening email attachments or downloading software from unknown sources. It is also important to use antivirus software and regularly scan your computer for malware.

Best Practices for Protecting Your Computer Against Bot Malware

If you suspect that your computer has been infected with bot malware, it is important to take immediate action to remove the malware and prevent further damage. This may involve using specialized malware removal tools or seeking the assistance of a professional computer security expert.

In conclusion, bot malware is a dangerous and pervasive threat that can cause significant damage to individuals and organizations alike. By following best practices for computer security and being vigilant for signs of infection, you can help protect yourself from this type of malware and reduce the risk of falling victim to a botnet attack.




Cybercriminals Use ChatGPT to Ease Their Operations

 

Cybercriminals have already leveraged the power of AI to develop code that may be used in a ransomware attack, according to Sergey Shykevich, a lead ChatGPT researcher at the cybersecurity firm Checkpoint security.

Threat actors can use the capabilities of AI in ChatGPT to scale up their current attack methods, many of which depend on humans. Similar to how they aid cybercriminals in general, AI chatbots also aid a subset of them known as romance scammers. An earlier McAfee investigation noted that cybercriminals frequently have lengthy discussions in order to seem trustworthy and entice unwary victims. AI chatbots like ChatGPT can help the bad guys by producing texts, which makes their job easier.

The ChatGPT has safeguards in place to keep hackers from utilizing it for illegal activities, but they are far from infallible. The desire for a romantic rendezvous was turned down, as was the request to prepare a letter asking for financial assistance to leave Ukraine.

Security experts are concerned about the misuse of ChatGPT, which is now powering Bing's new, troublesome chatbot. They see the potential for chatbots to help in phishing, malware, and hacking assaults.

When it comes to phishing attacks, the entry barrier is already low, but ChatGPT could make it simple for people to proficiently create dozens of targeted scam emails — as long as they craft good prompts, according to Justin Fier, director for Cyber Intelligence & Analytics at Darktrace, a cybersecurity firm.

Most tech businesses refer to Section 230 of the Communications Decency Act of 1996 when addressing illegal or criminal content posted on their websites by third party users. According to the law, owners of websites where users can submit content, such as Facebook or Twitter, are not accountable for what is said there. Governments should be in charge of developing and enforcing legislation, according to 95% of IT respondents in the Blackberry study.

The open-source ChatGPT API models, which do not have the same content limitations as the online user interface, are being used by certain hackers, according to Shykevich.ChatGPT is notorious for being boldly incorrect, which might be an issue for a cybercriminal seeking to create an email meant to imitate someone else, experts told Insider. This could make cybercrime more difficult. Moreover, ChatGPT still uses barriers to stop illegal conduct, even if the correct script can frequently get around these barriers.

 Massive DDoS Attack was Thwarted by Cloudflare

 

Prioritized firms like gaming providers, hosting providers, cloud computing platforms, and cryptocurrency enterprises, according to Cloudflare, emanated from more than 30,000 IP addresses.
The greatest volumetric distributed denial-of-service (DDoS) attack that Cloudflare has seen to date was stopped.

The greatest attack, which is the largest documented HTTP DDoS attack, topped 71 million rps, per Cloudlare's analysis. The volume is 35% greater than the previous record, 45 million rps from June 2022, which had been recorded.

The FBI accused six suspects of their involvement in running 'Booter' or 'Stresser' platforms, which anybody can use to execute DDoS attacks, in response to this stream of continuously escalating attacks, and seized dozens of Internet domains. Operation PowerOFF, a larger, more coordinated worldwide law enforcement operation against DDoS-for-hire services, included the action.

Cloudflare has been collaborating with the victims to strike down the botnet and is providing service providers with a free botnet threat feed that will transmit threat intelligence from their IP and any ongoing attacks coming from their hosted autonomous system.

Researchers cautioned entities to take action immediately before the next campaign: protecting against DDoS attacks is crucial for organizations of all sizes, even while DDoS attacks on non-critical websites might not result in permanent harm or safety hazards. DDoS attacks against internet-facing equipment and patient-connect technology in the healthcare industry put patients' safety at risk.



IcedID Botnet Distributors Abuse Google PPC to Disseminate Malware

 

To improve traffic and sales, businesses utilize Google Ads to deliver adverts to specific target populations. The IcedID botnet distributors have been using SEO poisoning, since the beginning of December to entice search engine users to visit phoney websites that result in the download of malware.
In order to display malicious ads above the organic search results, attackers are choosing and ranking keywords used by well-known businesses and applications in Google pay-per-click (PPC) ads.
  • Attackers are abusing terms used by organizations including Adobe, AnyDesk, Brave Browser, Chase Bank, Discord, Fortinet, GoTo, Teamviewer, Thunderbird, the US Internal Revenue Service (IRS), and others, according to Trend Micro researchers.
  • Attackers employ the official Keitaro Traffic Direction System (TDS) to duplicate the websites of reputable companies and well-known applications in order to filter researcher and sandbox traffic and direct potential victims there.
  • A malicious Microsoft Software Installer (MSI) or Windows Installer file will be downloaded onto the user's computer if they click the Download button.
  • The file serves as the bot's initial loader, obtaining the bot's core before releasing a backdoor payload.
 Escaping Detection:

IcedID operators have employed a number of strategies in malvertising attacks to make detection difficult. Libraries like tcl86.dll, sqlite3.dll, conEmuTh.x64.dll, and libcurl.dll, which are well-known and often used, are among the files updated to serve as IcedID loaders.

Since the genuine and modified versions of the MSI or installer files are so similar, machine learning detection engines and whitelisting systems have a difficult time identifying the modified versions.

In recent months, cybercriminals have utilised IcedID to establish persistence on the host, get initial access, and carry out other illegal activities. Attackers were seen utilising phishing emails in Italian or English in October to distribute IcedID through ISO files, archives, or document attachments that contained macros. The UAC-0098 group was observed in September using IcedID and Cobalt Strike payloads to target Ukrainian NGOs and organisations in Italy.

IcedID was being used by Raspberry Robin worm infestations in the same month. Recently, a wide range of distribution techniques has been used by the threat actors behind IcedID, as is to be expected as they test which tactics are most effective against certain targets. Users should be on the lookout for fraud or phishing websites and be cautious while downloading from websites.

New Botnet Targeting Minecraft Servers Could be a Threat to Enterprises


Enterprises are being affected significantly more by the constant spread of a newly discovered botnet, that is apparently targeting private Minecraft Java servers than simply bumming out a biome. 

According to a report published by researchers at Microsoft on December 16, this new botnet is utilized in order to aid DDoS attacks on Minecraft servers. This may sound trivial, but enterprises must take an account since this botnet could potentially as well target Windows and Linux devices, spreading rapidly without being detected. 

Launch of The Attack

The attack begins with the online user downloading malicious downloads of “cracked” Windows licenses.  

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices […] Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet," the Defender team explains in a report. 

The security researchers further recommend that organizations strengthen their device network in order to evade any such threats. It was furthermore revealed that most of the devices infected were in Russia. 

Enterprises Beware

The sheer number of potentially targeted servers and the scarce cyber protection on private Minecraft servers, make this botnet a threat to be taken seriously by the cybersecurity teams, warns Patrick Tiquet, Vice president of security architecture at Keeper Security. 

"The concern in this scenario is that there are a large number of servers that can potentially be compromised and then weaponized against other systems, including enterprise assets […] Gaming servers such as Minecraft are typically managed by private individuals who may or may not be interested in or capable of patching and following cybersecurity best-practices. As a result, this vulnerability could continue unmitigated on a large scale for an extended period of time and could potentially be leveraged to target enterprises in the future," he explains. 

Besides the malware, Microsoft’s recommendations are a smart idea for safeguarding the company against all kinds of botnets, not simply those that target Minecraft, according to Mike Parkin of Vulcan Cyber.